prevent same login from different computers or IP addresses at the same time

Hi Experts,

How do I prevent users from using the same login at the same time from different computers or IP addresses?!

I'm using ColdFusion MX 7 and an Access database.
Asked by: techman36

gdemaria Commented:
You can keep track of what users are currently connected. You can create an extra field in the user's table called something like isConnected.

When the user logs in, update isConnected to true, and when he logs off you change it to false.

The problem is that many users will time out or just close their browsers. So you need some mechanism to clean up and change the flag. The best way to do this is using Application.cfc instead of application.cfm. The onSessionEnd function will fire when the session expires; in this function you can set the flag to false.

Scott Bennett Commented:
What you need to do is save the IP in a column in the users table when the user logs in, then check it every time they hit a page. Then if they log in on a second computer it will update the column again, and the next time the first computer hits the site that session gets logged out because its IP does not match the IP in the database.

Scott Bennett Commented:
In the previous post I explained how to expire the first computer's session if a second session on another IP starts. If you want to make it so that a second session cannot start until the first one logs out, then you will still need to track the IP when the user logs in, but you will need to block the second computer from logging in if there is an IP in the column that doesn't match the computer's IP. Then in your logout and onSessionEnd functionality, you clear the database column that has the IP so the user can log in from another computer.

Scott Bennett Commented:
If you have users that might be on several computers on a LAN that may appear as coming from 1 IP and you want to make sure they are only using 1 of those computers at a time, then you can use the same logic but use a UUID that you place in their cookies and in the database and compare those values instead of using IP.

rob_lorentz Commented:
We keep session data in a table in our db. We attach the contact/user id to the session. If they log in again we 'kill' any session associated with that user ID, then attach the user id to the current session. This prevents the situation of the user having to wait for a session to expire.

gdemaria Commented:
I like Rob's approach, really clean.

The primary functional difference is which user's session "wins." In Rob's approach, the last user to log in takes over the session and kills the first one. In SB & my approaches, the 2nd user is locked out. Accepting the last one logged in may be the best for the user experience in case the user has moved to another location (gone home after work) and, as Rob said, it also prevents having to wait for session time-outs, which can be a huge pain.

gdemaria Commented:
Oh, I was going to add that I believe it can be implemented just by adding a sessionID variable to the user's table, and instead of blocking a new user, changing the sessionID value to the new one, thus killing the first session. I think the separate session table is beneficial if you track a session prior to login. If that's the case, the separate session table would be better.

Scott Bennett Commented:
>>> "In SB & my approaches, the 2nd user is locked out."

If you read my comments carefully you will see that I actually gave suggestions for both scenarios.
My first comment explained how you could make it so that the most recent computer the user logged in from wins, and the other computer would be expired the next time they attempt to log in. The second comment explained how to block any login attempts if the user is already logged in. In my third comment I suggested that you could use a UUID (you could also use their sessionid, cftoken, or any other unique identifier) instead of IP (I had originally posted the explanations with IP because that was the question, but a UUID or sessionID would be better because it ensures you are dealing with a particular machine).

I usually use the first method I suggested (logging out the session on the first computer when a user logs in on a second computer) because I have found that to be less frustrating for users.
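
One way to implement the "newest login wins" approach discussed in this thread (a per-login UUID stored in the users table and checked on every request), as an added example that is not code from any poster. The datasource `appDSN`, the columns `users.user_id` and `users.active_token`, the page `login.cfm`, and the `session.userId` key set by the login handler after the password check are all assumptions.

```cfml
<!--- Application.cfc: added example, newest login wins. Assumed names: datasource
      "appDSN", table users(user_id, active_token), login.cfm, session.userId. --->
<cfcomponent output="false">
  <cfset this.name = "singleSessionDemo">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = CreateTimeSpan(0, 0, 30, 0)>

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" required="true">
    <cfset var q = "">
    <cfif NOT StructKeyExists(session, "userId")>
      <cfreturn true> <!--- not logged in; nothing to enforce --->
    </cfif>
    <cfif NOT StructKeyExists(session, "token")>
      <!--- First request after login: mint a token, overwriting any older session's. --->
      <cfset session.token = CreateUUID()>
      <cfquery datasource="appDSN">
        UPDATE users
        SET active_token = <cfqueryparam value="#session.token#" cfsqltype="cf_sql_varchar">
        WHERE user_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
      </cfquery>
      <cfreturn true>
    </cfif>
    <cfquery name="q" datasource="appDSN">
      SELECT active_token FROM users
      WHERE user_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfif q.recordCount EQ 0 OR q.active_token NEQ session.token>
      <!--- A newer login replaced our token: drop only our own keys, then redirect. --->
      <cfset StructDelete(session, "userId")>
      <cfset StructDelete(session, "token")>
      <cflocation url="login.cfm" addtoken="false">
    </cfif>
    <cfreturn true>
  </cffunction>

  <cffunction name="onSessionEnd" returntype="void" output="false">
    <cfargument name="sessionScope" required="true">
    <cfargument name="applicationScope" required="false">
    <!--- Use the argument, not "session". Clear the column only if it still holds
          this session's token, so an expiring old session cannot log out the new one. --->
    <cfif StructKeyExists(arguments.sessionScope, "token")>
      <cfquery datasource="appDSN">
        UPDATE users SET active_token = NULL
        WHERE active_token = <cfqueryparam value="#arguments.sessionScope.token#" cfsqltype="cf_sql_varchar">
      </cfquery>
    </cfif>
  </cffunction>
</cfcomponent>
```

For the "block the second login" variant from the thread, the login handler would instead refuse the login while `active_token` is non-empty, which makes the `onSessionEnd` cleanup mandatory rather than optional.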
