Hi there Gilead,

My first thought on this is to have a 'logged_in' column as an Enum('1','0') field with the boolean set to '0' as default, then just setup a regular check to see if the user/session is still there, if not, return the entry to its default.

Then just pop a function on your code (before page data is set up) for a check to see if the column that is associated with the $_SESSION/$_COOKIE data is either returnin true or false, post login check obviously!

Hope that makes sense.

Cheers,
MRb

whats the problem with letting them login with another browser? as long as they have the correct password then there's no reason to think that they are doing something wrong.

>>whats the problem with letting them login with another browser?

It's amazing what some clients ask for! I had something similar as a request last year. They only wanted 'single instance' logging..

Cheers,
MRb

Save the current session ID to the table where you have the user login data.

On page loads check if the current session ID is the same as the database.

What should happen if they try to login from another browser whilst already logged in elsewhere?

...then just setup a regular check to see if the user/session is still there, if not, return the entry to its default.

What if the user closes/crashes the browser without logging out? Isn't the session still active, as far as the server is concerned, until it times out (24 mins)?

I just wanted to prevent potential security problems. If a single user can log in, then someone else, potentially, could log in with the same account and mess things around. I was using a different browser to simulate another person logging into the same account.

All these solutions are great for testing if the user is logged in already. None address the real issue which is:

"How do you know when they log out if they restart their computer or close the browser?"

You need to log each page load on the server. Then you need to have a system function that runs in the background every X seconds and checks for logged in users and their last page load. If a logged in user's last page load was X minutes ago, you can consider the session over and you can reset the "logged in" status.

Something to consider. If someone can login as someone else then you have a bigger problem and setting it up so that only one of them can be logged in at a time won't address the problem that someone is able to login as someone else.

cron job maybe?
I know one thing, this is getting too complicated for me at this level.

I just wanted to prevent potential security problems. If a single user can log in, then someone else, potentially, could log in with the same account and mess things around.

i think you are complicating things for no reason. as long as they have the correct password to login then there are no security problems. what could happen? if they've got the password then they must be legit.

Why does session expiration have to be run in the background?

What's wrong with integrating it into session checks? I.e. instead of just looking for the existence of relevant sessions, also check their last access/update time and expire the session if too old.

There are many scenarios why you only want one user logged into one account at the same time. For example when you want to discourage sharing of accounts.

But usually this problem is not solved by preventing a second login but by destroying the old session when another user logs into the same account and starts a new session. The normal solution is to close the first session and not prevent the second.

Safe the current session id in the database at login and check if it matches with every page load. If it does not match, then destroy the session and display an error message - that another user has logged in from a different browser or computer.

Else you will always have the problem that a user gets locked out until the session expires when he closes his browser without clicking on "log out" first. And let's face it: Nobody ever clicks on "log out".

>>And let's face it: Nobody ever clicks on "log out".

That's not true, you can't state that as concrete. There is always someone out there who will do that, shared PC's or public terminals for starters.

>>None address the real issue which is: "How do you know when they log out if they restart their computer or close the browser?"

Well, that's exactly what having the enum() field in your database could be used for - this in conjunction with a cron job does exactly that. This will monitor your login and can be made so that only 1 distinct successful login can be done at a time. Though I thoroughly discourage this.

Cheers,
MRb

Either that, or I have completely missed the point.

That's not true, you can't state that as concrete. There is always someone out there who will do that, shared PC's or public terminals for starters.

Maybe some people do it, but you can't rely on that.

That's why most systems that allow only one log in at a time achieve this by closing all previous sessions when a new log in occurs. Not by blocking new login attempts.

If you block new log in attempts because somebody has not logged out properly this is pretty annoying because this requires either that the user waits until enough time has passed and the system considers the previous session as closed, or you have to implement a feature that allows the user to force the end of the previous session. Like sending an email with a confirmation link.