I have a login system on my site and users have to pay for using my site. As they have to pay, I am afraid that one user may share his username and password with other users. So I have to set up my login system in such a way that no user can use more than one browser at a time. But they can change browsers from time to time (not at the same time, but at different periods of the day). How can I implement that in PHP? Any ideas?
5 Answers
You could generate a token/hash from their session ID whenever they log in. Add this token as a cookie value and then store it in the database. If the user is logged in and their cookie value doesn't match the value stored in the database, then they've probably logged in somewhere else.
But I want one user to be able to log in from different browsers at different periods of time, not at the same time. For example, he may log in from the office in the morning and from home in the evening. If I use your solution, then he will not be able to log in from home in the evening after logging in from the office in the morning. How to resolve that? – stockBoi Nov 30 '13 at 14:09
But he can't log in from 2 PCs at his office, in the morning or evening, at the same time – stockBoi Nov 30 '13 at 14:10
Detect his IP and, on every change, make him add the computer (like Steam does) and set a flag with the last access date. On each action he makes, update the field (like an online system); if no activity is present in 10 minutes from other 'computers', he is accessing only 1. You can't prevent this because people can be ignorant; even if you make them enter sensible data to make them more sceptical about giving out their credentials, it is futile...
The only way that comes to my mind is to keep a flag (a table column) in the database once the user has logged in. So if he tries to log in again, you check whether the flag is set. If it is set, then you can give an error. And remember to reset that flag once the user has logged out.
Your solution is more practical. But there is one problem. If the user sets the 'remember me' feature and wants to use another browser (say he used my site from his office and, in the evening, from his home, both with the remember feature enabled), then he can't enter from either the home or the office PC without logging out from the other one. How to resolve that? – stockBoi Nov 30 '13 at 14:04
Try checking the IP, or use 2-factor authentication.
(For example, require the user to click a link in his e-mail to log in.)
You can check his/her IP, but you can't rely on it, especially when the user has a dynamic IP. If a user pays for this service and they can't use it properly because they just so happen to have a dynamic IP address, they'll be pissed. – Wayne Whitty Nov 30 '13 at 14:01
Use a helper JavaScript preloader to collect non-personal browser information and generate a hash from login time/account/IP/browser info.
Check on the server side that no more than one hash is active per user account at a time, and force logout of the former ones if that happens. Use another client-side JavaScript to periodically ping the server, check hash uniqueness, and seamlessly re-login legitimate users for the "dynamic IP" use case.
Thus, if a user shares his account with another user, they will keep constantly "kicking" each other out of the site until annoyed enough to pay for a second account.
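The token check from the first answer combined with the "newest login ends the former one" rule from the last answer, as an added example that is not code from any of the answers. It assumes a hypothetical `users` table with an `active_token_hash` column, uses an in-memory SQLite database through PDO only so it runs stand-alone, and generates the token with `random_bytes()` rather than deriving it from the session ID; all function names are illustrative.

```php
<?php
declare(strict_types=1);

// Demo storage: in-memory SQLite with a hypothetical users table.
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, active_token_hash TEXT)');
        $pdo->exec('INSERT INTO users (id) VALUES (1)'); // constructed sample user
    }
    return $pdo;
}

// Call after the password check succeeds; send the return value as a cookie
// (Secure, HttpOnly). Overwriting the stored hash ends any earlier login.
function startSession(int $userId): string {
    $token = bin2hex(random_bytes(32)); // random, not derived from the session ID
    db()->prepare('UPDATE users SET active_token_hash = ? WHERE id = ?')
        ->execute([hash('sha256', $token), $userId]); // store only the hash
    return $token;
}

// Call on every authenticated request; on false, destroy the PHP session
// and redirect to the login page.
function isCurrentSession(int $userId, string $cookieToken): bool {
    $stmt = db()->prepare('SELECT active_token_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn(); // false if no row, null if logged out
    return is_string($stored) && hash_equals($stored, hash('sha256', $cookieToken));
}

// Call on logout so the stored token stops being valid.
function endSession(int $userId): void {
    db()->prepare('UPDATE users SET active_token_hash = NULL WHERE id = ?')
        ->execute([$userId]);
}

// Constructed walk-through: office login in the morning, home login in the evening.
$office = startSession(1);
var_dump(isCurrentSession(1, $office)); // only the office browser is logged in
$home = startSession(1);                // newest login replaces the stored hash
var_dump(isCurrentSession(1, $office)); // office cookie checked again
var_dump(isCurrentSession(1, $home));
endSession(1);
var_dump(isCurrentSession(1, $home));
```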