2

How can I prevent a logged-in member from logging into their account (in a new tab or on a different device) without logging out of their existing session?

I am working on a client job-board website where logged-in employers can submit a single Job Vacancy via the post_job.php page. The problem is they can log in again from a new tab or device without logging out and post more than their permitted single job posting. What would be the easiest way of preventing employers from doing this?

I am a comparative newbie and everything I have read so far assumes I am not. So any answers in simple jargon-free terms will be greatly appreciated.

inkey69
  • It sounds like you want to prevent multiple job posts, not multiple logins. Before writing a new post to the database, check to see if that user already has one present, and abort if so. – Alex Howansky Apr 04 '17 at 19:14
  • You generally don't want to do that because you can easily lock someone out. Maybe it's better to prompt them, "Are you sure you want to login? This will destroy your previous session." – Matt Apr 04 '17 at 19:16
  • Yes it would make far more sense to prevent multiple job posts but I thought that would be too difficult for me to accomplish. – inkey69 Apr 04 '17 at 19:38
  • Any help with preventing a user from creating more job posts than they have paid for would be awesome! – inkey69 Apr 04 '17 at 19:39
  • When a user opens and submits the "new post" page: check if the user has an active post; if yes, then ask if they want to deactivate their old listing and create a new one. – JimL Apr 04 '17 at 22:03
  • I assume you mean I could configure my PHP to check if the user already has a job listed, but what if the user needs to purchase multiple listings because they wish to post, say, 5 jobs? Is this possible somehow? – inkey69 Apr 04 '17 at 22:17
  • For your specific issue you just need to make the record in the job table 1-1 with the user record. This way a user can only have one record in the job table, and you can even check to ensure there is no record for them in the job table before posting a new record, which doesn't require preventing the user from logging in from two devices. – AaA Dec 14 '22 at 07:12
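A server-side way to do what Alex Howansky, JimL and AaA describe in the comments, as an added example that is not code from the question or any answer: it generalises the 1-1 rule to a paid-listing count per employer and checks it inside a transaction, so two tabs or devices submitting at the same moment cannot both get through. It assumes PDO in exception mode, a row-locking database engine (InnoDB or similar), and assumed columns users.paid_listings and jobs.user_id.

```php
<?php
// Added example, not code from the question or any answer.
// Assumed schema: users(id, paid_listings)  -- listings the employer paid for
//                 jobs(id, user_id, title, body)  -- one row per posted vacancy
// $pdo is a PDO connection with PDO::ATTR_ERRMODE = PDO::ERRMODE_EXCEPTION.

function postJob(PDO $pdo, int $userId, string $title, string $body): bool
{
    $pdo->beginTransaction();
    try {
        // Row lock on the employer: a second tab or device submitting at the
        // same moment waits here until this transaction commits or rolls back,
        // so the count below always sees the other submission's insert.
        $q = $pdo->prepare('SELECT paid_listings FROM users WHERE id = ? FOR UPDATE');
        $q->execute([$userId]);
        $allowed = $q->fetchColumn();
        if ($allowed === false) {
            $pdo->rollBack();
            return false; // no such employer
        }

        $c = $pdo->prepare('SELECT COUNT(*) FROM jobs WHERE user_id = ?');
        $c->execute([$userId]);
        if ((int) $c->fetchColumn() >= (int) $allowed) {
            $pdo->rollBack();
            return false; // all paid listings already used; nothing inserted
        }

        $ins = $pdo->prepare('INSERT INTO jobs (user_id, title, body) VALUES (?, ?, ?)');
        $ins->execute([$userId, $title, $body]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    }
}

// In post_job.php, after the session check (assuming login.php stored the
// employer's id in $_SESSION['user_id']) and after validating the form fields:
// if (!postJob($pdo, (int) $_SESSION['user_id'], $_POST['title'], $_POST['body'])) {
//     echo 'You have used all the job postings you paid for.';
// }
```

Because the limit is enforced where the row is written, it holds no matter how many tabs, devices or sessions the employer has open.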

5 Answers

1

Take a look at this; it protects you from Cross-Site Request Forgery and you can check if the user has logged in. Try: save the CSRF token to the DB, then check if the user's token is the same as the one in the DB. If not: unset the cookie and session for this user and return them to the Sign In page; if yes: do your stuff.

Community
  • Thanks, I will take a look and try implementing it. I basically just need to prevent users from posting jobs they haven't paid for onto the site job board, because right now they can log in and access the job posting page from a new tab whilst logged in at the first tab, if this makes sense. Maybe there is a better way to prevent each user posting unauthorised jobs, but I don't know of one :-) – inkey69 Apr 04 '17 at 21:50
  • This still will not prevent login from different browsers/devices. The question you have linked is explaining a means of creating a CSRF token, which by itself doesn't make anything secure, even for that question. However, using it correctly might help, and in that case even a simple SHA2 hash will do the same. – AaA Dec 14 '22 at 05:50
-1

You could save the name of the user in his session on his first login. Then, in your login routine, you could check if you have a session with that username. If yes, you know that the user is trying to log in twice.

fredlahde
  • He is saying even in other devices. You cannot access session in other devices. – Zenel Rrushi Apr 04 '17 at 19:17
  • No, but if I am logged into my account on my own pc and then login to the same account from another device, without first logging out from my first login, there is no problem and a second login is allowed and I can login to the same account from two different devices at the same time, which I am hoping to prevent from happening... – inkey69 Apr 04 '17 at 19:47
  • I think you're meaning cookies, instead of sessions. Cookies are saved client-side, thus you're right that you can't access them across multiple devices. Sessions, on the other hand, are saved server-side, so you can access all sessions from all devices. – fredlahde Apr 04 '17 at 19:51
  • Thanks for clarifying. Essentially I really need a way to prevent employers from logging in and then posting jobs they haven't paid for. Any help you can give me to prevent this will be awesome! Thank you so much! – inkey69 Apr 04 '17 at 20:59
  • This is completely wrong: a session is for every single connected client and isn't shared per browser/device. I can open two instances of a browser and they will not share a session on the server side; I can have two users on two devices log in to the same account and still have different sessions! Also, the session is handled by cookies. – AaA Dec 14 '22 at 05:38
-1

To do this you need a field in the users table, for example is_login as a tiny int (1 or 0). When the user logs in the first time you set is_login to 1. On every attempt to log in, when you check the username (email) you also check is_login. If it is 1 you don't log the user in but output an error message. When the user logs out you set is_login to 0.

Zenel Rrushi
  • Sounds ideal. Can you give me an example of the table row with correct syntax I will need to insert? eg `is_login` TINYINT (1,0), and an example of how I query this from my login.php (and other files) please? Your kind help with this will be truly awesome and invaluable to me, thank you! – inkey69 Apr 04 '17 at 21:04
  • To do that I would need to write all the code for login and logout, and this is not how Stack works. Try adding some of your code and I can help. – Zenel Rrushi Apr 04 '17 at 21:06
  • I will copy and paste some relevant code for you in a few moments, thanks. But doesn't your idea prevent the user from ever being able to log in again in future if they forget to log out and then log in again on a new device? Say they lose or break that device... – inkey69 Apr 04 '17 at 21:18
  • For that you can use something like password reset. – Zenel Rrushi Apr 04 '17 at 21:19
  • I may even be going at this from the wrong angle entirely. Essentially I need a way to prevent employers from logging in and then posting jobs they haven't paid for by logging into their account again in a new tab without logging out from the first session. I cannot think of any other way to stop employers posting jobs they haven't paid for. So how might I implement password reset to work with this in my PHP? Thanks! – inkey69 Apr 04 '17 at 21:33
  • Here is my login.php script... – inkey69 Apr 04 '17 at 21:38
  • This has a possibility of locking the user out forever. How? The user logs in to the website and does not log out, then closes the browser, deletes cookies, or loses or corrupts the device: your user is locked out forever and needs support to unlock it. – AaA Dec 14 '22 at 05:42
-1

Depending on your Cookie and Session variables, you can compare the two to keep multiple open logins.

if($_SESSION['<username>']==$_COOKIE['<username>'] && $_COOKIE['<id>']!= $_SESSION['<id>']) {
   //deny access or log out prior session and delete prior requests
}
SergGr
Jim Garbe
  • Multiple open logins is what I am trying to prevent, so that any single user can only log into their account once and have that single session open only, without being able to log into their account simultaneously from another tab or device, just like when you are logged into your online personal banking account: if you then try logging into your account again from another tab or device you will be prohibited from doing so. – inkey69 Apr 04 '17 at 19:43
  • Whoops! I meant to end that sentence with ".. to keep multiple logins from happening." – Jim Garbe Apr 07 '17 at 03:31
  • Session and cookies are both client dependent. If you log in from different devices, cookie and session are both different! A session is handled by a cookie in the browser, that is the PHPSESSID cookie, if not touched! [Session ID](https://www.php.net/manual/en/function.session-id.php) – AaA Dec 14 '22 at 05:45
-1

Why would you need this?

It is a security requirement to make sure actions made by an employee on a web application originate only from a single device/system at any time. This is to make the forensic job in case of an incident easier.

How it should work

Not allowing a user to log in from a second device is a serious problem, as it is possible that a hacker logged in to the user's account and then the user will not be able to log in anymore. It is also possible that the user lost the session (cleared cookies) and the evidence of login on the server is orphaned, meaning the client does not have a way of reaching their account without the help of someone on the server side (support, server admin...).

The better solution is to invalidate previous sessions when a new login happens. This will allow recovering from an expired session, a change of device, or lost cookies. With this solution, if a hacker logs in using the same username, the currently logged-in user will know as soon as they try to complete any action, which will fail due to the invalidated session.

How to implement it

You will need to create a unique login ID (ULID) during user login. A copy of the ULID is stored with the user session ($_SESSION) and another copy needs to be stored permanently, linked to the username, but it cannot be stored in the session or a cookie since those are per device/browser (sessions are handled by a cookie).

You can store the permanent copy of the ULID with the user record in the database, or store it in a file together with the username. PHP doesn't have application-level variables, but it is possible to use Linux shmop too; however, it requires a Linux system, and if the server restarts, all sessions will be invalidated (not desired).

For high-traffic systems, a file or directory is a better choice. In the case of a file, use something like the ini file format username=ULID, and in the case of a directory, use the username as the filename and store the hash inside the file.

Every time the user sends a request to the server, check the hash stored in their session and compare it with the permanent version. If they are the same, continue; if they are not, inform the user that their account has just been logged in from a different device and this session is invalidated, and then redirect them to the login screen.

Now there are two scenarios, that is:

  • It is user who logged in to new device and their old session is invalid, which is fine
  • A hacker just logged in using different device, since user is notified they can login and change their password or seek assistance from application support.

Note

  • The ULID can even be an MD5 or SHA1 of a random number + time + username; that is enough since it is only handled on the server side and the client doesn't have access to it, or you can use a CSRF token if you wish.
  • A ULID stored permanently serves no purpose when there is no session, since there is nothing to compare it to.
  • To avoid hash collisions on high-traffic websites, use newer hashes such as SHA256.
AaA
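The unique-login-ID scheme this answer describes, as an added example that is not the answer's own code: the permanent copy lives in an assumed users.login_token column, the per-device copy in PHP's native $_SESSION, and every protected page compares the two. It assumes session_start() has already run, $pdo is a PDO connection in exception mode, and login.php is the page to send invalidated users back to.

```php
<?php
// Added example, not the answer's own code: the unique-login-ID scheme above,
// keeping the permanent copy in an assumed users.login_token column and the
// per-device copy in PHP's native $_SESSION. Requires session_start() to have
// run and $pdo to be a PDO connection in exception mode.

function startLoginSession(PDO $pdo, int $userId): void
{
    // 32 bytes from the CSPRNG, hex-encoded (64 chars); no hashing needed,
    // the value never leaves the server.
    $ulid = bin2hex(random_bytes(32));

    // Overwriting the permanent copy is what invalidates every older session.
    $upd = $pdo->prepare('UPDATE users SET login_token = ? WHERE id = ?');
    $upd->execute([$ulid, $userId]);

    // New session id on login (blocks session fixation), then the per-device
    // copy; the browser only ever holds PHPSESSID, never the token.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_token'] = $ulid;
}

// Call at the top of every page that needs a logged-in employer; returns the
// user id or redirects away.
function requireCurrentSession(PDO $pdo): int
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['login_token'])) {
        redirectToLogin('Please log in.');
    }
    $q = $pdo->prepare('SELECT login_token FROM users WHERE id = ?');
    $q->execute([$_SESSION['user_id']]);
    $stored = $q->fetchColumn();

    // hash_equals() is a constant-time compare; a mismatch means a newer login
    // (the same user on another device, or someone else) replaced this one.
    if (!is_string($stored) || !hash_equals($stored, $_SESSION['login_token'])) {
        $_SESSION = [];
        session_destroy();
        redirectToLogin('This account was signed in from another device, so this session was closed.');
    }
    return (int) $_SESSION['user_id'];
}

function redirectToLogin(string $message): void
{
    header('Location: /login.php?msg=' . rawurlencode($message));
    exit;
}
```

Call startLoginSession() from login.php right after the password check succeeds, and requireCurrentSession() at the top of post_job.php and every other employer-only page.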