Hello there,
Goal: Preventing multiple user login using the same username & password
from different location (
Simoltanous Login)
Options Available:
1) IP Checking: One way to prevent multiple people from using the same
account to gain access to a
restricted area of a site is to store their IP address in a database
table, along with the "time()"
they first logged in. You would then have to check the users IP address
on subsequent pages against the
value stored in the database to make sure that the user is still using
the same IP to view the page. If
the user has a different IP, we would prevent the user from login in and
display a message saying "You
are Currently Logged In from Another Location! Please Log from the other
location and try again" (or
something like that). This check is usually done at given time intervals
(say every 5 minutes or so)
Problem with Method: Several Internet Service Providers like AOL, change
the users IP Address every few
minutes. So this could potentially lock your REAL user out of the system
as well. There are also some
problems with Proxy Based connections.
2) Session ID Tracking: A similar idea to method 1, except that you
would store the SESSION ID in the
database, and instead of checking the IP, you would then compare the
users SESSION ID to verify that
the user is still the same user. The advantage of thsi method is that it
does not depend on the users
IP. Therefore AOL users will not have a problem with this login system.
Problem with Method: Although the SESSION ID is unique for current
active user, it can be assigned by
server to any other later on. Plus you may have problems with Session ID
based login system, if you use
a shared Webhost.
3) Boolean Login Field: With this method, you would basically create a
boolean field in your database,
and set the value to TRUE if the user is logged in, or false if the user
is not. Again, to check if the
user is still logged in, you would have to use a timestamp like previous
methods to see if the user has
been inactive for more then a specific period of time, and reset the
Boolean database field value to
false if the user is inactive (This could basically either mean that the
user just closed his web
browser and left, or that he took a longer then usual lunch break and
forgot about your site).
Or if the browser crashes valid user is left in the muddle.
Problem with Method: The basic problem with this method (as with the
other two methods), is that if you
set a time period (say 5 minutes) to give the visitor to go to the next
page and verify that he is
still alive and on your site, if the visitor takes longer then 5 minutes
to move on to the next page,
he will be locked out of the system for ANOTHER 5 minutes (until the
system clears the hold on his
account).
THE QUESTION:
Here is my main question about this whole issue. Is there a better way
of performing this task that
will not require the setting of a time interval to see if the user is
still logged in? IS THERE A GOOD SOLUTION TO THIS ISSUE???
Many Thanks in advance,
Regards,
Sarith
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
