1

I know this is a recursive question, but I haven't found a new solution, or a solution based on the new frontend frameworks or technologies.

I have a Vue + PHP application in which users can only be logged in once at a time. My current solution to block concurrent access is making an Ajax call to a PHP page every 5 minutes, storing the time. I store a flag in the DB too, whether it has been registered or not. So, when the user tries to log in, I check if the time is greater than 6 minutes or the flag is set to 0.

I think this is not the best way to do this. When the application has too many users it can cause too much load on the server.

Is there a way to do it like Netflix? A warning when trying to connect while logged in on another machine.

Felipe Thomas
  • Possible duplicate of [How to prevent multiple logins in PHP website](https://stackoverflow.com/questions/1727919/how-to-prevent-multiple-logins-in-php-website) – Adam Jul 20 '18 at 14:52
  • "When the application has too many users it can cause too much load on the server." You should fix this issue, not drive your users bonkers. – ceejayoz Jul 20 '18 at 14:57
  • 1
    @Dammeul, I saw this solution, but I want something like Netflix. A warning when a user tries to log in and the user was logged in on another machine. – Felipe Thomas Jul 20 '18 at 15:00
  • 3
    When the second user logs in, either purge all the other sessions for that user (new login gets preference) or simply fail the auth if an existing session exists (old login gets preference.) – Alex Howansky Jul 20 '18 at 15:06

2 Answers

5

If your end goal is to have it so that any given account can only be logged into one machine at a time, generate a unique ID at login and write that ID to the database for that user. Set that ID as a cookie for the user. When you receive traffic from that user, only consider them logged in if their cookie matches the value in the database.

When the user logs in to a new device, a new unique ID is generated and sent as a cookie to that new device. The new device's traffic has a cookie that matches the database, and is therefore considered logged in. When the old device visits your application, the login cookie no longer matches the value in the database, so that user is considered logged out.

When the old device logs in again, a new unique ID is generated in the database and sent as a cookie to that device. They are now logged in, because their cookie matches. The second device, having its cookie no longer match the database, is logged out.

Charles Stover
  • Cool. Then is it necessary that, if the logged-in user makes requests to the application, the application has to read the DB to check whether the cookie is valid every single time? – David kim Oct 28 '21 at 02:02
  • What if they share the cookie and token with another user? – Abhigyan Tiwari Sep 05 '22 at 11:54
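The per-login token scheme from the answer above, written out as an added example (this is my code, not the answerer's): the login step returns null when another device still holds a token so the caller can show the "logged in elsewhere" warning the question asks for, or takes over when forced; every request is accepted only while its cookie still matches the stored token. Assumptions (mine): a `users` table with `id` and `login_token` columns, with an in-memory SQLite database standing in for the real one so it runs offline.

```php
<?php
// Added example, not code from either answer: single-active-session enforcement
// with a per-login token stored on the user row, as the first answer describes.
// Assumptions (mine): a `users` table with an `id` and a `login_token` column;
// SQLite in memory stands in for the real database so this runs offline.
declare(strict_types=1);
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login_token TEXT NULL)');
$db->exec('INSERT INTO users (id) VALUES (1)');

// Called after the password check succeeds. If another device still holds a
// token, return null so the caller can show a "logged in elsewhere" warning;
// with $force the new login wins and the old token stops validating.
function issueLoginToken(PDO $db, int $userId, bool $force = false): ?string
{
    $stmt = $db->prepare('SELECT login_token FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $current = $stmt->fetchColumn();
    if (is_string($current) && !$force) { return null; }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not guessable
    $db->prepare('UPDATE users SET login_token = ? WHERE id = ?')
       ->execute([$token, $userId]);
    return $token; // caller sends it in an HttpOnly, Secure cookie
}

// Per-request check: the cookie is accepted only while it matches the stored token.
function isSessionValid(PDO $db, int $userId, ?string $cookieToken): bool
{
    if ($cookieToken === null) { return false; }
    $stmt = $db->prepare('SELECT login_token FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, $cookieToken);
}

// Explicit logout clears the token, so the next login needs no warning.
function revokeLoginToken(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET login_token = NULL FROM users WHERE id = ?')->execute([$userId]);
}

// Walk-through: device A logs in; device B gets the warning, then forces the
// login; A's cookie no longer validates, B's does.
$a = issueLoginToken($db, 1);
$warning = issueLoginToken($db, 1) === null;
$b = issueLoginToken($db, 1, true);
printf("warning=%d a_valid=%d b_valid=%d\n", $warning,
    isSessionValid($db, 1, $a), isSessionValid($db, 1, $b));
```

The per-request lookup is the cost David kim's comment points at; the second answer below trades it for destroying the previous PHP session at login time instead.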
1

This solution doesn't require you to access the database on every page, reducing database load significantly.

Add a field for sessionID to your user table in the database.

Set the default session handler before calling session_start() (needed for the next line of code to work):

```php
session_set_save_handler(new \SessionHandler());
```

On every successful login, retrieve the stored $sessionID from the database. Destroy the old session with:

```php
(new \SessionHandler())->destroy($sessionID);
```

Get the new session ID with:

```php
$sessionID = session_id();
```

Store the new session ID to the database.

Kai Pommerenke