nam797 Posted June 19, 2012 Share Posted June 19, 2012 Hello, I am in the process of rewriting my SaaS Application in Yii and your tutorial on custom authentication using Yii framework really helped me understand what had to be done for autentication. I do have a question on how to stop a user from logging in at the same time with 2 seperate computers? I also am looking forward to your Yii book. Thanks for all the help, Nathan Link to comment Share on other sites More sharing options...
Antonio Conte Posted June 20, 2012 Share Posted June 20, 2012 You could possibly save some unique information like agent string, ip-adress etc. in a session. If those do not match, you unset all sessions for that computer. The more information, the better the protection. One question: how important is this? How secure is secure enough? That's pretty important to know to determine the approach. Link to comment Share on other sites More sharing options...
nam797 Posted June 20, 2012 Author Share Posted June 20, 2012 Thanks for you comments. its important because i charge per user per month. If i don't have that in place companies would purchase less users knowing that they can have multiple people login under one account. Link to comment Share on other sites More sharing options...
Antonio Conte Posted June 20, 2012 Share Posted June 20, 2012 I'm doing something like this myself, but it's more to guard against session hijacking. This is what I do: 1. ) Concatenate the user agent with their email adress and md5 it. This is their secret key. Store as unique info as possible. I save this to a key in the session. 2. ) I compare this key for each request. I also just check if a session key is true. Here is the code I'm using. I haven't checked if it actually works as it is a work in progress, but It'll give you something to build on. The code used is pretty much based on a tutorial to guard against session hijacking, but is baked into a class. /** * session_validate() * Will check if a user has a encrypted key stored in the session array. * If it returns true, user is the same as before * If the method returns false, the session_id is regenerated * * @param {String} $email The users email adress * @return {boolean} True if valid session, else false */ public function session_validate( ) { // Encrypt information about this session $user_agent = $this->session_hash_string($_SERVER['HTTP_USER_AGENT'], $this->user_email); // Check for instance of session if ( session_exists() == false ) { // The session does not exist, create it $this->session_reset($user_agent); } // Match the hashed key in session against the new hashed string if ( $this->session_match($user_agent) ) { return true; } // The hashed string is different, reset session $this->session_reset($user_agent); return false; } /** * session_exists() * Will check if the needed session keys exists. * * @return {boolean} True if keys exists, else false */ private function session_exists() { return isset($_SESSION['USER_AGENT_KEY']) && isset($_SESSION['INIT']); } /** * session_match() * Compares the session secret with the current generated secret. * * @param {String} $user_agent The encrypted key */ private function session_match( $user_agent ) { // Validate the agent and initiated return $_SESSION['USER_AGENT_KEY'] == $user_agent && $_SESSION['INIT'] == true; } /** * session_encrypt() * Generates a unique encrypted string * * @param {String} $user_agent The http_user_agent constant * @param {String} $unique_string Something unique for the user (email, etc) */ private function session_hash_string( $user_agent, $unique_string ) { return md5($user_agent.$unique_string); } /** * session_reset() * Will regenerate the session_id (the local file) and build a new * secret for the user. * * @param {String} $user_agent */ private function session_reset( $user_agent ) { // Create new id session_regenerate_id(TRUE); $_SESSION = array(); $_SESSION['INIT'] = true; // Set hashed http user agent $_SESSION['USER_AGENT_KEY'] = $user_agent; } /** * Destroys the session */ private function session_destroy() { // Destroy session session_destroy(); } Please note $this->user_email inside the public function session_validate. I use this inside a user class, and as the user must be logged in, this variable is always available. I guess you could just change it to something other unique. If you want more security, look at the method session_hash_string(). Edit that and include more randomness and higher level of encryption if you need it. I would guess this should already work pretty good for your purposes, but you'll maybe have to do some alterations. 1 Link to comment Share on other sites More sharing options...
Edward Posted June 21, 2012 Share Posted June 21, 2012 Finally i understand your code Antonio , HTTP_USER_AGENT can be used as a good unique identifier, but as Larry was saying user IP is NOT as it can change or there can be more than one person with the same IP on the same network. PS Did you solve the Wordpress plugin/PHPBB3 problem? Link to comment Share on other sites More sharing options...
Antonio Conte Posted June 21, 2012 Share Posted June 21, 2012 Yeah, I got it working nicely. Link to comment Share on other sites More sharing options...
nam797 Posted July 28, 2012 Author Share Posted July 28, 2012 Thanks Antonio This will help! Link to comment Share on other sites More sharing options...
Christian Norena Posted March 16, 2021 Share Posted March 16, 2021 (edited) Greetings @Antonio Conte@Edward, My doubts are: 1) How can it work, if we know that each browser has its session different to each them (i.e.: Mozilla Firefox opens one session, Google Chrome opens another different session, etc.)? 2) What cases (about preventing multiple login with the same user) does it really work for? Thanks!!! Edited March 16, 2021 by Christian Norena Link to comment Share on other sites More sharing options...
Recommended Posts