How to Prevent Multiple Logins in PHP Website

How to prevent multiple logins in PHP website

(Please note, that whilst the technique here is still somewhat valid; the PHP samples should not be copied verbatim as there are safer means of incorporating user-supplied values in a SQL query)

Instead of storing whether the user is active\inactive, it is better to store some attribute which can be checked against the user on a per-action basis; as in, every time the user tries to do something which requires authentication, it will check to see that this attribute matches before it proceeds.

I recommend you do the following;

First, create a hash to uniquely identify the user whenever they log in. I'd imagine that a sha1 of time() would be enough to avoid collisions. Whatever you choose, make sure that it is varied enough so that another user logging in will have a incredibly low chance of receiving the same hash (for example, don't hash the IP address or browser's user-agent, as these are not varied enough).

Second, store this hash in your database and in the user's session at the time of log in. Doing so will effectively 'log out' the previous user, as the hash should be different each time someone logs in.

Since we're using sessions, a cookie should be automatically placed in the user's browser which will contain a unique ID that identifies the user to his or her session data. The contents of the cookie are not really of concern.

Next, create a function called authenticateUser() or similar, which will be called at the start of every script to ensure the user is authenticated. This script should query the database, checking to see whether a user with your user's ID has a hash that matches your user's hash.

For example:

function authenticateUser($id, $hash, $databaseLink) {
    # SQL
    $sql = 'SELECT EXISTS(
               SELECT 1
               FROM `tbl_users`
               WHERE `id` = \''.mysql_real_escape_string($id).'\'
               AND `hash` = \''.mysql_real_escape_string($hash).'\'
               LIMIT 1
           );';

    # Run Query
    if ($query = mysql_query($sql, $databaseLink)) {
        # Get the first row of the results
        # Assuming 'id' is your primary key, there
        # should only ever be one row anyway.       
        $result = mysql_fetch_row($query);

        # Casting to boolean isn't strictly necessary here
        # its included to indicate the mysql result should
        # only ever been 1 or 0.
        return (bool)($result[0]);
    } else {
        # Query error :(
        return false;
    }
}

Then, we simply pass authenticateUser() the user's ID, hash (per your session data) and a database link (for a database connection you will have to have opened earlier).

If authenticateUser() returns true, the user is authenticated. If false, the user is not OR the database is unavailable or there is an SQL error.

Please note however that this will increase your server load as a database request is sent once per page request. It is probably not all that wise to do this on giant projects where thousands of people are logging in at any given time. I'm sure someone can suggest improvements.

Also, waiting for the cookie to expire is not the best way to force people who have been inactive to log out, as you should never trust cookies. Instead, you can add in an column called last_active which you can update every time the user is authenticated. This will also increase server load, but will allow you to manually override stale log-ins by removing the hash for users who were, say, inactive for 3 hours.

How to prevent multiple logins from same user?

Take a look at this it protect you from Cross-Site Request Forgery and you can check if user had logged in.
Try: save csrf token to db, then check if users token same that in db...
If not: unset cookie and session for this user and return him to Sign In page;
If yes: do your stuff

Best way to prevent simultaneous login

If your end goal is to have it so that any given account can only be logged into one machine at a time, generate a unique ID at login and write that ID to the database for that user. Set that ID as a cookie for the user. When you receive traffic from that user, only consider them logged in if their cookie matches the value in the database.

When the user logs in to a new device, a new unique ID is generated and sent as a cookie to that new device. The new device's traffic has a cookie that matches the database, and is therefore considered logged in. When the old device visits your application, the login cookie no longer matches the value in the database, so that user is considered logged out.

When the old device logs in again, a new unique ID is generated in the database and sent as a cookie to that device. They are now logged in, because their cookie matches. The second device, having its cookie no longer match the database, is logged out.

How to Prevent Concurrent User Logins in PHP/MySQL Site?

If it is OK to logout an already logged in user if someone else logs in with the same credentials then you could do the following: when a user logs in generate a random ID in your database for that user and the same in a cookie session. The two must match to authenticate.

How to prevent multiple authentication in a web app / site?

I usually let them ping-pong: A custom session_save_handler which stores the session in a database, with an extra field for user-id (session_id char, session_data blob, session_user int or char). A successful login-attempt destroys / deletes all other other sessions with that specific user-id, and you could even log the number of times this DELETE statement actually deletes rows, with a counter somewhere to block people clearly excessively 'deleting' sessions. People switching computers / locations / browsers still can get work done instantly after login, users sharing authentication will keep on logging each other out, and increasing your counter until some arbitrary limit you deem appropriate, in which case you can disable / lock out the account.

How to prevent multiple login in same browser using php

In the loginController you need to check if session variable is set.If so then redirect the user to the member page or similar..

This might work

<?php
session_start();
if(!empty($_SESSION['username']))
{
    header("location : member.php");
    die();
}
?>

Related Topics

Authenticating in PHP Using Ldap Through Active Directory

How to Define an Empty Object in PHP

What Is a Good Parser Generator for PHP

Which Is the Best Way to Generate Excel Output in PHP

PHP File Upload: Mime or Extension Based Verification

How to Use Special Characters in Recipients Name When Using PHP's Mail Function

How to Remove Attributes from an HTML Tag

How to Display Only One Country or a Specific Area in Google Maps Using the API

Echo Menu Tree with Recursive Function

How to Load CSS File in Codeigniter

Woocommerce Change Loading Spinner Icon

Clean Links to PHP-Generated JavaScript and CSS

Remove or Hide "Add New" Button on Woocommerce on Bulk Order Panel

How to Format Excel File with Styles, Fonts, Colors, Tables etc with Pure PHP

Replace Woocommerce_Add_Order_Item_Meta Hook in Woocommerce 3.4

Removing Last Comma in PHP

Facebook Connect- $User_Id = $Facebook->Getuser(); Always Returning 0

Reverse the Letters in Each Word of a String


Leave a reply



Submit