On 7 June 2010 04:20, Skip Evans <s...@bigskypenguin.com> wrote:
> Hey Ash & all,
> Thanks for that detailed explanation.
> This is a lot of what I was thinking. Cookies can get deleted, etc, and all
> the other things that can toss wrenches into this.
> To clarify, they want to limit a single user to two machines max, but only
> one at a time.
> I'm going to have to explain to them the problems with this and see what
> else they can work out.
> The manual unlock Ash suggests is interesting, and I'll run that by them,
> but I'm thinking they might opt to forgo the limit for now to avoid risking
> pissing off new customers with something that might be more of a hassles for
> them than it's worth.
> Thanks much for your input. This is a lot of good stuff to help me
> articulate a response to the client.
> Skip
> Ashley Sheridan wrote:
>> On Sun, 2010-06-06 at 20:31 -0500, Skip Evans wrote:
>>> Hey all,
>>> I'm familiar with setting cookies in PHP and using REMOTE_ADDR
>>> to get a visitor's IP address (or that of their gateway), but
>>> not quite sure how to implement a robust mechanism that would
>>> limit a user to logging in from only two different machines, a
>>> requirement this client has on the project.
>>> I'd greatly appreciate hearing from people who have done this
>>> or something similar, or suggestions people might have that
>>> would give that oh so familiar, "D'oh!" moment.
>>> I have some ideas sketched out, setting cookies, etc, but not
>>> sure how robust they'd be.
>>> Big Thanks!
>>> Skip
>>> --
>>> ====================================
>>> Skip Evans
>>> PenguinSites.com, LLC
>>> 503 S Baldwin St, #1
>>> Madison WI 53703
>>> 608.250.2720
>>> http://penguinsites.com
>>> ------------------------------------
>>> Those of you who believe in
>>> telekinesis, raise my hand.
>>>  -- Kurt Vonnegut
>> Is this two machines at the same time, or two machines ever?
>> I don't think there's any way you can guarantee either, unless you
>> supply them with some form of closed binary that they are forced to use
>> either instead of or with the browser, i.e. a Java applet, etc.
>> A similar question to this came up on the list not so long ago, and
>> there was no real conclusion at the end other than it can't really be
>> done. Cookies can be deleted, IP addresses change all the time (either
>> deliberately, by some proxy or even by the ISP itself issuing a dynamic
>> IP address), even the MAC address (if you found a way to get at it) can
>> change.
>> About the only thing I've seen that might help was a device made for the
>> Bloomberg stock market system, which was a small credit-card sized
>> object which would read in a random pattern of flashes from the screen
>> and produce a unique ID number which was then keyed back into the
>> system. By relying on a physical dongle you can pretty much guarantee
>> that a user is only on one system, but the project obviously becomes
>> much more costly and complicated.
>> If you do go the cookie route, maybe gather a bunch of information to
>> store on the server against that cookie and the user. If the cookie is
>> not detected the next time the user goes to log in, maybe force them to
>> send an email requiring a manual unlock, and make them give a reason for
>> either why the cookie was removed, or why the computer information has
>> changed beyond the two computer profiles you've got stored for them.
>> It's not foolproof, but might show your client why this isn't something
>> that can be easily done, and is not something that should be decided on
>> lightly, as there are many valid and genuine reasons why somebody might
>> want to use more than two computers (i.e. they had a fire and lost those
>> computers, they rebuilt a computer with a new OS, they upgraded the
>> computer, a computer was stolen and needed to be replaced, they are away
>> from their computer and had to use a public access one, etc. The list
>> can go on and on.)
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
> --
> ====================================
> Skip Evans
> PenguinSites.com, LLC
> 503 S Baldwin St, #1
> Madison WI 53703
> 608.250.2720
> http://penguinsites.com
> ------------------------------------
> Those of you who believe in
> telekinesis, raise my hand.
>  -- Kurt Vonnegut
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

For dealing with multiple simultaneous logins, the easiest option is
the store the session ID against the user account on the DB and
compare this for each of the secured resources. Make sure that any
login page doesn't automatically login as you could end up in a mad
race as the 2 sessions compete to login and are constantly throwing
the other session out.


Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to