This will work in MOST cases, but people who are visiting from behind a
proxy (or AOL) might appear to come from different IP addresses within the
same session.

Since you are attempting to restrict your application to a single user per
use, you have a couple of directions to go in:

1) Store all the sessions in the database (you can use this:
http://framework.zend.com/manual/en/zend.session.savehandler.dbtable.html).
Then at each login, first authenticate the user, remove any sessions for
that user in the database table, then store the user/identity to
Zend_Auth::getInstance()->setIdentity()

The benefit here is that you will validate at authentication time, and
expire all rogue sessions then.  This will cost you 3 hits at auth time to
the db, but that's fairly trivial.

2) The other option is to store the authenticated session id into the user's
table in the user row, and on each request check against what is stored.  If
the session id, username/identity and stored session id don't match up,
expire the session.

Hope this helps,
Ralph


On 3/18/09 9:32 AM, "Mike van Lammeren" <[email protected]> wrote:

> Store the IP with the username and password, then check for all three.
> When the next person logs in with that username and password from a
> different IP, then associate the new IP with that username and
> password, effectively kicking out the first person, forcing them back
> to the login screen with an error message, etc.
> 
> 
> On Tue, Mar 17, 2009 at 10:07 PM, Mr. Eric Eugene Naujock
> <[email protected]> wrote:
>> I am not sure that is what I am looking for.
>> 
>> This is the scenario that I am looking to resolve. I have two people at two
>> different computers and they both are trying to use the same account that
>> was paid for by 1 person. I am looking for a way to discover that two people
>> on two different computers are trying to use the same authentication to gain
>> access to an account.
>> 
>> So far from what I am seeing I have had two different people log in as 1
>> user on 1 paid account. I need to prevent that either by being able to deny
>> the second connection or disconnecting the old connection and allowing the
>> new one to replace it. Effectively destroying the old session.
>> 
>> I am using Zend_Auth for database accounts (Username and password) and
>> OpenId accounts also using Zend Auth with OpenId.
>> 
>> Right now I have seen in my tracking software two people using a single
>> username logged in, and before I expose the accounts to the public I need a
>> way to manage that. I am attempting to use as much of the Zend framework
>> throughout the system as I can.
>> 
>> On Mar 17, 2009, at 4:32 PM, Ralph Schindler wrote:
>> 
>>> If you are using Zend_Auth, check out the following methods:
>>> 
>>> $auth = Zend_Auth::getInstance();
>>> 
>>> $auth->hasIdentity();
>>> 
>>> HasIdentity() will return true if you have once already authenticated the
>>> user with $auth->authenticate(), and a proper adapter.
>>> 
>>> Zend_Auth by default uses Zend Session, so it should take care of the
>>> problem for you.
>>> 
>>> -ralph
>>> 
>>> 
>>> On 3/17/09 1:42 PM, "Mr. Eric Eugene Naujock" <[email protected]>
>>> wrote:
>>> 
>>>> Is there a way to track sessions to prevent a user from creating an
>>>> account and logging in multiple times at once? I am not seeing anything
>>>> that allows me to hook in and have the sessions check to see that
>>>> account johndoe is not logged in more than once at one time. How would
>>>> I go about doing this with Zend_Auth?
>>> 
>>> --
>>> Ralph Schindler
>>> Software Engineer     | [email protected]
>>> Zend Framework        | http://framework.zend.com/
>>> 
>>> 
>>> 
>> 
>> 

-- 
Ralph Schindler
Software Engineer     | [email protected]
Zend Framework        | http://framework.zend.com/
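
Option 2 from the reply above (remember one session id per account and compare it on every request), as an added example that is not code from the thread or from Zend Framework. It uses plain PDO so it runs on its own; the class name, the `users.username` and `users.active_session` columns and the sample session ids are assumptions, and storing a SHA-256 hash instead of the raw session id is a choice made for this example.

```php
<?php
// Added example (assumed schema: users.username, users.active_session).
final class SingleSessionGuard
{
    private $db;

    public function __construct(PDO $db) { $this->db = $db; }

    // Store a hash, not the raw id, so that reading the users table
    // does not hand out session ids that could be replayed.
    private static function fingerprint($sessionId)
    {
        return hash('sha256', $sessionId);
    }

    // Call right after a successful login: the newest login wins.
    public function claim($username, $sessionId)
    {
        $sql = 'UPDATE users SET active_session = ? WHERE username = ?';
        $this->db->prepare($sql)->execute(array(self::fingerprint($sessionId), $username));
    }

    // Call on every request; false means a later login superseded this session.
    public function isCurrent($username, $sessionId)
    {
        $stmt = $this->db->prepare('SELECT active_session FROM users WHERE username = ?');
        $stmt->execute(array($username));
        $stored = $stmt->fetchColumn(); // false if no row, null if never logged in
        return is_string($stored) && hash_equals($stored, self::fingerprint($sessionId));
    }
}

// Constructed demo data: in-memory SQLite, two browsers, one paid account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, active_session TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('johndoe')");

$guard = new SingleSessionGuard($db);
$guard->claim('johndoe', 'sess-browser-A');   // first person logs in
$guard->claim('johndoe', 'sess-browser-B');   // second person logs in later
var_dump($guard->isCurrent('johndoe', 'sess-browser-A')); // superseded session
var_dump($guard->isCurrent('johndoe', 'sess-browser-B')); // current session
```

In a Zend Framework 1 application, `claim()` would be called with `Zend_Session::getId()` once `$auth->authenticate()` succeeds, and `isCurrent()` would run early in each request, followed by `Zend_Auth::getInstance()->clearIdentity()` when it returns false.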

