Multiple Logins and Sessions


#1

Dear friends, I just noticed that I can log in to my app with two different browsers. I don’t understand why this is allowed or how to stop it. I can see that PHP sessions and browsers are not helping us contain our users. Logout forms work, but closing the browser offers no way of knowing that the session has ended. I wish browsers were programmed to send a notice to the server that active sessions are being terminated.

Anyway, how can one prevent multiple logins?

I imagined a loggedin column in a database, but that can’t work because of the browser closing situation.

Now I imagine that a members table should be renamed to a memberschecklist table. Thus, I can see if you are a valid member with a valid password. If you are a valid member, then proceed to execute a new database query to a new table named membersloggedin. I imagine that we can store the logged-in members by username and perhaps a token. If a second login is attempted, then the username will already be in the loggedin table. Thus, a member can be challenged to delete this entry. However, this means that I have to continuously check the loggedin table on every restricted page.

Is there a professional method to detect multiple logins and stop the second login? Is it possible to use JSON to alert that a browser has been closed?

Thank you.


#2

I’ve never come across a use case like this. Why can’t a user be logged in on multiple machines/browsers?

Also, you can never trust a browser to do anything you assume it will, so relying on the client to tell you they are done is not going to work.


#3

Every web page I know allows logins from multiple devices. Yours should too.

You should store the user id (auto-increment column) value in a session variable or any related stored data so that the username can be edited at any point without breaking everything.

Yes, you should query on each page request to get the current user information/user permissions, so that any changes made to them (edits, blocking spammers, promoting/demoting levels) take effect starting on the next page request after the change is made. If you are storing general user information/user permissions in session variables, they won’t be updated until the user logs in again. Are you going to ask a spammer to log out and back in again to stop them from being able to access your site?


#4

I can answer that. In the case you have a membership/subscription website, there can be a problem of password sharing. While you can’t stop someone from sharing their password, you can make it so only one person with that login can use the site at one time. In a nutshell, you store the IP on login and set that IP to a session. You then do checks on page loads comparing the session IP to the DB IP. If they don’t match, you unset the login session, forcing a logout.


#5

Hello friends,

Benanamen hits the bullseye here. I am, in fact, building a subscription based nature website. I ask you to pay me to view my photos, watch my videos, listen to audio and read my stories and species data. Basically, an online book that can be updated. I don’t want to facilitate password sharing. Benanamen thinks like a Business major :slight_smile:

Most sites allow it because they either generate revenue via advertising or they are free and ask for donations. I am being bold and stupid by asking for membership fees/subscriptions.

I just don’t like the idea of sharing passwords. Technology doesn’t help me here, but I think that it is possible to allow only one user per username. I was hoping maybe someone knows of a better method.

Thank you for all of the comments. I truly appreciate the expertise and guidance.


#6

Ok, that’s similar to what Spotify is doing to prevent account sharing. You need something better though. A lot of people may share an IP (think schools, companies or even a home NAT).


#7

Login is now working, but it is not yet secure. I’m still reading and coding.
Yesterday, I added a form token whose hash I compare to a session variable.
I have yet to create a change username form or work in code to handle this matter.

phdr just helped me with a glob function so that members can change my default background (desktop) photo:

I also posted for help with the titlebar because I originally translated into German using files instead of a database. I just learned how to use a database and PDO last month. Remember?

When I first came here, astonecipher responded to my questions like I was building a porn site. I was a little irritated, but I really am building a nature site. I dissect and identify insects by myself, I photograph all nature and measure everything that I can get on mm paper. I’ve spent a lot of money on cameras and lenses for my work. I work up to 16 hours per day trying to make this dream come true. I cannot afford to hire programmers right now. I’m on my own. I always hope that I can get help from the internet whenever I am in need of guidance. PHPhelp is valuable to me.

Anyway, I really am building a nature site, and it is a membership/subscription-based business model. I want to figure out how to limit one login per username.


#8

So, expanding on this subject, following is a rough draft of some database tables for members:

members table
    id [int(12)]
    admin_id [varchar(64)] = any_name . id . pin . randombytes(8)
    username [varchar(32)]
    password [varchar(?)] = depends on the hashing algorithm
    pin_number [int(8)] = customer pin number for verification
    reg_date [registration datestamp]
    reg_time [registration timestamp]
    exp_date [registration expiration date]
    first_login_date [date of first login]
    first_login_time [time of first login]

active_members table
    id
    login_id [like a token, which can be used to delete session?]
    ip
    browser
    datestamp
    timestamp
    admin_id

log_members table
    id
    brutelog [login attempts logged to detect brute force]
    brutelock [flag to lock account for 15 minutes]
    brutelocktime [timestamp for brutelock]
    brutelockexp [timestamp to expire brutelock]
    admin_id

I am certainly not a database designer, so I wonder if some experts can offer opinions and suggestions. I’ve tried to explain the logic with comments, but I can clarify any material. I don’t know how this is accomplished in the real world. I just imagine the problem and try to conjure a solution that makes sense.

I think that we could use a login id or maybe just the admin secret customer_id to destroy an active session, yes?


#9

members table
Not sure you need admin_id and pin_number. Isn’t the password enough to log in? Why the pin?

Date/time fields can be combined into one datetime field, i.e. reg_date and reg_time -> registered_at.

Password field: if you set up password_hash, password_verify and password_needs_rehash correctly, then your app will auto-update password hashes on login when PHP changes the recommended hash algo. This means you do not know the length of the hash output. I’m quite confident the recommended length is 255.

I’d skip the active_members table; if a member can only have one session, then you can add the session id to the members table (active_session or similar). If you add a last_login_at, you can easily check if the new login/session is newer than the old one and replace the data in the db. If the previous session then returns to the site, it can be logged out, as the session id it presents is no longer in the members table.

General tip
id fields: set as unsigned to only allow positive numbers and effectively double the number range you can store
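The scheme this reply describes (session id kept in the members table, newer login replaces it, the older browser is logged out on its next request) plus the password_needs_rehash upgrade it mentions, written out as an added example; this is not code from the thread or from the poster's project. It assumes a members table with columns id, username, password_hash, active_session and last_login_at (names chosen here), uses an in-memory SQLite database through PDO so it runs stand-alone, and uses a plain array in place of $_SESSION so two browsers can be simulated in one script.

```php
<?php
// Added example, not code from the thread. Assumed schema (column names chosen here):
// members(id, username, password_hash, active_session, last_login_at).
// An in-memory SQLite database stands in for the real PDO connection, and a plain
// PHP array stands in for $_SESSION so two browsers can be simulated in one script.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (
    id             INTEGER PRIMARY KEY,
    username       TEXT UNIQUE NOT NULL,
    password_hash  TEXT NOT NULL,
    active_session TEXT NULL,
    last_login_at  TEXT NULL
)');

// Constructed test member. password_hash() picks the currently recommended
// algorithm, so the real column should be wide enough (VARCHAR(255)) for future hashes.
$db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)')
   ->execute(['john.20-19', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Log in and make this session the member's only active one.
// In a real app $session is $_SESSION, and session_regenerate_id(true) should be
// called right after a successful login so the browser gets a fresh session id.
function login(PDO $db, array &$session, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the username is unknown, so a failed
    // login takes about the same time either way and does not reveal valid usernames.
    $hash = $row['password_hash'] ?? password_hash('unknown-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }

    // Transparent upgrade when PHP changes the recommended algorithm or cost.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE members SET password_hash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }

    // A new random token replaces whatever session was active before, so the
    // previous browser is logged out on its next request.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE members SET active_session = ?, last_login_at = ? WHERE id = ?')
       ->execute([$token, gmdate('Y-m-d H:i:s'), $row['id']]);

    $session = ['user_id' => (int) $row['id'], 'session_token' => $token];
    return true;
}

// Per-request check for restricted pages: the session stays valid only while its
// token is still the member's active_session. Returns the member id, or null after
// clearing a superseded session.
function currentMember(PDO $db, array &$session): ?int
{
    if (!isset($session['user_id'], $session['session_token'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT active_session FROM members WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $active = $stmt->fetchColumn();

    if (!is_string($active) || !hash_equals($active, $session['session_token'])) {
        $session = []; // superseded (or deleted) member: force logout
        return null;
    }
    return $session['user_id'];
}

// Two browsers, each with its own session.
$browserA = [];
$browserB = [];

var_dump(login($db, $browserA, 'john.20-19', 'wrong password'));               // wrong password
var_dump(login($db, $browserA, 'john.20-19', 'correct horse battery staple')); // browser A logs in
var_dump(currentMember($db, $browserA));                                       // browser A's page check

login($db, $browserB, 'john.20-19', 'correct horse battery staple');           // browser B logs in later
var_dump(currentMember($db, $browserB));                                       // browser B's page check
var_dump(currentMember($db, $browserA));                                       // browser A's page check again
```

Run it with the PHP CLI (pdo_sqlite is needed for the in-memory database). The per-request check is the cost the original poster worried about, but it is a single indexed lookup by primary key, and it is the same query post #3 recommends anyway for picking up permission changes. Because the check compares a random token rather than an IP address, it does not break for members behind a shared NAT, the problem raised in post #6.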


#10

Originally, I wanted to use a customer id number as your session variable for userid instead of a username. Then, I came up with a much better idea to prevent people from knowing your username. Thus, admin_id may not be used. pin was meant to be a security token, but I recently learned about JSON web keys. I may use the JSON method for authentication.

I will skip the active members table and follow your advice.

Do you have any other tips? I have never seen a professional login table. I just imagine what I need and try to create a database for this process. I often wonder what pro code looks like. For example, what does Google use for a login database? I was actually happy that someone released that Apple code last year. I was able to see some pro coding methods, which is better than university material in my opinion.


#11

If you could provide some info on what you’re trying to protect against, it would be much easier to recommend something. For all intents and purposes, a username/password login (with a CSRF token), password validation against a hash stored in the db, and regular PHP sessions is good enough for a normal use case.


#12

Hi Jim, I can’t say that I agree with barebones protection methods. I believe that all websites should maintain a bank-level security system. I grow tired of how easily hackers have things these days. I work very hard to document nature and I do not want to make a hack easy. One skilled hacker and all of my photos are on a torrent site somewhere. I know that there are highly skilled hackers, but some things should be hardened to make it difficult for the less skilled hackers. For one thing, showing usernames publicly makes it easier for hackers to start trying to guess a password. I will not show usernames, as they are for login purposes only. I decided to add a ‘display name’ that can be shown instead. Thus, username=john.20-19 password= sha3-256 string displayname=Silly Willy. Now try brute-forcing my db with Silly Willy + password. Much better protection for my users.

However, I do not know of better hardening methods. I know only about the things that you just mentioned plus keeping my code outside of the root. I’ve tried keeping everything outside of the root, but I can only get images to show by using data URIs. I can’t even link a video outside root right now.

Anyway, I suppose that I will have to make a go of it with minimal protection until I can learn of better methods.


#13

Yeah, but if you use password_hash/password_verify, then the user passwords should be considered safe. If you use the regular PHP sessions, then sessions should be considered secure.

This is not (by far) the same as your images being safe though. For one, a legit user may log in and dump your site. Or a hacker may abuse flaws in your server OS, applications or configurations to gain illegitimate access.

As long as you follow up-to-date guidelines when coding (phpdelusions) and have a professional set up and maintain your production environment, I’m not sure what else you can do. You will obviously still have to trust your users, and your server, and your hosting provider, and your code…


#14

Very nice post, Jim. You speak the truth:

For some reason, I forget about OS flaws. Thanks for reminding me. I have no power over this scenario. I guess that my code is the one thing that I need to focus on the most. I certainly do not wish to make any novice mistakes. However, I am a member of phphelp, so I think that I am surrounded by very knowledgeable people. As I said before, Jim, you are very knowledgeable and I ALWAYS appreciate your input.

Thank You :smile:


#15

Jim, I was thinking about images last year and I actually came up with a few ideas. One: I’ve seen sites where images are split into 3, 6, 9 squares and patched together for display. I don’t care much for this method, but it would be a pita for normal (non-technical) people.

My idea: create a table of width and height image dimensions and define each pixel color that defines the image. Then display those pixels on the screen. Right-click would yield nothing, as it is not an image. Problem for me is that I’m not an advanced programmer, so this is not feasible right now. I like the idea.

I’ll move on from this topic now. Thank you for all of the help with this subject.