A
A
Alex Goncharov2018-09-16 17:59:03
PHP
Alex Goncharov, 2018-09-16 17:59:03

How to prohibit parallel (simultaneous) use of one account by different users?

Use case: there is a paid platform in which you need to prohibit the use of one account by a large (> 1) number of users at the same time. If there is activity of one user, then prohibit other users from entering this account.
How is this functionality implemented? How to prohibit parallel (simultaneous) use of one account by different users? How to understand that the user is not active and give the opportunity to log in from another device? Can be to restrict an input on IP?
Share your practice, colleagues.

Answer the question

In order to leave comments, you need to log in

6 answer(s)
D
Dmitry Alekseev, 2018-09-16
@calirails

How it is implemented in one of my services. During authorization, a token is created, which is then sent with all requests from the user. As soon as another authorization is made from this account, a new token is created, and all previous ones are reset to zero, and requests with this token begin to return a 403 error.

H
hckn, 2018-09-16
@hckn

Just logout if a login from another device is fixed.

S
Sergey Sokolov, 2018-09-17
@sergiks

The logged in user must “lock” the account for himself, not allowing additional logins under the same account.
How to distinguish "this" visit from "others". Definitely not by IP, because the user may be mobile. By "browser fingerprint" or by a set of cookies.
At the next request, mutate the cookie so that copying cookies to another device does not help. Something like CSRF tokens to use with every request.
In the event of a user leaving, provide a timeout, after which any login to this account is allowed.

S
sim3x, 2018-09-16
@sim3x

You need forevercookies and / or identification by additional parameters, for example https://github.com/Valve/fingerprintjs2
But it's better to solve such things in an administrative way - so you don't need to use one account for several people

W
WTERH, 2018-09-16
@Expany

by IP, by cookie creation status, by session, by an additional identifier that you can track, within the current user session. Mass options.
I would use an additional field in the database where I would write 1 after authorization.
And at the authorization stage, I would check this field, if there is 1, a bummer, otherwise we authorize.
But this is just an example.

S
Sergey Sulakov, 2018-09-17
@web-verzus-team

When logging in, store the session_id() in the database. Then you compare the current one with what is written in the database, and if it doesn't match, logout.

$db_session_hash= $db_session_hash ?: get_session_hash($__id);//Хеш "текущей" активной сессии в базе если не получен ранее
      if($db_session_hash!=$_SESSION['auth']['session_hash']){
        unset($_SESSION['auth']);
        add_notification('danger', 'В ваш аккаунт выполнен вход на другом устройстве или браузере.');
      }

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question