From: Karl DeSaulniers on
On May 22, 2010, at 3:37 PM, Robert Cummings wrote:

> This was beaten to death last week. The solution is not possible
> because it's not about restricting a single user from logging over
> multiple machines, it's about restricting a single computer to only
> one session (so running IE, Firefox, Opera, Safari on same computer
> with different users would not be allowed).
>
> Cheers,
> Rob.
>
>
> Karl DeSaulniers wrote:
>> Yeah. Don't be concerned about which browser. Just set up an
>> active users table in your database that gets checked at login.
>> Then it doesn't matter which machine or browser. Unless you know
>> that the computers are giving the true ip, there is no way to
>> keep a user from logging in with two accounts on the same
>> computer. Otherwise add the active users ip to the active users
>> table and check it as well on login.
>> Easy peasey
>> Karl
>> Sent from losPhone
>> On May 22, 2010, at 12:34 AM, Gautam Bhatia
>> <mail2gautambhatia(a)gmail.com> wrote:
>>> On Friday 14 May 2010 12:48 PM, Jagdeep Singh wrote:
>>>> Hi All!
>>>>
>>>> I am looking for a solution. I want a user to do a single login
>>>> only on a PC.
>>>>
>>>> E.g. if a user has logged in on my website website.com in Internet
>>>> Explorer, then he can't log in on the same website in another browser
>>>> like Firefox etc. with the same login ID or another.
>>>>
>>>> Can I trace the MAC address of a single machine to solve this issue?
>>>>
>>>> Or is there a concept of a GLOBAL COOKIE / Cross Browser Cookie which
>>>> will work for all browsers on a single machine?
>>>>
>>>> I hope You will help me out
>>>>
>>>>
>>>> Regards
>>>>
>>>> Jagdeep Singh
>>>> +91 9988009272
>>>>
>>>>
>>> Hi Jagdeep,
>>> I am not really sure I got your question right, but
>>> there is something you can try if this helps: in the MySQL database add a
>>> field like "loggedIn", which can be true/false; when a person logs in,
>>> change it to true, so even if the person is using another browser, you
>>> can check the value from the database, whether the user is already
>>> logged in or not. If that makes sense to you, good luck.
>>>
>>> regards,
>>> Gautam Bhatia
>>>
>>>
>
> --
> E-Mail Disclaimer: Information contained in this message and any
> attached documents is considered confidential and legally protected.
> This message is intended solely for the addressee(s). Disclosure,
> copying, and distribution are prohibited unless authorized.


Sorry for the top posting.

Ah, I see. Don't mean to beat a dead horse.
I still stand by my suggestion though.
If you record the username and ip in an active user table,
then set a cookie on the computer that is cross referenced with the
ip and username,
you will have a little better check system.

Also, if you set a fallback that, say, checks to see if the cookie is
being reset or set for the first time or if the cookie has been
deleted, you can kick them.
Set the cookie to expire and be reset while in session to check to
see if it changes while the user is logged in.

Basically, if you check for log-in status from the active user table
and cross reference the ip,
it will probably cover, say, 75% of the cases. Using the cookie and
putting strict requirements
for the cookie to have been pre-existing with the right ip or if it
is being set for the first time,
you will have a little more control. Plus you could create a blob of
ips that is referenced with
each username that can be cross referenced to see if a user has
multiple ip sets or if two users have a similar ip.
Thus a little more granular control on the computers accessing your
site.

But like having an expensive painting in your house,
if the thief is going to put that much work in to get it, chances are
they will.
Just make sure it's insured. :)


Karl DeSaulniers
Design Drumm
http://designdrumm.com

From: Karl DeSaulniers on

On May 22, 2010, at 7:43 PM, Brandon Rampersad wrote:

> These third world internet providers are screwing up the IP address
> system with their shared IPs which defeats the entire purpose of an
> IP address.
>
> On Sat, May 22, 2010 at 6:19 PM, Karl DeSaulniers
> <karl(a)designdrumm.com> wrote:
>
> --
> A Brandon_R Production


Duly noted, but the combo of tracking ips and cookies on computers
should still work.
If you are checking the ip against ALL users, if two users in the
active database have the same ip,
then whichever has the older timestamp stays and the new one gets
booted.
And if you're periodically checking and reassigning cookies with the ip
stored, it should work.

Maybe if you have a situation with multiple computers having the same
ip, store the ips in a blob and then check their system info against
each other.
If it's the same system info, boot them. Something like using the
browser's user agent identifier $_SERVER['HTTP_USER_AGENT'] with the
aforementioned checks and balances.
I could stand corrected, and have not had to implement such
parameters, but for what they are doing, it should work.

Now if you created the interface in Flash, you could control this
very easily. But that is another discussion for another forum.


Karl


Karl DeSaulniers
Design Drumm
http://designdrumm.com

From: Robert Cummings on
Karl DeSaulniers wrote:
> On May 22, 2010, at 3:37 PM, Robert Cummings wrote:
>
>> This was beaten to death last week. The solution is not possible
>> because it's not about restricting a single user from logging over
>> multiple machines, it's about restricting a single computer to only
>> one session (so running IE, Firefox, Opera, Safari on same computer
>> with different users would not be allowed).
>
> Sorry for the top posting.
>
> Ah, I see. Don't mean to beat a dead horse.
> I still stand by my suggestion though.
> If you record the username and ip in an active user table,
> then set a cookie on the computer that is cross referenced with the
> ip and username,
> you will have a little better check system.
>
> Also, if you set a fallback that, say, checks to see if the cookie is
> being reset or set for the first time or if the cookie has been
> deleted, you can kick them.
> Set the cookie to expire and be reset while in session to check to
> see if it changes while the user is logged in.
>
> Basically, if you check for log-in status from the active user table
> and cross reference the ip,
> it will probably cover, say, 75% of the cases. Using the cookie and
> putting strict requirements
> for the cookie to have been pre-existing with the right ip or if it
> is being set for the first time,
> you will have a little more control. Plus you could create a blob of
> ips that is referenced with
> each username that can be cross referenced to see if a user has
> multiple ip sets or if two users have a similar ip.
> Thus a little more granular control on the computers accessing your
> site.
>
> But like having an expensive painting in your house,
> if the thief is going to put that much work in to get it, chances are
> they will.
> Just make sure it's insured. :)

It doesn't work that way though because the session cookie is only valid
for the browser to which it is issued. A cookie issued to a Firefox
connection is completely disjoint from a cookie issued to a Chrome
session or an Opera session or (eeek) an IE session. Additionally, you
can't record the IP address since many universities and other more
populated points of connection use IP sharing. The problem goes further,
imagine you could get a hold of the MAC Address... there's nothing
stopping someone from spoofing it or running a virtual machine within
the same machine to open another connection. I hope this helps
crystalize the issue :)

Cheers,
Rob.
From: Robert Cummings on
Karl DeSaulniers wrote:
>
> Duly noted, but the combo of tracking ips and cookies on computers
> should still work.
> If you are checking the ip against ALL users, if two users in the
> active database have the same ip,
> then whichever has the older timestamp stays and the new one gets
> booted.
> And if you're periodically checking and reassigning cookies with the ip
> stored, it should work.

You cannot use the IP, it is not unique to a single computer. Many
companies, universities, and government departments have a small pool of
public gateway IPs through which all users travel.

> Maybe if you have a situation with multiple computers having the same
> ip, store the ips in a blob and then check their system info against
> each other.

And the same computer using multiple browsers? Also, in government
there's usually a standard configuration shared by thousands of users.

> If it's the same system info, boot them. Something like using the
> browser's user agent identifier $_SERVER['HTTP_USER_AGENT'] with the
> aforementioned checks and balances.

Again not possible, see above.

> I could stand corrected, and have not had to implement such
> parameters, but for what they are doing, it should work.

They will not. Also, all of the above information is spoofable.

> Now if you created the interface in Flash, you could control this
> very easily. But that is another discussion for another forum.

Yeah, but flash is proprietary and I for one hate hitting flash
websites. I surf with flashblock and I'm amazed how many sites don't
have an alternative homepage for non flash users.

Cheers,
Rob.
From: Robert Cummings on
Karl DeSaulniers wrote:
> On May 22, 2010, at 7:43 PM, Brandon Rampersad wrote:
>
>> These third world internet providers are screwing up the IP address
>> system with their shared IPs which defeats the entire purpose of an
>> IP address.

I missed this bit... actually, this is less a third world issue than
it is an organizational issue. NAT for large networks is meant to be
driven through a small number of points. This is how it's supposed to
work. Why should a company with 50000 users need to purchase 50,000
public IP addresses when they can have 1 and use 50000 internal private
network addresses? We'd have run out of IPv4 address space years ago if
this were not possible.

Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any
attached documents is considered confidential and legally protected.
This message is intended solely for the addressee(s). Disclosure,
copying, and distribution are prohibited unless authorized.
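
Added example, not code from any poster in this thread: a PHP model of the IP-plus-user-agent check proposed above, run over constructed logins, next to the per-account session rule that a server can actually enforce. The function names, usernames, gateway address and user-agent strings are assumptions made for illustration, and arrays stand in for the active users table.

```php
<?php
// Added example. All usernames, IPs and user-agent strings are constructed.

/** Proposed rule: one active login per (IP, user agent); the older entry stays. */
function loginByFingerprint(array &$active, string $user, string $ip, string $ua): bool
{
    $key = $ip . '|' . $ua;
    if (isset($active[$key]) && $active[$key] !== $user) {
        return false;                    // the newer login is booted
    }
    $active[$key] = $user;
    return true;
}

/** Enforceable rule: one active session per account, newest login wins. */
function loginByAccount(array &$sessions, string $user): string
{
    $token = bin2hex(random_bytes(16));  // server-issued, kept server-side
    $sessions[$user] = $token;           // replaces any older session token
    return $token;
}

function isCurrentSession(array $sessions, string $user, string $token): bool
{
    return isset($sessions[$user]) && hash_equals($sessions[$user], $token);
}

$gatewayIp = '203.0.113.10';                        // one NAT address, many desks
$stdUa     = 'Mozilla/5.0 (corp standard build)';   // same browser build everywhere
$otherUa   = 'Opera/9.80 (second browser, same PC)';

$active = [];
// Two different people on two different PCs behind the same gateway:
// the second one is rejected although no machine is shared.
var_dump(loginByFingerprint($active, 'alice', $gatewayIp, $stdUa));
var_dump(loginByFingerprint($active, 'bob', $gatewayIp, $stdUa));
// Second browser and second account on alice's own PC: the case the rule
// was meant to stop produces a new key and is accepted.
var_dump(loginByFingerprint($active, 'carol', $gatewayIp, $otherUa));

$sessions = [];
$first  = loginByAccount($sessions, 'alice');   // e.g. login from IE
$second = loginByAccount($sessions, 'alice');   // e.g. login from Firefox
// Only the newest token for the account remains valid, whatever the browser.
var_dump(isCurrentSession($sessions, 'alice', $first));
var_dump(isCurrentSession($sessions, 'alice', $second));
```

The per-account rule depends only on state the server issues and stores, which is why it holds across browsers and shared gateways while the fingerprint rule does not.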