Allow one session only at a time

Question

I would like to make my website to allow only one session at a time. For example, let say user has login to my website on firefox, if the user login again to another browser

Answer 1

Keep a central database table or text file of who is logged in at the moment. If a user is already logged in in another session, invalidate that session by setting the "logged in" flag to false.

Answer 2

Store session id in the database. retrieve last login session id from db, set session id using session_id(oldid) and change session variables related to authentication like $_SESSION['LOGIN'] and destroy the session and create new session with new session id. follow example for logic https://www.php.net/manual/en/function.session-create-id.php. this will make the last login allowed. validate on each page session variables related authentication. this makes it session invalid because of this session_id reset by a new login.

Answer 3

I'll suggest you to do something like this:

Suppose when user "A" loges in to the "Com_1", for the first time. Save a unique code in the database against that session, and same with the user session.

At the mean time if he (user "A") loges in again on "com_2", then check his status in the database and update the unique code in the database.

again back if same user (user "A") refreshes the page on "com_1", we all you need to do is check the unique code from the session and match it to the database, It is for sure it will not match, then log it out and destroy the session.

For keeping the user loggedin, even if browser is closed, you can store the cookie on the browser, and re-generate the session accoordingly.

Hope this helps. Thank you.

Answer 4

You can use the following algorithm

1. create an integer field in the databse userLoggedInCount
2. On each login increment that flag and store the result in the session.
3. On each request check the value in the database and the one in the session, and if the one in the session is less than the one in the DB, invalidate() the session and decrement the value in the database
4. whenever a session is destroyed decrement the value as well

Credits to Bozho because he posted this, answering to a question here

Answer 5

Save users' IP=>SESSION_ID pairs in a database. When user try to load your page you must compare the actual IP=>SESSION_ID pair then allow/deny if the pair is ok/different.

Answer 6

I think you'd have to do something like that :

• add a "last_session_id" column to your user table
• when a user logs in, update its last_session_id field with its current session id
• on each page, if the user has an authenticated session, check if the session id is equal to the one recorded in your database. If not, destroy this session.