Hi guys.
I've been working on a large project recently that requires a lot of security. My users log in to an application and their session id and IP are stored in a database; this is then checked on every restricted page to check for changes (session hijacks) etc.
Basically, I need a robust and graceful way of handling multiple logins with the same user account. Currently, if a user is logged in and a second person then logs in with the same details, the first person is thrown out (because the session and IP have changed). A warning that the user account is already logged in is needed.
I know there are several ways to approach the problem but I would like to know your thoughts on the best solution.
Intelligent user authentication
#2
Posted 19 September 2008 - 05:45 PM
Just a thought: wouldn't it be better if the second person is prevented from logging in if the first one is already logged in?
#4
Posted 20 September 2008 - 11:17 AM
Actually both thoughts are wrong. Here's why: a user could log in from computer A ... go to computer B (laptop?) and try to log in there without previously logging out.
So, I think your current application state is correct ... my question is why would you want 2 users to be able to access the same account at the same time ?
#5
Posted 20 September 2008 - 05:53 PM
He doesn't want two users to log in at the same time. It's for security reasons, in case someone else logs in unauthorised. He wants to kick someone out to prevent this unauthorised access.
#6
Posted 06 October 2008 - 11:06 AM
I think forget IP...
There are many instances where an IP will be the same... on a LAN, although each local IP is different, the IP from the router to the internet is the same. By using your current system you are saying no one in a library, college or office can use it.
Forget IP for security; the only use of an IP is so that you have a stored trace-back method to any mischievous network, and can in future block that IP.
I believe SSL and SessionId is the way forward.
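One way to implement the graceful hand-over the original poster asks for, as an added example in Python that is not from the thread or anyone's project: a new login supersedes the account's existing session and leaves a one-time message for the displaced browser instead of silently dropping it, and the client IP is recorded for audit only (as post #6 suggests), not compared on each request. The in-memory stores, function names and message text are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores for the example; the original poster keeps
# this data in a database, and a real deployment would do the same.
SESSIONS = {}   # token_hash -> {"user": str, "ip": str, "created": float}
ACTIVE = {}     # user -> token_hash of that account's one live session
DISPLACED = {}  # token_hash of a superseded session -> message for its holder

DISPLACED_MSG = ("Your account was signed in from another location, "
                 "so this session has been signed out.")


def _h(token: str) -> str:
    # Store only a hash of the token so a database leak does not expose live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


def login(user: str, ip: str, now: float = None) -> str:
    """Create a fresh session for user and return the token to set as the cookie.
    If the account already has a live session, that session is moved to the
    displaced list so its holder gets an explanation on their next request."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    old = ACTIVE.get(user)
    if old is not None and old in SESSIONS:
        del SESSIONS[old]
        DISPLACED[old] = DISPLACED_MSG
    key = _h(token)
    # The IP is kept as an audit trail only; check() never compares it, so
    # users behind a shared NAT address or a changing address are not kicked.
    SESSIONS[key] = {"user": user, "ip": ip, "created": now}
    ACTIVE[user] = key
    return token


def check(token: str):
    """Called on every restricted page. Returns (status, detail) where status is
    "ok" (detail = user), "displaced" (detail = one-time message) or "invalid"."""
    key = _h(token)
    if key in SESSIONS:
        return "ok", SESSIONS[key]["user"]
    if key in DISPLACED:
        # Show the message once, then forget the old token entirely.
        return "displaced", DISPLACED.pop(key)
    return "invalid", None
```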