Re: Restrict account access to single user

> In other words, how do we prevent two users from using the same password
> to access the same account at the same time?

There are a few strategies I'd consider... each has pluses and minuses.

1) Lock to one IP.  Keep a table with the most recent IP address, and the
most recent access time.  Any requests coming in within (x) minutes of the
last request, but with a new IP address, are blocked.  Downside: people with
rotating IP addresses (doesn't AOL do this?) will be virtually unable to use
the system.  Also, people who switch connections in less time than (x)
minutes will have to wait for their login to expire before reconnecting,
unless they explicitly log out.

2) Lock to a GUID in a session variable.  Keep some sort of GUID in a
session variable open with the logged-in user's session.  Tag that user's
account with the GUID (or even, I suppose, with the session identifier?) and
the last access time.  If a new request comes in with a different session
identifier, within (x) minutes of the last request, block it.  Downside:
people who switch connections (or who close and reopen their browsers) in
less time than (x) minutes will have to wait for their login to expire
before reconnecting, unless they explicitly log out.

3) Prevent flip-flops.  Choose either of the above two methods, and if the
user's data changes, track that in a table which tracks the 3 (or 5, or
whatever) most recent distinct connections.  If a PREVIOUS connection
attempts to interact within a certain time window, lock out one or both for
a certain period.  Advantage: allows a user to recover from an inadvertent
disconnection gracefully.  Disadvantage: malicious users who manage to
somehow steal the connection information could deny service and can inject
transactions until the existing connection attempts a new action.

I'd probably go with 3, but it is more work.

Very curious to hear what others are thinking, though.
-P


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
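The three strategies in the post above, as an added example that is not part of the original message or of any PHP project: one small guard class that binds an account to a "key" (the client IP for strategy 1, or a per-login session GUID for strategy 2) with a time window of (x) minutes, and that optionally behaves as strategy 3, where a new connection may take the account over and only a PREVIOUS connection coming back inside the window triggers a lockout. Python is used because the logic is independent of the web framework; the class and method names (`SingleSessionGuard`, `AccountLock`, `check`, `logout`) and the sample timings are assumptions, not anything from the post.

```python
# Added example, not from the original post. Names are hypothetical.
import secrets
import time
from collections import deque
from typing import Deque, Dict, Optional


class AccountLock:
    """Per-account row: bound key, last access time, recent distinct keys, lockout."""

    def __init__(self, history: int) -> None:
        self.key: Optional[str] = None                   # IP or session GUID currently bound
        self.last_seen: float = 0.0                      # time of the last accepted request
        self.recent: Deque[str] = deque(maxlen=history)  # the N most recent distinct keys
        self.locked_until: float = 0.0                   # strategy 3 lockout expiry


class SingleSessionGuard:
    def __init__(self, window_seconds: float = 300, lockout_seconds: float = 600,
                 history: int = 3, allow_takeover: bool = False) -> None:
        self.window = window_seconds          # the "(x) minutes" of the post
        self.lockout = lockout_seconds        # how long a flip-flop lockout lasts
        self.history = history                # "3 (or 5, or whatever)" recent connections
        self.allow_takeover = allow_takeover  # False: strategies 1/2, True: strategy 3
        self._accounts: Dict[str, AccountLock] = {}

    @staticmethod
    def new_session_key() -> str:
        """Strategy 2: an unguessable GUID to store in the session at login."""
        return secrets.token_hex(16)

    def check(self, account: str, key: str, now: Optional[float] = None) -> str:
        """Decide on one request. Returns 'allow', 'blocked' or 'locked'."""
        now = time.time() if now is None else now
        lock = self._accounts.setdefault(account, AccountLock(self.history))

        if now < lock.locked_until:
            return "locked"                     # strategy 3 lockout still running

        if lock.key is None or now - lock.last_seen >= self.window:
            self._bind(lock, key, now)          # no live connection: take it
            return "allow"

        if key == lock.key:
            lock.last_seen = now                # same connection, keep it alive
            return "allow"

        # A different key inside the window: a second party, or a reconnect.
        if not self.allow_takeover:
            return "blocked"                    # strategies 1 and 2: wait for expiry or logout

        if key in lock.recent:
            # A PREVIOUS connection is back while a newer one is live: two
            # parties are flip-flopping on the account, so lock both out.
            lock.locked_until = now + self.lockout
            lock.key = None
            lock.last_seen = 0.0
            return "locked"

        self._bind(lock, key, now)              # new connection recovering from a drop
        return "allow"

    def _bind(self, lock: AccountLock, key: str, now: float) -> None:
        lock.key = key
        lock.last_seen = now
        if key not in lock.recent:
            lock.recent.append(key)

    def logout(self, account: str) -> None:
        """Explicit logout releases the account at once instead of after (x) minutes."""
        lock = self._accounts.get(account)
        if lock is not None:
            lock.key = None
            lock.last_seen = 0.0
            lock.recent.clear()


if __name__ == "__main__":
    # Constructed timeline (seconds) for the strict variant: a second key inside the
    # window is blocked, the same key is allowed, and the lock expires after 300 s.
    strict = SingleSessionGuard(window_seconds=300)
    print(strict.check("alice", "10.0.0.1", now=0), strict.check("alice", "10.0.0.2", now=60))
    # Strategy 3 variant: a new key takes over, the old one returning is locked out.
    takeover = SingleSessionGuard(window_seconds=300, lockout_seconds=600, allow_takeover=True)
    takeover.check("bob", "guid-A", now=0)
    print(takeover.check("bob", "guid-B", now=60), takeover.check("bob", "guid-A", now=120))
```

In a PHP application like the ones discussed on this list, `key` would be `$_SERVER['REMOTE_ADDR']` for strategy 1 or a GUID kept in `$_SESSION` for strategy 2, and the `AccountLock` fields would be columns on the account table rather than an in-memory dictionary; the decision logic is the same.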

