Posted by tg-php on 06/13/52 11:34
Where I work, the system that was set up before I got here uses session ID and a timeout of a couple of hours.  I'm pretty sure that there's a good chance that two people would not be issued the same session ID within a short period of time.  Certainly not within say 4 hours.
 Maybe someone has a better way, but I'd say this works out ok for us so far.
 
 -TG
 
 = = = Original message = = =
 
 Hello there,
 
 Goal: Preventing multiple user login using the same username & password from different location (Simultaneous Login)
 
 Options Available:
 
 1) IP Checking: One way to prevent multiple people from using the same account to gain access to a restricted area of a site is to store their IP address in a database table, along with the "time()" they first logged in. You would then have to check the user's IP address on subsequent pages against the value stored in the database to make sure that the user is still using the same IP to view the page. If the user has a different IP, we would prevent the user from logging in and display a message saying "You are Currently Logged In from Another Location! Please Log from the other location and try again" (or something like that). This check is usually done at given time intervals (say every 5 minutes or so).
 
 Problem with Method: Several Internet Service Providers, like AOL, change the user's IP address every few minutes. So this could potentially lock your REAL user out of the system as well. There are also some problems with proxy-based connections.
 
 2) Session ID Tracking: A similar idea to method 1, except that you would store the SESSION ID in the database, and instead of checking the IP, you would then compare the user's SESSION ID to verify that the user is still the same user. The advantage of this method is that it does not depend on the user's IP. Therefore AOL users will not have a problem with this login system.
 
 Problem with Method: Although the SESSION ID is unique for current
 active user, it can be assigned by
 server to any other later on. Plus you may have problems with Session ID
 based login system, if you use
 a shared Webhost.
 
 3) Boolean Login Field: With this method, you would basically create a boolean field in your database, and set the value to TRUE if the user is logged in, or false if the user is not. Again, to check if the user is still logged in, you would have to use a timestamp like previous methods to see if the user has been inactive for more than a specific period of time, and reset the Boolean database field value to false if the user is inactive (This could basically either mean that the user just closed his web browser and left, or that he took a longer than usual lunch break and forgot about your site). Or if the browser crashes, the valid user is left in the muddle.
 
 Problem with Method: The basic problem with this method (as with the other two methods), is that if you set a time period (say 5 minutes) to give the visitor to go to the next page and verify that he is still alive and on your site, if the visitor takes longer than 5 minutes to move on to the next page, he will be locked out of the system for ANOTHER 5 minutes (until the system clears the hold on his account).
 
 THE QUESTION:
 
 Here is my main question about this whole issue. Is there a better way
 of performing this task that
 will not require the setting of a time interval to see if the user is
 still logged in? IS THERE A GOOD SOLUTION TO THIS ISSUE???
 
 Many Thanks in advance,
 Regards,
 Sarith
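
An added example, not part of either message above: one way to do the session tracking of option 2 without any time interval is to let the newest login win, storing a random per-login token against the account and checking it on every page. The table, column and function names are hypothetical, and the in-memory SQLite database stands in for the site's own.

```php
<?php
// Added example: "newest login wins" single-session enforcement.
// Table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');   // stand-in for the site's real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, active_token TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('sarith')"); // constructed sample user

// Call after the password has been verified. Overwriting the stored token
// invalidates any session opened earlier from another location.
function start_login(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(16));   // 128-bit random value, not the session ID
    $stmt = $db->prepare('UPDATE users SET active_token = ? WHERE username = ?');
    $stmt->execute([$token, $username]);
    return $token;   // the caller keeps this in $_SESSION['login_token']
}

// Call on every protected page. No timestamps: a session is valid only while
// its token is still the one recorded for the account.
function is_current_login(PDO $db, string $username, string $token): bool
{
    $stmt = $db->prepare('SELECT active_token FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false if no row, null if logged out
    return is_string($stored) && hash_equals($stored, $token);
}

// Explicit logout clears the token, but only if this session still owns it.
function end_login(PDO $db, string $username, string $token): void
{
    $stmt = $db->prepare(
        'UPDATE users SET active_token = NULL WHERE username = ? AND active_token = ?');
    $stmt->execute([$username, $token]);
}

// Constructed walk-through: the same account logs in from two browsers.
$office = start_login($db, 'sarith');
var_dump(is_current_login($db, 'sarith', $office));   // check the first browser
$home = start_login($db, 'sarith');                   // second login elsewhere
var_dump(is_current_login($db, 'sarith', $office));   // first browser, now superseded
var_dump(is_current_login($db, 'sarith', $home));     // check the second browser
end_login($db, 'sarith', $office);                    // stale logout changes nothing
var_dump(is_current_login($db, 'sarith', $home));     // second browser again
```

Because the older session is the one that gets rejected, a user whose browser crashed can simply log in again instead of waiting for a hold to clear.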
 
 