> In other words, how do we prevent two users from using the same password to access the same account at the same time?

There are a few strategies I'd consider... each has pluses and minuses.

1) Lock to one IP. Keep a table with the most recent IP address, and the most recent access time. Any requests coming in within (x) minutes of the last request, but with a new IP address, are blocked. Downside, people with rotating IP addresses (doesn't AOL do this?) will be virtually unable to use the system. Also, people who switch connections in less time than (x) minutes will have to wait for their login to expire before re-connecting, unless they explicitly log out.

2) Lock to a GUID in a session variable. Keep some sort of GUID in a session variable open with the logged-in user's session. Tag that user's account with the GUID (or even, I suppose, with the session identifier?) and the last access time. If a new request comes in with a different session identifier, within (x) minutes of the last request, block it. Downside, people who switch connections (or who close and reopen their browsers) in less time than (x) minutes will have to wait for their login to expire before re-connecting, unless they explicitly log out.

3) Prevent flip-flops. Choose either of the above two methods, and if the user's data changes, track that in a table which tracks the 3 (or 5, or whatever) most recent distinct connections. If a PREVIOUS connection attempts to interact within a certain time window, lock out one or both for a certain period. Advantage - allows a user to recover from an inadvertent disconnection gracefully. Disadvantage - malicious users who manage to somehow steal the connection information could deny service and can inject transactions until the existing connection attempts a new action.

I'd probably go with 3, but it is more work. Very curious to hear what others are thinking, though.
-P

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
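Strategies 2 and 3 from the post above, modelled in Python as an added illustration that is not the poster's code (the list is about PHP, but the logic is language-neutral): the guard binds an account to one session GUID, lets a fresh session take over so a disconnected user can recover, and locks the account when a previously seen session reappears inside the idle window. The class and method names, the window and lockout values, and the integer timestamps are all assumptions made for the example.

```python
"""Model of 'lock to a session GUID' plus 'prevent flip-flops'.

Added example, not from the mailing-list post. Times are plain integer
seconds so the rules are easy to test; a real app would use time.time().
"""
from collections import deque


class ConcurrentLoginGuard:
    def __init__(self, idle_window=600, lockout=300, history=3):
        self.idle_window = idle_window  # the poster's "(x) minutes", in seconds
        self.lockout = lockout          # how long a detected flip-flop locks the account
        self.history = history          # how many recent distinct sessions to remember
        self._accounts = {}             # account -> per-account state

    def _state(self, account):
        return self._accounts.setdefault(account, {
            "session": None, "last_seen": 0,
            "recent": deque(maxlen=self.history), "locked_until": 0})

    def check(self, account, session_id, now):
        """Return 'allow' or 'locked' for a request on this account."""
        st = self._state(account)
        if now < st["locked_until"]:
            return "locked"
        if st["session"] is None or st["session"] == session_id:
            # First request, or the session already bound to the account.
            st["session"], st["last_seen"] = session_id, now
            return "allow"
        # A different session wants the account. If it is one we saw before
        # and the bound session was active within the window, two connections
        # are fighting over the account: the flip-flop case. Lock both sides.
        if session_id in st["recent"] and now - st["last_seen"] < self.idle_window:
            st["locked_until"] = now + self.lockout
            st["session"] = None
            return "locked"
        # Otherwise treat it as a reconnect after a drop: remember the old
        # session (so its return is detected) and bind the new one.
        st["recent"].append(st["session"])
        st["session"], st["last_seen"] = session_id, now
        return "allow"

    def logout(self, account, session_id):
        """Explicit logout releases the binding without waiting for the window."""
        st = self._state(account)
        if st["session"] == session_id:
            st["recent"].append(session_id)
            st["session"] = None
```

The lock fires on the *old* session's next action, which matches the post's caveat: a stolen session can act until the legitimate connection tries something.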