nam797, June 19, 2012:
Hello, I am in the process of rewriting my SaaS application in Yii, and your tutorial on custom authentication using the Yii framework really helped me understand what had to be done for authentication. I do have a question on how to stop a user from logging in at the same time with 2 separate computers? I am also looking forward to your Yii book. Thanks for all the help, Nathan
Antonio Conte, June 20, 2012:
You could possibly save some unique information like the agent string, IP address etc. in a session. If those do not match, you unset all sessions for that computer. The more information, the better the protection. One question: how important is this? How secure is secure enough? That's pretty important to know to determine the approach.
nam797, June 20, 2012:
Thanks for your comments. It's important because I charge per user per month. If I don't have that in place, companies would purchase fewer users knowing that they can have multiple people log in under one account.
Antonio Conte, June 20, 2012:
I'm doing something like this myself, but it's more to guard against session hijacking. This is what I do:

1) Concatenate the user agent with their email address and md5 it. This is their secret key. Store as much unique info as possible. I save this to a key in the session.
2) I compare this key for each request. I also just check if a session key is true.

Here is the code I'm using. I haven't checked if it actually works as it is a work in progress, but it'll give you something to build on. The code used is pretty much based on a tutorial to guard against session hijacking, but is baked into a class.

class User {
    // Set once the user is logged in; used as the unique part of the session secret
    public $user_email;

    /**
     * session_validate()
     * Will check if a user has an encrypted key stored in the session array.
     * If it returns true, user is the same as before
     * If the method returns false, the session_id is regenerated
     * (reads $this->user_email instead of taking the email as a parameter)
     *
     * @return {boolean} True if valid session, else false
     */
    public function session_validate() {
        // Hash information about this session
        $user_agent = $this->session_hash_string($_SERVER['HTTP_USER_AGENT'], $this->user_email);

        // Check for instance of session
        if ( $this->session_exists() == false ) {
            // The session does not exist, create it
            $this->session_reset($user_agent);
        }

        // Match the hashed key in session against the new hashed string
        if ( $this->session_match($user_agent) ) {
            return true;
        }

        // The hashed string is different, reset session
        $this->session_reset($user_agent);
        return false;
    }

    /**
     * session_exists()
     * Will check if the needed session keys exist.
     *
     * @return {boolean} True if keys exist, else false
     */
    private function session_exists() {
        return isset($_SESSION['USER_AGENT_KEY']) && isset($_SESSION['INIT']);
    }

    /**
     * session_match()
     * Compares the session secret with the current generated secret.
     *
     * @param {String} $user_agent The hashed key
     */
    private function session_match( $user_agent ) {
        // Validate the agent and initiated (strict comparison: hex hashes must not be
        // compared loosely, as == treats strings like "0e123" as numbers)
        return $_SESSION['USER_AGENT_KEY'] === $user_agent && $_SESSION['INIT'] === true;
    }

    /**
     * session_hash_string()
     * Generates a unique hashed string
     *
     * @param {String} $user_agent The http_user_agent constant
     * @param {String} $unique_string Something unique for the user (email, etc)
     */
    private function session_hash_string( $user_agent, $unique_string ) {
        return md5($user_agent.$unique_string);
    }

    /**
     * session_reset()
     * Will regenerate the session_id (the local file) and build a new
     * secret for the user.
     *
     * @param {String} $user_agent
     */
    private function session_reset( $user_agent ) {
        // Create new id
        session_regenerate_id(TRUE);
        $_SESSION = array();
        $_SESSION['INIT'] = true;

        // Set hashed http user agent
        $_SESSION['USER_AGENT_KEY'] = $user_agent;
    }

    /**
     * Destroys the session
     */
    private function session_destroy() {
        // Destroy session (calls PHP's global function, not this method)
        session_destroy();
    }
}

Please note $this->user_email inside the public function session_validate. I use this inside a user class, and as the user must be logged in, this variable is always available. I guess you could just change it to something else unique. If you want more security, look at the method session_hash_string(). Edit that and include more randomness and a higher level of encryption if you need it. I would guess this should already work pretty well for your purposes, but you'll maybe have to do some alterations.
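The fingerprint above only tells one browser whether its own session has changed hands; Nathan's actual question (one account, two computers) needs a server-side record of which session is current. Added example, my code rather than Antonio's or the thread's: a per-login token stored in the user record, checked together with the user-agent fingerprint; $users, SessionGuard and the demo values are constructed stand-ins for the users table and two browsers.

```php
<?php
// Added example, not Antonio's code: one active session per account, enforced by a
// per-login token kept in the user record, plus the user-agent fingerprint check.
// $users is a constructed stand-in for the users table (a real app reads/writes the DB).
class SessionGuard
{
    private array $users;
    public function __construct(array $users) { $this->users = $users; }

    // Same idea as Antonio's session_hash_string(), with SHA-256 in place of MD5.
    private function fingerprint(string $userAgent, string $email): string
    {
        return hash('sha256', $userAgent . '|' . $email);
    }

    // Run once after the password check. The fresh token overwrites whatever an
    // earlier login stored, so that earlier session fails validate() on its next request.
    public function login(int $userId, string $userAgent, string $email): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) { session_regenerate_id(true); }
        $token = bin2hex(random_bytes(32));
        $this->users[$userId]['session_token'] = $token;
        $_SESSION = ['uid' => $userId, 'token' => $token,
                     'ua' => $this->fingerprint($userAgent, $email)];
    }

    // Run on every request: the session must carry this client's fingerprint and
    // the token the users table currently holds for the account.
    public function validate(string $userAgent, string $email): bool
    {
        if (!isset($_SESSION['uid'], $_SESSION['token'], $_SESSION['ua'])) { return false; }
        $stored = $this->users[$_SESSION['uid']]['session_token'] ?? '';
        $ok = hash_equals($_SESSION['ua'], $this->fingerprint($userAgent, $email))
            && $stored !== '' && hash_equals($stored, $_SESSION['token']);
        if (!$ok) { $_SESSION = []; }   // drop the stale session rather than let it linger
        return $ok;
    }
}

// Demo: computer A logs in, then computer B logs in to the same account. The two
// saved copies of $_SESSION stand in for the two browsers' separate session files.
$guard = new SessionGuard([7 => ['session_token' => null]]);
$_SESSION = [];
$guard->login(7, 'Firefox/100', 'nathan@example.com');
$computerA = $_SESSION;
$_SESSION = [];
$guard->login(7, 'Chrome/100', 'nathan@example.com');
$computerB = $_SESSION;
$_SESSION = $computerA;
$aStillValid = $guard->validate('Firefox/100', 'nathan@example.com'); // B's login replaced A's token
$_SESSION = $computerB;
$bValid = $guard->validate('Chrome/100', 'nathan@example.com');       // B holds the current token
```

Each browser carries its own session, so the fingerprint alone never sees the other login; the token in the user record is what ties both sessions to one account and lets the newer login displace the older one.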
Edward, June 21, 2012:
Finally I understand your code, Antonio. HTTP_USER_AGENT can be used as a good unique identifier, but as Larry was saying, user IP is NOT, as it can change or there can be more than one person with the same IP on the same network.

PS: Did you solve the WordPress plugin/phpBB3 problem?
Antonio Conte, June 21, 2012:
Yeah, I got it working nicely.
nam797, July 28, 2012:
Thanks Antonio, this will help!
Christian Norena, March 16:
Greetings @Antonio Conte, @Edward. My doubts are:

1) How can it work, if we know that each browser has its own session, different from the others (i.e. Mozilla Firefox opens one session, Google Chrome opens another, etc.)?
2) What cases (of preventing multiple logins with the same user) does it really work for?

Thanks!!!
Edited March 16 by Christian Norena