Todd White <[EMAIL PROTECTED]> writes: > i'm sure this is not a novel need, but i have failed to find or come up > with just yet any (non-cookie) solution yet. i'm trying dearly to avoid > cookies, but if that's the best or only way to do this, feel free to speak > up. i'd love to hear from someone who has already tackled the problem of > stopping concurrent web logins to a protected web space. > > realizing that ultimately people can share their username/password to a > for-fee protected web site, we would at *least* like to avoid the > possibility that two people could both be logged in at the same time from > two different computers. the use of IP address doesn't seem adequate > since many users come through a router/proxy running NAT.
Hmm, as people are logged in, there must be some kind of session. So the only thing you need is to make sure that there can be at most one session for given user id - in fact, to invalidate any 'older' session(s) while logging in in the 'new' one. -- ( Marcin Kasperski | In any large change, 1/3 will think it is great, 1/3 ) ( http://www.mk.w.pl | will think it is stupid, and 1/3 will wait (Reed) ) (----------------------------------------------------------------------------) ( Porady dla programisty Oracle: http://www.mk.w.pl/porady/porady_oracle )
