[SOLVED]

 Preventing users sharing a user login

1/30/2009 3:49:16 PM
PHPRunner General questions
seanduffy author

My application is licensed on a number of users. I don't want people to avoid paying for extra logins by sharing their login with other people.
Is there an easy way to do this with PHPRunner or does it require some custom PHP?

Jane 2/2/2009

Hi,
Please clarify what "sharing their login with other people" means.

seanduffy author 2/2/2009

Hi Jane,

Say someone has a login name called "davesmith". I only want it to be possible for one person to use that login at any one time. This is because I am charging my clients for access into the system on a per-user basis, so I want to force them to buy further logins off me if other people in the company want access, not just have everyone in the company use the one login, as I don't make any money this way!
Sean

Jane 2/3/2009

Still not clear.

Do you want to check the IP address of each user and tie the login and password to the IP address? Or do you want to forbid the use of one login on two machines at the same time?

seanduffy author 2/3/2009

I want to prevent one login being used on two different machines at the same time.

alang 2/3/2009

Interesting issue - this will require a little custom PHP. The system variable $_SERVER["REMOTE_ADDR"] gives you the IP address of the client machine (if not behind a proxy server - check the net for a more reliable way if this is an issue). The simplest way would be to add a check to the before login. Basically, maintain an IP address against each login. If the IP does not match then return false. If no IP is registered then add it to the table. The slightly more tricky issue is when to clear the IP from the table - can be done by hooking into the logout code - no event for this in V4.2 - not sure whether it has been added since. You could add time information so that after a period of time you treat the IP entry as "old" and allow replacement. Could also add code to a common header that you use for your pages that could maintain a more accurate track of when the app is being used. Main issue is if a user is on machine A, and then moves to machine B and expects to be able to log in there.

hichem 2/5/2009

Maybe an easier way would be to set a flag whenever a user is logged in and set a timeout for it. That way any user can only be logged in once, and as part of your login validation you check this logged-in flag. If yes, simply deny the logon. Using the IP address can be tricky, especially if you don't know who is the user/IP who is actually entitled to log in, and also, as mentioned above, when there is a proxy in between the users and the webserver.

Another more discreet way would be to log all the login attempts with IP addresses and user names; that way you have proof of such abuse of your licenses :) You can generate a report on your login audit table after that.

seanduffy author 2/5/2009

Thanks guys.
The problem with IP address is it is not particularly good for a user if they wish to log in from different locations.
A better approach I found on another forum:

http://www.webmasterworld.com/php/3055206.htm
This saves the session ID of the user in the database every time they log in. Now if someone else logs in with a different session ID it kicks the original person off. I am more than happy with this, as people should not be sharing logins; they should pay for extra ones!
I hope this is useful to others who might want to consider the same.




alang 2/5/2009

Thanks for the link - looks like a really good approach. I guess if you logged the IP address as well in the database against the user you could use a check on that to allow a user to have more than one session from the same machine which may be a little less restrictive.
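
The session-ID approach discussed in the thread, sketched as an added example (not code from the thread, the linked page or PHPRunner). The table, column and function names are hypothetical, and the demo assumes the pdo_sqlite extension and uses constructed session IDs in place of session_id().

```php
<?php
declare(strict_types=1);

// Added example; table, column and function names are hypothetical.

// Store only a hash so a database read does not expose live session IDs.
function sidHash(string $sessionId): string
{
    return hash('sha256', $sessionId);
}

// Call after the password check succeeds. The newest login replaces the
// stored value, which is what invalidates the older session.
function recordLogin(PDO $db, string $user, string $sessionId): void
{
    $db->beginTransaction();
    $db->prepare('DELETE FROM user_sessions WHERE username = ?')->execute([$user]);
    $db->prepare('INSERT INTO user_sessions (username, sid_hash, last_login) VALUES (?, ?, ?)')
       ->execute([$user, sidHash($sessionId), time()]);
    $db->commit();
}

// Call at the top of every protected page; on false, destroy the session
// and send the browser back to the login form.
function isCurrentSession(PDO $db, string $user, string $sessionId): bool
{
    $stmt = $db->prepare('SELECT sid_hash FROM user_sessions WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, sidHash($sessionId));
}

// Demo with an in-memory SQLite database and constructed session IDs.
// In the application, pass session_id() after session_regenerate_id(true).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_sessions (
    username TEXT PRIMARY KEY, sid_hash TEXT NOT NULL, last_login INTEGER NOT NULL)');

$machineA = bin2hex(random_bytes(16));
$machineB = bin2hex(random_bytes(16));

recordLogin($db, 'davesmith', $machineA);
echo 'A after A logs in: ', var_export(isCurrentSession($db, 'davesmith', $machineA), true), "\n";
recordLogin($db, 'davesmith', $machineB);
echo 'A after B logs in: ', var_export(isCurrentSession($db, 'davesmith', $machineA), true), "\n";
echo 'B after B logs in: ', var_export(isCurrentSession($db, 'davesmith', $machineB), true), "\n";
```

Because the check keys on the session rather than the IP address, the same person can move from machine A to machine B and simply log in again; the session left open on machine A stops working on its next page request.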