Hi,

I am developing an e-commerce website that will allow registered users access to articles and information available in the database. Each registered user will have a unique login to gain access to the website, but I do not want each user to pass their login details to friends/colleagues, rather I want each user to pay for their own access. To get round this I am wanting to ensure that when a user logs in to the website, no-one else can login at the same time using their login details.

What I was thinking of doing was: when a user logs in, their session ID is stored in the database. If another user trys to log in using the same login details, the server checks to see if the sessionID that is stored in the database against that users details is still valid and therefore refuses access. Users can obviously log themselves out of the server which will abandon the session and remove the sessionID from the database.

This gets round the problem that if a user accesses the website from home and work, even if they forget to log themselves out when they leave work, the session will expire and so allow them to login when they get home.

I would rather user the session ID than an IP, purely for the reason that some users will be accessing the site from various locations and I dont want them to accidently forget to log themselves out at one location and therefore prevent them gaining access until they get back to the office the next day.

What I need to know is:

Is this a logical way to do this, or am I missing something really obvious?

and

I know how to get the sessionID and store it in the database, but how do I get the server to check if a session ID is still valid when someone tries to login but there is a session variable still stored against that users login details?

Hii goingmad!!

It's difficult to manage by sessionid, since it's a unique for current active user ,but can be assignd by server to any other later on.

My idea is that put a enable flag, and ip address combination.
When user is loggin from home while at the same time forget to logout on his office, You can check this enableflag and Ip address, if this is not the same as then abandon both the user ,(how u know which one is correct user) redirect to the login page.
enable flag stored on the database

1)If user try to loggin,
if login_id passowrd Match
     check whether enable flag=Y
      {if it is yes ,another user has already logged in with this id and pwd,
       abandon both the user ,or as per ur application
       }
  else{ stored enable flag to the database and set it to Y
        }

.Make sure that at logout ,aur session_onEnd you are make clear or set it to "N" .
since session timeout occurs if user not perform any activity after 20 mints,it will clear the enable falg or set it to "N"
Hope this will help you
Please if you any other idea ,please do post


Cheers :)

vinod

hi,
i have a same problem here
www.onlinesrilanka.com/friends
here some friends get others password and their sending mail for other friends,
i need to stop that. how it's possible.
or can i store the visitros ip? if i store that ip can i make any legal action from them? please give me a good idea.

surendran
(Anything is Possible)

Hiya,

Why not try this:

When the user logs in, store the session id in a database with the users name.

If the user trys to login again and the session id does not match the one on file then block the second login.

When the user logs out (or when the session simply expires or ends "Sub Session_OnEnd" remove the session id and user from the table (pos called "user-locks") allowing a new session to be created.

Hope this helps:),
Peter Hart

Respected sir
I am facing a problem in our website www.kompz.com/skool
multiple user login with same user and pwd,this website in php and mysql.so i need actual code to prevent this with session.
please send me code as soon as possible in PHP & Mysql.
Thank you


satish