I am developing a secure login system with PHP. I want to prevent multiple logins for a user with the same username and password. With my script a user can log in to the account from different browsers or from different IPs with the same username and password. I need to add a column to my database: when the user logs in the field becomes 1 and the account is locked; when the user logs out the account is unlocked. But what if the user closes the browser without logging out?
- You can set an expiration time on the session: if one does not click anywhere for 5 mins, change this column in the database. – Royal Bg May 09 '14 at 13:07
- Cronjob to check for inactivity. – Daan May 09 '14 at 13:07
- You can do something in reaction to the JavaScript event which is raised if the user closes the window or relocates to another website. But that's weird. Maybe open a session which closes automatically after a time of inactivity. Then restore the login state. – vandango May 09 '14 at 13:09
- Better not to implement such a thing, which can trick itself and make the field remain `1` forever. – Royal Bg May 09 '14 at 13:12
- Store the signon (or last activity) timestamp along with the "signed on" flag. If they try signing on with a "1" flag, see if they've been inactive long enough that you can assume they walked away from the old session. Then kill the old session and allow the new signon. "Long enough" is up to you to decide. Don't forget to try to clean up any session cookies, but be aware that they could be on a different machine or browser now. – Phil Perry May 09 '14 at 15:02
1 Answer
You can set a random salt on login and store it in the database and in a cookie for the user.
On each login you generate a new random salt and store it in the database (replacing the previous value) and in a cookie for the current user.
For each action on your site you check not only for the session but for the salt too: if the salt in the user's session is different from the one stored for the current user, that means somebody logged on after them with the same credentials, and you invalidate the current session. That way you have the required functionality and you will not have trouble with users not logging out, because each time a user logs in it invalidates all other users logged in with the same credentials.
Дамян Станчев
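The per-login token scheme from the answer above, as an added example that is not the answerer's own code. It assumes a `users` table with an `id` column and a nullable `login_token` column, a PDO connection `$db`, and that `session_start()` has already been called; all of these names are assumptions. The token is kept in the server-side session rather than a separate cookie so it is never readable by page scripts.

```php
<?php
declare(strict_types=1);

// Called after the password check succeeds. A fresh CSPRNG token is written to
// the user's row; this silently overwrites the token of any older session for
// the same account, which is what later invalidates that session.
function issueLoginToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));                      // 256-bit token
    $stmt  = $db->prepare('UPDATE users SET login_token = :t WHERE id = :id');
    $stmt->execute([':t' => $token, ':id' => $userId]);

    session_regenerate_id(true);      // new session id on login (anti-fixation)
    $_SESSION['user_id']     = $userId;
    $_SESSION['login_token'] = $token;
    return $token;
}

// Called on every authenticated request. Returns false (and destroys the local
// session) when the stored token no longer matches, i.e. a newer login for the
// same credentials has replaced this one, or the user logged out elsewhere.
function sessionIsCurrent(PDO $db): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT login_token FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();                          // string, null or false

    // Constant-time comparison so the check does not leak token bytes via timing.
    if (!is_string($stored) || !hash_equals($stored, $_SESSION['login_token'])) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Explicit logout: clearing the stored token invalidates every copy of it.
function logout(PDO $db, int $userId): void
{
    $stmt = $db->prepare('UPDATE users SET login_token = NULL WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $_SESSION = [];
    session_destroy();
}

// Typical guard at the top of a protected page (hypothetical login URL):
// if (!sessionIsCurrent($db)) { header('Location: /login.php'); exit; }
```

A browser closed without logging out leaves no stale lock: the next login simply issues a new token and the abandoned session fails `sessionIsCurrent` on its next request.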