The drawback could probably be at least partially mitigated with an inactivity
timeout. When they attempt to log in, you check both the flag and the last time
you heard from them. If they had timed out, then you log them out and let them
go ahead and try to log in. It does cost an extra database write on each request
though, to keep the "last activity" time up to date.

Wes



Robert Landrum <[EMAIL PROTECTED]> on 08/01/2002 03:28:05 PM

To:   "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:    (bcc: Wesley Sheldahl/Lex/Lexmark)
Subject:  Re: [Newbie Q] Cleanest way to implement one logon per user?



On Thu, Aug 01, 2002 at 03:08:40PM -0400, Baljit Sethi wrote:
> Hello.
>
> I am hoping someone can point me in the right direction.
>
> What I want to do is limit client logons to one logon per username ie while
> a client has a session open, he/she cannot logon to the website from another
> terminal.

The problem isn't determining when they've logged in, but determining when
they've logged out.

While it may be possible to write a record to the db that contains username,
password, and IP address, it does not guarantee that the user's IP address
will not change mid session. (cable modem disconnect and reconnects with new IP,
transparent to the user.)

The short answer is, you can't.  The long answer is that you can, but it takes
way more work than it's worth.

The only way I've seen is to set a cookie (encrypted) on the client's machine
and flag the user as logged in.  If the user tries to log in again (from
anywhere), it rejects it.  Only if the original client connects and clicks
logout (and the cookie still exists) does it actually remove the flag (and
the cookie).

The drawback here is that if any user ever deletes their cookies before
logging out, they're screwed, and will call asking you to fix it.

Good luck,

Rob
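The following is an added example, not code from either message in this thread. It sketches in Python the scheme the two replies describe: a per-user "logged in" flag that a second login is checked against (Rob), cleared only by a logout that presents the matching cookie, plus the inactivity timeout Wes suggests so a user who lost the cookie is not locked out forever. Assumptions: the password has already been verified before `login()` is called; a dict and an injectable clock stand in for the database table and wall clock; the cookie is an opaque random token whose hash is stored server-side (rather than the encrypted cookie Rob mentions, and without storing the password in the row); the 15-minute timeout and the username `baljit` are made up for the walkthrough.

```python
import hashlib
import hmac
import secrets
import time

# Inactivity window after which a session is treated as abandoned (assumed value).
INACTIVITY_TIMEOUT = 15 * 60  # seconds


def _hash_token(token):
    # Only a hash of the cookie value is kept server-side, so a read of the
    # table does not hand out usable session cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """One row per username: hashed session token plus the last time we heard
    from that client.  A dict stands in for the database table."""

    def __init__(self, now=time.time):
        self._rows = {}   # username -> {"token_hash": str, "last_seen": float}
        self._now = now   # injectable clock so the timeout can be exercised

    def login(self, username):
        """Called after the password check.  Returns the cookie value to set,
        or None if the user still holds a live session elsewhere."""
        now = self._now()
        row = self._rows.get(username)
        if row is not None:
            if now - row["last_seen"] < INACTIVITY_TIMEOUT:
                return None            # active session elsewhere: reject
            del self._rows[username]   # timed out: log the old session out
        token = secrets.token_urlsafe(32)   # opaque random cookie value
        self._rows[username] = {"token_hash": _hash_token(token), "last_seen": now}
        return token

    def touch(self, username, token):
        """Run on every request: validate the cookie and refresh last_seen
        (this is the extra write per request Wes mentions)."""
        row = self._rows.get(username)
        if row is None:
            return False
        if not hmac.compare_digest(row["token_hash"], _hash_token(token)):
            return False
        now = self._now()
        if now - row["last_seen"] >= INACTIVITY_TIMEOUT:
            del self._rows[username]   # expired: clear the flag
            return False
        row["last_seen"] = now
        return True

    def logout(self, username, token):
        """Only the client presenting the matching cookie can clear the flag."""
        if not self.touch(username, token):
            return False
        del self._rows[username]
        return True


class FakeClock:
    """Controllable clock, constructed for the walkthrough below."""

    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def walkthrough():
    """Two terminals fighting over one username; returns the outcome of each step."""
    clock = FakeClock()
    store = SessionStore(now=clock)
    out = []
    tok_a = store.login("baljit")                      # terminal A logs in
    out.append(tok_a is not None)                      # True
    out.append(store.login("baljit") is None)          # terminal B rejected: True
    out.append(store.logout("baljit", "forged-cookie"))  # wrong cookie cannot clear the flag: False
    clock.advance(5 * 60)
    out.append(store.touch("baljit", tok_a))           # activity keeps A alive: True
    clock.advance(INACTIVITY_TIMEOUT)                  # A goes silent past the timeout
    tok_b = store.login("baljit")                      # A's cookie lost or never logged out
    out.append(tok_b is not None)                      # B is let in now: True
    out.append(store.touch("baljit", tok_a))           # A's old cookie is dead: False
    out.append(store.logout("baljit", tok_b))          # proper logout clears the flag: True
    out.append(store.login("baljit") is not None)      # fresh login succeeds: True
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The "kick the stale session on re-login" step in `login()` is what turns the lost-cookie support call into a 15-minute wait; the cost is that a live user who has been idle for that long can be displaced by a second terminal, so size the timeout to the application rather than copying the value above.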