Karl DeSaulniers wrote:
> On May 22, 2010, at 3:37 PM, Robert Cummings wrote:
>> This was beaten to death last week. The solution is not possible
>> because it's not about restricting a single user from logging over
>> multiple machines, it's about restricting a single computer to only
>> one session (so running IE, Firefox, Opera, Safari on same computer
>> with different users would not be allowed).
>
> Sorry for the top posting.
> Ah, I see. Don't mean to beat a dead horse.
> I still stand by my suggestion though.
> If you record the username and ip in an active user table,
> then set a cookie on the computer that is cross referenced with the
> ip and username,
> you will have a little better check system.
> Also, if you set a fall back that say checks to see if the cookie is
> being reset or set for the first time or if the cookie has been
> deleted, you can kick them.
> Set the cookie to expire and be reset while in session to check to
> see if it changes while the user is logged in.
> Basically, if you check for log-in status from the active user table
> and cross reference the ip,
> it will probably cover say 75% of the cases. Using the cookie and
> putting strict requirements
> for the cookie to have been pre-existing with the right ip or if it
> is being set for the first time,
> you will have a little more control. Plus you could create a blob of
> ips that is referenced with
> each username that can be cross referenced to see if a user has
> multiple ip sets or if two users have a similar ip.
> Thus a little more granular control on the computers accessing your
> site.
> But like having an expensive painting in your house,
> if the thief is going to put that much work in to get it, chances are
> they will.
> Just make sure it's insured. :)

It doesn't work that way though because the session cookie is only valid
for the browser to which it is issued. A cookie issued to a Firefox
connection is completely disjoint from a cookie issued to a Chrome
session or an Opera session or (eeek) an IE session. Additionally, you
can't record the IP address since many universities and other more
populated points of connection use IP sharing. The problem goes further,
imagine you could get a hold of the MAC Address... there's nothing
stopping someone from spoofing it or running a virtual machine within
the same machine to open another connection. I hope this helps
crystalize the issue :)
Cheers,
Rob.
--
PHP General Mailing List (http://www.php.net/)
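
Rob's point about what the server can actually observe, as an added example that is not part of the original thread: a small PHP model of the active-user table check Karl describes. The function names, the table layout and the address 203.0.113.7 are constructed for illustration.

```php
<?php
// Added illustration; not code from the thread. Names and values are constructed.

// The check as described: an active-user table keyed by cookie token,
// cross-referenced with the client IP. Returns 'allow' or 'kick'.
function checkLogin(array &$active, array $req): string
{
    foreach ($active as $row) {
        // A different user is already active from this IP.
        if ($row['ip'] === $req['ip'] && $row['user'] !== $req['user']) {
            return 'kick';
        }
    }
    // No cookie presented: first visit from this browser, so issue a token.
    $token = $req['cookie'] ?? bin2hex(random_bytes(8));
    $active[$token] = ['user' => $req['user'], 'ip' => $req['ip']];
    return 'allow';
}

// Replays a list of requests against an empty table.
function replay(array $requests): array
{
    $active = [];
    $out = [];
    foreach ($requests as $req) {
        $out[] = checkLogin($active, $req);
    }
    return $out;
}

$sharedIp = '203.0.113.7'; // constructed (documentation range)

// Case A: two people on two machines behind one university NAT.
$twoMachines = [
    ['user' => 'alice', 'ip' => $sharedIp, 'cookie' => null],
    ['user' => 'bob',   'ip' => $sharedIp, 'cookie' => null],
];

// Case B: one machine, Firefox then Chrome. Each browser has its own
// cookie jar, so the second browser also arrives with no cookie.
$twoBrowsers = [
    ['user' => 'alice', 'ip' => $sharedIp, 'cookie' => null],
    ['user' => 'bob',   'ip' => $sharedIp, 'cookie' => null],
];

// The server receives identical input in both cases, so any rule gives
// the same verdict for both: it blocks the NAT users or admits both browsers.
var_dump($twoMachines === $twoBrowsers);
print_r(['A' => replay($twoMachines), 'B' => replay($twoBrowsers)]);
```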