Re: Re: Programming Query - Authentication - Multiple Logons

Where I work, the system that was set up before I got here uses session ID and a timeout of a couple of hours.  I'm pretty sure that there's a good chance that two people would not be issued the same session ID within a short period of time.  Certainly not within say 4 hours.

Maybe someone has a better way, but I'd say this works out ok for us so far.

-TG

= = = Original message = = =

Hello there,

Goal: Preventing multiple user logins using the same username & password from different locations (Simultaneous Login)

Options Available:

1) IP Checking: One way to prevent multiple people from using the same account to gain access to a restricted area of a site is to store their IP address in a database table, along with the "time()" they first logged in. You would then have to check the user's IP address on subsequent pages against the value stored in the database to make sure that the user is still using the same IP to view the page. If the user has a different IP, we would prevent the user from logging in and display a message saying "You are Currently Logged In from Another Location! Please Log from the other location and try again" (or something like that). This check is usually done at given time intervals (say every 5 minutes or so).

Problem with Method: Several Internet Service Providers, like AOL, change the user's IP Address every few minutes. So this could potentially lock your REAL user out of the system as well. There are also some problems with Proxy Based connections.

2) Session ID Tracking: A similar idea to method 1, except that you would store the SESSION ID in the database, and instead of checking the IP, you would then compare the user's SESSION ID to verify that the user is still the same user. The advantage of this method is that it does not depend on the user's IP. Therefore AOL users will not have a problem with this login system.

Problem with Method: Although the SESSION ID is unique for the current active user, it can be assigned by the server to any other later on. Plus you may have problems with a Session ID based login system if you use a shared Webhost.

3) Boolean Login Field: With this method, you would basically create a boolean field in your database, and set the value to TRUE if the user is logged in, or false if the user is not. Again, to check if the user is still logged in, you would have to use a timestamp like previous methods to see if the user has been inactive for more than a specific period of time, and reset the Boolean database field value to false if the user is inactive (This could basically either mean that the user just closed his web browser and left, or that he took a longer than usual lunch break and forgot about your site). Or if the browser crashes, the valid user is left in the muddle.

Problem with Method: The basic problem with this method (as with the other two methods), is that if you set a time period (say 5 minutes) to give the visitor to go to the next page and verify that he is still alive and on your site, if the visitor takes longer than 5 minutes to move on to the next page, he will be locked out of the system for ANOTHER 5 minutes (until the system clears the hold on his account).

THE QUESTION:

Here is my main question about this whole issue. Is there a better way of performing this task that will not require the setting of a time interval to see if the user is still logged in? IS THERE A GOOD SOLUTION TO THIS ISSUE???

Many Thanks in advance,
Regards,
Sarith
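
One way to do the session ID tracking from option 2 without a polling interval, as an added example that is not part of the original thread: each login overwrites the session ID stored for the account, so the newest login wins and the older session fails its next check. The `active_sessions` table and the function names are hypothetical, and the demo uses an in-memory SQLite database with constructed session IDs in place of `session_id()`.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread; table and function names are hypothetical.

// Record the session that now owns the account; any earlier session is replaced.
function register_login(PDO $db, string $user, string $sid): void
{
    // Store a hash so a leaked table does not expose usable session IDs.
    $db->prepare('REPLACE INTO active_sessions (username, sid_hash, logged_in_at) VALUES (?, ?, ?)')
       ->execute([$user, hash('sha256', $sid), time()]);
}

// True only if this request carries the most recently registered session.
function is_current_session(PDO $db, string $user, string $sid): bool
{
    $stmt = $db->prepare('SELECT sid_hash FROM active_sessions WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();   // false when the user has no active session
    return is_string($stored) && hash_equals($stored, hash('sha256', $sid));
}

// Explicit logout clears the row, but only for the session that owns it,
// so a superseded browser cannot log the newer session out.
function register_logout(PDO $db, string $user, string $sid): void
{
    $db->prepare('DELETE FROM active_sessions WHERE username = ? AND sid_hash = ?')
       ->execute([$user, hash('sha256', $sid)]);
}

// --- Constructed demo: two browsers logging in to the same account ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions (
    username TEXT PRIMARY KEY, sid_hash TEXT NOT NULL, logged_in_at INTEGER NOT NULL)');

// In a web request, call session_regenerate_id(true) after the password check
// and pass session_id() here; random IDs stand in for that in this demo.
$browserA = bin2hex(random_bytes(16));
$browserB = bin2hex(random_bytes(16));

register_login($db, 'alice', $browserA);
var_dump(is_current_session($db, 'alice', $browserA)); // A owns the account

register_login($db, 'alice', $browserB);               // second location logs in
var_dump(is_current_session($db, 'alice', $browserA)); // A no longer matches
var_dump(is_current_session($db, 'alice', $browserB)); // B is the active session

register_logout($db, 'alice', $browserA);              // stale logout is ignored
var_dump(is_current_session($db, 'alice', $browserB)); // B is unaffected
```

Calling `is_current_session()` at the top of every protected page and destroying the local session when it returns false ends the older login on its next request, and a crashed browser never locks the account because the next login simply replaces the row.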

