Reply to Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

Posted by Richard Levasseur on 02/11/06 08:48

I think gordon is onto a better solution.
Store the current session ID and remote IP address in the database. IP
address also, because they could simply modify the session ID being
sent.

Additionally, there should only be *one* record per user account,
session ID, and remote IP address, i.e. unique sid, unique uid, and
unique uid-sid-ip. IP isn't unique unless you want to block different
accounts behind a shared internet connection.

Looping through every session, opening it, and searching for a
substring will take much longer than simply comparing two strings and
destroying a session.

Process:
On user login, destroy the previous session if the old session ID
doesn't match the current session ID or if the current IP doesn't match
the older IP.
Otherwise, store the new session ID and remote IP address for that
user.
If the user doesn't have a record, create it and allow the login.

Keep track of the last login time, too. If there are requests from
multiple IPs with the same account in a short period of time, then you
can lock the account, send them an email, alert your staff, you know,
raise a red flag of some sort.

This will allow a single user to have multiple windows open for the
website (assuming they 'open link in new window/tab') as the session
IDs sent by all those windows will be the same.

It won't prevent sharing of an account if there is a home
gateway/router. But really, if that's the case, they can (and probably
would anyway) share the file over the local network. Either way, they
are still using the same connection and will be fighting for bandwidth.

In code, à la:

<?php
// Assumes a PDO connection in $db; the table and column names are placeholders.
// A prepared statement keeps $user out of the SQL text.
$stmt = $db->prepare('SELECT sessionid, ip FROM sessions WHERE user = ?');
$stmt->execute([$user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // no record for this user yet: create it and allow the login
} elseif ($sid != $row['sessionid'] || $ip != $row['ip']) {
    destroy_session($row['sessionid']);
    destroy_session($sid);
    logout($user);
    // do time calculation to flag shared accounts
    gotoLogin();
} else {
    // proceed with login
}
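The login process described in this reply (one record per account, destroy the old session when the session ID or IP changes, create the record on first login, and flag a second IP within a short window), worked through end to end as an added example. This is not the poster's code and not PHP: it is a stand-alone Python version using an in-memory SQLite table so the logic can be run as is. The table name `sessions`, the 300-second flag window, the `destroyed` list that stands in for `destroy_session()`, and all sample users, session IDs and IPs are constructed for the example.

```python
import sqlite3

# Assumed value for the post's "short period of time": a login from a different
# IP within this many seconds of the previous one is flagged.
FLAG_WINDOW = 300


def make_store():
    """Constructed in-memory stand-in for the table the post describes."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " user TEXT PRIMARY KEY,"            # only one record per user account
        " sessionid TEXT NOT NULL UNIQUE,"   # a session id binds to at most one account
        " ip TEXT NOT NULL,"
        " last_login REAL NOT NULL)"
    )
    return db


def login(db, user, sid, ip, now, destroyed):
    """Apply the post's login process for one request.

    Returns one of 'created', 'same', 'replaced', 'flagged', 'rejected'.
    Session ids that have to be torn down are appended to `destroyed`,
    which stands in for the post's destroy_session().
    """
    row = db.execute(
        "SELECT sessionid, ip, last_login FROM sessions WHERE user = ?", (user,)
    ).fetchone()

    if row is None:
        # No record yet: create it and allow the login.
        try:
            db.execute(
                "INSERT INTO sessions VALUES (?, ?, ?, ?)", (user, sid, ip, now)
            )
        except sqlite3.IntegrityError:
            # The unique sid constraint fired: this session id already
            # belongs to another account.
            return "rejected"
        return "created"

    oldid, oldip, last = row
    if sid == oldid and ip == oldip:
        # Same browser opening another window/tab: nothing to destroy.
        db.execute("UPDATE sessions SET last_login = ? WHERE user = ?", (now, user))
        return "same"

    # Session id or IP changed: bind the new session, then destroy the old one.
    try:
        db.execute(
            "UPDATE sessions SET sessionid = ?, ip = ?, last_login = ? WHERE user = ?",
            (sid, ip, now, user),
        )
    except sqlite3.IntegrityError:
        return "rejected"
    destroyed.append(oldid)

    # A different IP within the window is the post's "raise a red flag" case.
    if ip != oldip and (now - last) < FLAG_WINDOW:
        return "flagged"
    return "replaced"


if __name__ == "__main__":
    db = make_store()
    gone = []
    print(login(db, "alice", "s1", "10.0.0.1", 1000.0, gone))  # created
    print(login(db, "alice", "s1", "10.0.0.1", 1001.0, gone))  # same (new tab)
    print(login(db, "alice", "s2", "10.0.0.9", 1010.0, gone))  # flagged
    print(gone)                                                # ['s1']
```

The `UNIQUE` constraint on `sessionid` is what enforces the "unique sid" rule from the post: an attempt to bind one session ID to a second account fails at the database rather than in application logic, so it holds even if two requests race. The `same` branch is what keeps multiple tabs of one browser working, since they all send the same session ID from the same IP.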
