ColdFusion Login Technique

I have my own customized login process for a ColdFusion application. I basically create some session variables to indicate the user is logged in and to share these user variables throughout the "session". The user is logged in as long as the session variables exist.

I would like to now check to see if a user is already logged in at another location.

I'm not sure what the "gold standard" is here? Or any?

I could have a login table and store the userid and the IP address. When a user logs in, I could test to see if the table has an entry for that user for another IP? If so, throw up a window, and if the user says "continue", I delete the row for the other address?

Am I on the right track here? I'm going for: the current user logging in bumps anyone else out.

Thanks in advance,

I wouldn't prompt them to continue; just invalidate the first session.
I usually store session IDs as well as userid, IP and a timestamp and find this works well with the following. This allows you to check what the latest session available is (at the start of each script) and throw an exception if they're accessing an old session (i.e. force them to log in again).
If there's conflict between sessions, i.e. continual bumping, then it's probably more so a security issue with the application (multiple users using the same login?).

> I could have a login table and store the userid and the IP address. When a user logs in I could test to see if the table has an entry for that user for another IP?

Actually, if the user can only have one login location, you don't need a new table. Just add a column to the users table itself: `LoginSessionID varchar(50)`.

Each page view, just test to see if the user's session ID matches the one you entered into LoginSessionID when the person first logged in.

Now, resolving a second login. The challenge is, how do you know if a login that doesn't match the session ID is a new login, or did the person close the browser at the previous location and is trying to log in again 10 minutes later? I suggest on login, you replace the loginSessionID; this will affect the FIRST login and allow the second login. So, the message would appear on the FIRST user's screen (if it still exists): you have logged in on another computer; if you log in again, you will be logged out at your other location.

This will have the added benefit of having your two users who are cheating by sharing the same ID knocking each other off. But if the first user simply walked away from his work computer and is attempting to log in at home, everything will be fine. He will be logged off work and allowed to continue at home without any messages appearing on his home computer.
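The following Application.cfc is an added example, not code posted in this thread, that puts the two answers above together: a per-login value is written into the users table on login (as gdemaria suggests), the timestamp and IP from the earlier answer are recorded alongside it, and every request checks the stored value against the session so the older login is ended. One assumption differs from the answer: instead of storing the raw ColdFusion session ID, the example generates a random login token and stores that in both the session and the row, so the database never holds the actual session identifier. The datasource name `appDSN`, the application name, the `users` columns (`userId`, `loginSessionID`, `lastLoginAt`, `lastLoginIP`) and the `login.cfm` page are all assumed names constructed for the example.

```cfml
<!--- Application.cfc: constructed example, not code from the thread. --->
component {
    this.name = "LoginDemo";                            // constructed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);  // 30-minute idle timeout
    this.datasource = "appDSN";                         // assumed datasource name

    /*
     * Assumed users table (constructed for this example):
     *   userId INT PRIMARY KEY, loginSessionID VARCHAR(64) NULL,
     *   lastLoginAt DATETIME NULL, lastLoginIP VARCHAR(45) NULL
     */

    // Call this after the password check succeeds. A fresh random token is
    // issued for this login and written to the user's row, which silently
    // invalidates whatever token an earlier login at another location held.
    public void function recordLogin(required numeric userId) {
        var token = hash(createUUID() & getTickCount(), "SHA-256");
        sessionRotate();              // new CF session id on privilege change
        session.userId     = arguments.userId;
        session.loginToken = token;
        // Parameterised query: the values never become part of the SQL text.
        queryExecute(
            "UPDATE users
                SET loginSessionID = :token, lastLoginAt = :now, lastLoginIP = :ip
              WHERE userId = :id",
            {
                token = { value = token,            cfsqltype = "cf_sql_varchar" },
                now   = { value = now(),            cfsqltype = "cf_sql_timestamp" },
                ip    = { value = cgi.remote_addr,  cfsqltype = "cf_sql_varchar" },
                id    = { value = arguments.userId, cfsqltype = "cf_sql_integer" }
            }
        );
    }

    // Runs before every page. If this session's token no longer matches the
    // row (another login replaced it), end the session and send the user back
    // to the login page with the "logged in elsewhere" reason.
    public boolean function onRequestStart(required string targetPage) {
        var pageName = listLast(arguments.targetPage, "/");
        if (pageName == "login.cfm" || !structKeyExists(session, "loginToken")) {
            return true;   // anonymous request, or the login page itself
        }
        var q = queryExecute(
            "SELECT loginSessionID FROM users WHERE userId = :id",
            { id = { value = session.userId, cfsqltype = "cf_sql_integer" } }
        );
        // A missing row or a different token means this login is no longer
        // the newest one for the account; the session is dropped entirely.
        if (q.recordCount == 0 || q.loginSessionID != session.loginToken) {
            sessionInvalidate();
            location("login.cfm?reason=bumped", false);
        }
        return true;
    }
}
```

`login.cfm` would call `application.recordLogin(userId)` (or the same function placed in a CFC of your own) once the password check passes, and can show the "you have logged in on another computer" text when `url.reason` is `bumped`. Because the token is replaced on every successful login, a user who closed the browser and logs in again ten minutes later simply gets a new token and continues, while a second person sharing the same account knocks the first one off on their next page view, which is the behaviour described above.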

hefterr (Author) commented:
Thanks to both for your help.

hefterr (Author) commented:
My comments got lost and I hope the points were split. What I lost in my post was:

I understand your technique. Yours is basically my proposal but using session ID instead of IP address, as it is a better indicator of "location". Although short lived, I too am requiring the user to log in again after a session ends.

Your answer was very similar to gdemaria's, but you add IP address and timestamp, and I don't see how that is used or adds benefit.

Thanks again,
I think session ID is a better choice because IP address will not guarantee only one login. Behind a company firewall, you can have hundreds of computers appearing to the internet from the same IP address. Session ID will be unique between different computers, but will allow a user at the same computer to have multiple logins if he wishes to be working on different pages. This ensures it is the same user.

Timestamp could be interesting information to have, just so you know when they last logged in.

Thanks hefterr,

I simply collect IP address for security reasons, but it's not something you have to include. Basically we have different functions available in the application depending on location, i.e. a secure network (intranet or VPN) allows super user functions to be made available, while remote only allows essential functionality.
