Oh yes, changing IPs. I hear that WebTV terminals may have different IP addresses per each HTTP request.

I suppose the specific behaviour you want on the event 'user A at station A is authenticated. user A at station B attempts to authenticate'. I handle that by expiring the original session and keeping the new one. You could take Robert's advice and force the user A at station A to logout first but that's a management headache.

I use my SQL database to enforce timeouts. If you examine this PostgreSQL SQL code you'll notice that while the session records are stored in UserSession that checks for *valid* sessions are done against the ValidSession view. That view ensures that stale sessions are not considered. The full database including schema may be downloaded from my home page at http://www.greentechnologist.org/downloads/jbj-0731.tgz. That's a reference to *one* possible implementation anyway.

CREATE TABLE UserSession (
    SessionID     INTEGER PRIMARY KEY,
    SessionDigest TEXT CHECK (length(SessionDigest) IN (40, 30)) NOT NULL,
    -- UNIQUE: at most one session row per user
    UserId        INTEGER NOT NULL UNIQUE
                  REFERENCES Users (ObjectId)
                  ON DELETE CASCADE ON UPDATE CASCADE,
    Created       TIMESTAMP NOT NULL DEFAULT current_timestamp,
    Modified      TIMESTAMP NOT NULL DEFAULT current_timestamp
);

-- Uninitialized and stale sessions don't appear
CREATE VIEW ValidSession AS
    SELECT s.*, u.Username AS activeuser
    FROM UserSession AS s, ValidUsers AS u
    WHERE s.UserId = u.ObjectId
      AND s.Modified >= current_timestamp - '15 minutes'::interval
      AND s.SessionDigest != ''::text;

Robert Landrum <[EMAIL PROTECTED]>
08/01/2002 02:28 PM

To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: Re: [Newbie Q] Cleanest way to implement one logon per user?

On Thu, Aug 01, 2002 at 03:08:40PM -0400, Baljit Sethi wrote:
> Hello.
>
> I am hoping someone can point me in the right direction.
>
> What I want to do is limit client logons to one logon per username i.e. while
> a client has a session open, he/she cannot logon to the website from another
> terminal.

The problem isn't determining when they've logged in, but determining when they've logged out. While it may be possible to write a record to the db that contains username, password, and IP address, it does not guarantee that the user's IP address will not change mid-session (cable modem disconnects and reconnects with a new IP, transparent to the user).

The short answer is, you can't. The long answer is that you can, but it takes way more work than it's worth.

The only way I've seen is to set a cookie (encrypted) on the client's machine and flag the user as logged in. If the user tries to log in again (from anywhere), it rejects it. Only if the original client connects and clicks logout (and the cookie still exists) does it actually remove the flag (and the cookie).

The drawback here is that if any user ever deletes their cookies before logging out, they're screwed, and will call asking you to fix it.

Good luck,

Rob
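
Added example, not part of the original thread or of the downloadable schema: a sketch of the "newest login displaces the old session, stale sessions are ignored" approach from the first message, using SQLite in place of PostgreSQL. The table and function names, the SHA-256 token digest and the explicit `now` parameter (seconds) are assumptions made for the illustration.

```python
import hashlib
import secrets
import sqlite3

TIMEOUT = 15 * 60  # seconds; mirrors the 15-minute window in ValidSession

def open_db():
    db = sqlite3.connect(":memory:")
    # UNIQUE user_id: at most one session row per user, as in UserSession.
    db.execute("""CREATE TABLE user_session (
        user_id INTEGER NOT NULL UNIQUE,
        session_digest TEXT NOT NULL CHECK (length(session_digest) = 64),
        modified INTEGER NOT NULL)""")
    return db

def _digest(token):
    # Store only a hash of the token, so a database leak exposes no live tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def login(db, user_id, now):
    """Start a session; any earlier session for this user is replaced."""
    token = secrets.token_urlsafe(32)
    with db:  # one transaction: delete the old row, insert the new one
        db.execute("DELETE FROM user_session WHERE user_id = ?", (user_id,))
        db.execute("INSERT INTO user_session VALUES (?, ?, ?)",
                   (user_id, _digest(token), now))
    return token

def validate(db, user_id, token, now):
    """True if token is the user's current, non-stale session; refreshes it."""
    with db:
        cur = db.execute(
            "UPDATE user_session SET modified = ? "
            "WHERE user_id = ? AND session_digest = ? AND modified >= ?",
            (now, user_id, _digest(token), now - TIMEOUT))
    return cur.rowcount == 1  # no row matched: displaced, stale or unknown

def demo():
    db = open_db()
    a = login(db, 1, now=0)               # station A (constructed timeline)
    ok_a = validate(db, 1, a, now=60)
    b = login(db, 1, now=120)             # station B logs in as the same user
    return (ok_a,
            validate(db, 1, a, now=130),                # A was displaced
            validate(db, 1, b, now=130),                # B is current
            validate(db, 1, b, now=130 + TIMEOUT + 1))  # B went stale
```

No logout tracking or IP address is involved: the session at station A simply stops validating once station B logs in, and an abandoned session expires by itself.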