Jane 2/2/2009 |
Hi, |
seanduffy author 2/2/2009 |
Hi Jane, |
Jane 2/3/2009 |
Still not clear. |
seanduffy author 2/3/2009 |
I want to prevent one login being used on two different machines at the same time. Still not clear. Do you want to check the IP address of each user and tie login and password to IP address? Or do you want to forbid the use of one login on two machines at the same time? |
alang 2/3/2009 |
Interesting issue - this will require a little custom PHP. The system variable $_SERVER["REMOTE_ADDR"] gives you the IP address of the client machine (if not behind a proxy server - check the net for a more reliable way if this is an issue). The simplest way would be to add a check to the before login. Basically, maintain an IP address against each login. If the IP does not match then return false. If no IP is registered then add it to the table. The slightly more tricky issue is when to clear the IP from the table - this can be done by hooking into the logout code - no event for this in V4.2 - not sure whether it has been added since. You could add time information so that after a period of time you treat the IP entry as "old" and allow replacement. You could also add code to a common header that you use for your pages that could maintain a more accurate track of when the app is being used. The main issue is if a user is on machine A, and then moves to machine B and expects to be able to log in there. |
hichem 2/5/2009 | |
seanduffy author 2/5/2009 |
Thanks guys. Maybe an easier way would be to set a flag whenever a user is logged in and set a timeout for it. That way any user can only be logged in once, and as part of your login validation you check this logged-in flag. If yes, simply deny the logon. Using the IP address can be tricky, especially if you don't know which user/IP is actually entitled to log in, and also, as mentioned above, when there is a proxy in between the users and the webserver. Another more discreet way would be to log all the login attempts with IP addresses and user names; that way you have proof of such abuse of your licenses :) You can generate a report on your login audit table after that. |
alang 2/5/2009 |
Thanks for the link - looks like a really good approach. I guess if you logged the IP address as well in the database against the user you could use a check on that to allow a user to have more than one session from the same machine which may be a little less restrictive. |
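
The approaches discussed in this thread (a per-login entry with a timeout, the same-IP allowance, clearing on logout, and an audit table) combined in one sketch. This is an added example, not code from any poster or from the product; the table, column and function names and the 15-minute timeout are assumptions, and it uses an in-memory SQLite database through PDO so it runs on its own.

```php
<?php
// Added example: every name below is hypothetical, not part of the product's API.
const SESSION_TIMEOUT = 900; // seconds before an entry counts as "old" (assumed value)

function initSchema(PDO $db): void {
    $db->exec('CREATE TABLE active_login (username TEXT PRIMARY KEY, ip TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    $db->exec('CREATE TABLE login_audit (username TEXT, ip TEXT, at INTEGER, allowed INTEGER)');
}

// Call from the "before login" hook, after the password has been verified.
function allowLogin(PDO $db, string $user, string $ip, int $now): bool {
    $db->beginTransaction();
    $q = $db->prepare('SELECT ip, last_seen FROM active_login WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    $fresh = $row && ($now - (int)$row['last_seen']) < SESSION_TIMEOUT;
    // Deny only when a live entry exists for a different address.
    $allowed = !($fresh && $row['ip'] !== $ip);
    if ($allowed) {
        $db->prepare('REPLACE INTO active_login (username, ip, last_seen) VALUES (?, ?, ?)')
           ->execute([$user, $ip, $now]);
    }
    // Audit every attempt, allowed or not, so a report can be built later.
    $db->prepare('INSERT INTO login_audit VALUES (?, ?, ?, ?)')
       ->execute([$user, $ip, $now, (int)$allowed]);
    $db->commit();
    return $allowed;
}

// Call from a common page header so an active user's entry never goes stale.
function touchSession(PDO $db, string $user, int $now): void {
    $db->prepare('UPDATE active_login SET last_seen = ? WHERE username = ?')->execute([$now, $user]);
}

// Call from the logout code to release the login immediately.
function logout(PDO $db, string $user): void {
    $db->prepare('DELETE FROM active_login WHERE username = ?')->execute([$user]);
}

// Constructed demo data: fixed timestamps and documentation-range addresses.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initSchema($db);
$t = 1000000;
var_dump(allowLogin($db, 'jane', '192.0.2.10', $t));        // machine A logs in
var_dump(allowLogin($db, 'jane', '198.51.100.7', $t + 60)); // machine B while A is live
var_dump(allowLogin($db, 'jane', '192.0.2.10', $t + 120));  // second session from machine A
var_dump(allowLogin($db, 'jane', '198.51.100.7', $t + 120 + SESSION_TIMEOUT)); // A's entry is old
```

Users behind the same proxy share one REMOTE_ADDR, so the address comparison treats them as the same machine; the audit table still records each attempt for review.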