From: Robert Cummings on 14 May 2010 09:26

Bob McConnell wrote:
> Web servers can only identify computers, not users. You will need
> something else to track which user started a specific application on a
> particular computer, probably a fingerprint scanner next to the
> keyboard. But that won't prevent someone else from replacing the entity
> between the keyboard and the chair after they log in. Plus, it is
> unlikely that will be useful in a true multi-user environment. There are
> simply too many possible ways to get around your restrictions.

Isn't it simple to associate a single session ID with a username? The user logs in; place the username and session ID in an active users table and invalidate any others for the same user. When the user accesses a page, check the session ID against the entry in the active users table. Richard Quadling has it right. This is not complicated, but it sounds like people are making it so. The user identified themselves via login.

Cheers,
Rob.

-- 
http://www.interjinn.com
Application and Templating Framework for PHP
From: Andrew Ballard on 14 May 2010 09:30

On Fri, May 14, 2010 at 3:18 AM, Jagdeep Singh <jagsaini1982(a)gmail.com> wrote:
> Hi All!
>
> I am looking for a solution. I want a user to do a single login only on a PC.
>
> E.g. if a user has logged on to my website website.com in Internet Explorer,
> then he can't log in to the same website in another browser like Firefox etc. with
> the same login ID or another.
>
> Can I trace the MAC address of a single machine to solve this issue?
>
> Or is there a concept of a GLOBAL COOKIE / cross-browser cookie which will
> work for all browsers on a single machine?
>
> I hope you will help me out.
>
> Regards
>
> Jagdeep Singh

I usually store the sessions in a database table that includes a column for the user identity (username, e-mail address, etc.) and then simply log out any previous "active" sessions any time a new session logs in by deleting (or marking inactive) any rows for the same identity whose session_id does not match the current session_id. That ensures that users can have no more than one active session at a time.

Andrew
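The active-sessions table that Robert Cummings and Andrew Ballard describe above, as an added example in PHP (not code from either poster or from the list): it uses PDO with an in-memory SQLite database, and the table name, column names, user and session ID values are all constructed for the demo.

```php
<?php
// Added example, not code from the thread. One active session per identity,
// kept in a database table as Robert and Andrew describe. Uses PDO with an
// in-memory SQLite database; table, column and user names are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions (
               username   TEXT NOT NULL,
               session_id TEXT NOT NULL,
               logged_in  INTEGER NOT NULL)');

// Call once the user's credentials have been verified. In a real application
// $sessionId would be session_id() taken after session_regenerate_id(true).
function registerLogin(PDO $db, string $username, string $sessionId): void
{
    $db->beginTransaction();
    // Remove every session recorded for this identity (the earlier browser's
    // included), then record the new one. The earlier browser is logged out
    // the next time it makes a request and fails sessionIsCurrent().
    $del = $db->prepare('DELETE FROM active_sessions WHERE username = :u');
    $del->execute([':u' => $username]);
    $ins = $db->prepare('INSERT INTO active_sessions (username, session_id, logged_in)
                         VALUES (:u, :s, :t)');
    $ins->execute([':u' => $username, ':s' => $sessionId, ':t' => time()]);
    $db->commit();
}

// Call on every request that presents a logged-in session. Returns true only
// when the presented session ID is the one recorded for that identity.
function sessionIsCurrent(PDO $db, string $username, string $sessionId): bool
{
    $sel = $db->prepare('SELECT session_id FROM active_sessions WHERE username = :u');
    $sel->execute([':u' => $username]);
    $stored = $sel->fetchColumn();
    // hash_equals compares in constant time so the stored ID is not leaked
    // through response timing. This binds the identity to its most recent
    // login only; it says nothing about who is holding that session ID.
    return $stored !== false && hash_equals($stored, $sessionId);
}

// Constructed walk-through: the same account logs in from two browsers.
registerLogin($db, 'jagdeep', 'sid-firefox-1111');   // first login
registerLogin($db, 'jagdeep', 'sid-ie-2222');        // second login replaces it
var_dump(sessionIsCurrent($db, 'jagdeep', 'sid-firefox-1111')); // older session rejected
var_dump(sessionIsCurrent($db, 'jagdeep', 'sid-ie-2222'));      // newest session accepted
```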
From: "Bob McConnell" on 14 May 2010 09:47

From: Robert Cummings
> Bob McConnell wrote:
>> Web servers can only identify computers, not users. You will need
>> something else to track which user started a specific application on a
>> particular computer, probably a fingerprint scanner next to the
>> keyboard. But that won't prevent someone else from replacing the entity
>> between the keyboard and the chair after they log in. Plus, it is
>> unlikely that will be useful in a true multi-user environment. There are
>> simply too many possible ways to get around your restrictions.
>
> Isn't it simple to associate a single session ID with a username? User
> logs in, place username and session ID in active users table and
> invalidate any others for same user. When user accesses page check
> session ID against entry in active users table. Richard Quadling has it
> right. This is not complicated, but it sounds like people are making it
> so. The user identified themselves via login.

From the series of questions he asked, it was not clear to me what he was trying to do. It sounded like he wanted to allow a user to access a single session simultaneously via multiple browsers, yet not allow another person to hijack that session even if both were using the same computer. Somehow I don't think all of that is a reasonable requirement.

Actually, I believe that linking a session to a specific individual without reading a biometric key with every HTTP request is an unacceptable risk. And no, I don't do any banking online.

Bob McConnell
From: Richard Quadling on 14 May 2010 10:07

On 14 May 2010 14:47, Bob McConnell <rvm(a)cbord.com> wrote:
> Actually, I believe that linking a session to a specific individual
> without reading a biometric key with every http request is an
> unacceptable risk. And no, I don't do any banking online.
>
> Bob McConnell

That's why my bank has supplied me with a little card reader for my bank card, into which I put my PIN.

So they know it is me because of something I have (my card and card reader) and something I know (my PIN).

This is pretty similar to the system we use for our online BACS transactions.

And yes, I do online banking.

-- 
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
From: "Bob McConnell" on 14 May 2010 10:26

From: Richard Quadling
> On 14 May 2010 14:47, Bob McConnell <rvm(a)cbord.com> wrote:
>> Actually, I believe that linking a session to a specific individual
>> without reading a biometric key with every http request is an
>> unacceptable risk. And no, I don't do any banking online.
>
> That's why my bank has supplied me with a little card reader for my
> bank card, into which I put my pin number.
>
> So they know it is me because of something I have (my card and card
> reader) and something I know (my pin number).
>
> This is pretty similar to the system we use for our online BACS transactions.
>
> And yes, I do online banking.

That only verifies that it was probably you that initially logged in. There is nothing to prevent someone else from knocking you out and using the session once you have completed that step, or hijacking it after you are done. There are any number of ways to intercept your traffic, such as a poisoned DNS server misdirecting your browser through a man-in-the-middle. Even without that, how long would it take someone else to 'discover' your four-digit PIN if they wanted to? Probably less than an hour with only 9999 possible variations. That's nowhere near safe enough for me.

Bob McConnell