#1
Preventing multiple logins
I hope you can help me solve a tricky problem. I have a basic login script that I use to secure a website for members only. To solve the problem of individuals sharing passwords to access the service, I am trying to come up with a PHP (perhaps using MySQL too) script to prevent other individuals accessing the service from another computer if the account is already being used by another user, i.e. one user logged in at a time with an individual username and password.

I hope you can all help, as I am now tearing my hair out.

Regards, Bob
#2
Although I've never tried anything like this yet, I'd suggest assigning and storing a few variables in the database:
1. Session or Cookie variable.
2. The user's IP address.
3. Date/Time of last activity.

When the user logs in, store his IP address along with the corresponding session/cookie variable in the database in the same row as his unique identifier (e.g. his user name or a unique user id number). Every time a user logs in, check the session/cookie variable. If it is still valid (i.e. hasn't timed out) and if his IP address corresponds with the one in the database, he's logging on from the same terminal, so allow him access.

What happens when another user tries to log in using the same username & password before the first user has logged off? Since the session/cookie variables have already been set by the first user and stored in the database, check the IP address of this new user. Since it will be different from the IP address in the database, deny him access.

To ensure that this code works properly, you'll need proper functions to nullify the session/cookie variables as well as the IP addresses at proper times. One time is when the user logs out. Another instance is through a timeout function based on when the user was last active (e.g. 1 hour of inactivity and the system logs you out).

Like I said at the beginning, I've never actually tried this before, but this is how I'd do it. Still, I'd wait and see what others have to say.
#3
Yeah, something along those lines should suffice, pocketsized. I've got something similar in production, though I just log out the earlier session if a new session is opened (say I was logged in here at work and then drove home and tried to login before my original session expired -- wouldn't want to lock myself out). Rather than storing IP addresses, I also just store the session id in the database and compare it against the cookie on the client machine. If my IP changes mid-session for whatever reason, I can still continue my session without interruption.
__________________
Please don't PM me asking for solutions outside the scope of a thread. Keeping all responses in a thread stands to help others who come along later, which is after all what this forum's all about.
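The approach from post #3 (the newest login replaces the earlier one, matched on a session value instead of an IP address) combined with the inactivity timeout from post #2, as an added example that is not code from any poster in this thread. The table and column names, the in-memory SQLite database, the one-hour timeout and the choice to store only a SHA-256 hash of the session value are all assumptions.

```php
<?php
// Added example, not code from the thread. Table/column names, the timeout
// and the in-memory SQLite database (needs pdo_sqlite) are assumptions.
const IDLE_TIMEOUT = 3600; // seconds of inactivity before a session expires

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
                session_hash TEXT, last_activity INTEGER)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'bob')");
    return $pdo;
}

// Call after the password check succeeds. Overwriting the stored value is
// what logs out any earlier session for the same account.
function startSession(PDO $pdo, int $userId, int $now): string {
    // In a web request: session_regenerate_id(true); $token = session_id();
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('UPDATE users SET session_hash = ?, last_activity = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $now, $userId]);
    return $token; // travels to the client in the session cookie
}

// Call on every request with the value read from the client's cookie.
function sessionIsCurrent(PDO $pdo, int $userId, string $token, int $now): bool {
    $stmt = $pdo->prepare('SELECT session_hash, last_activity FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['session_hash'] === null) return false;           // logged out
    if ($now - (int)$row['last_activity'] > IDLE_TIMEOUT) return false; // timed out
    if (!hash_equals($row['session_hash'], hash('sha256', $token))) return false; // superseded
    $pdo->prepare('UPDATE users SET last_activity = ? WHERE id = ?')->execute([$now, $userId]);
    return true;
}

function endSession(PDO $pdo, int $userId): void { // explicit logout
    $pdo->prepare('UPDATE users SET session_hash = NULL, last_activity = NULL WHERE id = ?')
        ->execute([$userId]);
}

// Constructed scenario: the same account logs in at work, then at home.
$pdo  = openDb();
$t0   = 1700000000;                          // constructed timestamp
$work = startSession($pdo, 1, $t0);
$home = startSession($pdo, 1, $t0 + 600);
var_dump(sessionIsCurrent($pdo, 1, $work, $t0 + 700)); // earlier (work) session
var_dump(sessionIsCurrent($pdo, 1, $home, $t0 + 700)); // newest (home) session
var_dump(sessionIsCurrent($pdo, 1, $home, $t0 + 700 + IDLE_TIMEOUT + 1)); // after idling
```

Because only the newest value is stored, a shared password still works for whoever logged in last, but every other holder of the account is dropped on their next request.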
#4
The problem with that idea is that if the user is behind a proxy, i.e. a school, only one user from the whole school can be logged on.
#5
Right, that's why you use session_id and a cookie instead of IP address. We're behind a proxy at my work and this system works like a charm.
#6
my point