新聞財經娛樂♬資訊 News Economy

Recenly I have finished example of login-form for my server website from the
tutorial lnk at http://phpsense.com/2006/php-login-script/

Now just want to know how to prevent two users use same unique  login and passwd  on
two different computers in php and javascript  login-form to login  successfuly
on my website ?
I am thinking before a way to do that , for example, when user login successfull the form, the mysql database will  record the user's status such as active  and when the user kill the
login IE/Firefox browser or  window computer reset, there is script can delete the user
status ot be logout. But I don't know how to do it in program


Any idea if you experience this issue before or I neeed to concentrate on session and cookies application for the issue ?

 please advise
DUncan

@DaveBaldwin: Of course!  That's the way HTTP is supposed to work - atomic and stateless, client-server.

The problem here is the concept of a user who is "logged in."  There is no such thing.  There are only requests and responses.  If our author just uses the session handler and never puts his own cookies on the client browser,  the client will automatically be "logged out" after about 24 minutes of inactivity, or when the browser closes, whichever comes first.

But the whole idea of locking a client out because the last request came from a different device, however you might define "device," is a terrible idea and is to be avoided.

I have logged in to Experts Exchange a  number of times from more than one computer.  I also have more than one IP address and there wasn't any problem.

I think we talked about this in another question.  The design you've suggested here is technically incompetent and is almost certain to drive your clients away.  Nobody does this, and you should not even try.  Instead design your application with the idea in mind that the same client can appear from different IP addresses and different devices at any time.  

I have made actual tests to demonstrate that I can have two PayPal sessions on two different machines at the same time, transact money, and both of the sessions work correctly, connecting me to the data bases and sending or receiving funds.  If PayPal works this way, your application should work this way, too.

What does the lockout accomplish?  Well, if a client went from using his iPad to using his iPhone for a payment, and then tried to continue using your site on the iPhone, your site would reject his attempt to login?  To me that is a WTF design that misunderstands the nature of HTTP requests and the client-server protocol.  Not to mention human nature and the rapidly changing nature of the web-sphere.

If you have queries that cannot be intermixed between requests, the usual way to handle these is to create transactions or simply LOCK TABLES for the duration of the query set.  I've used that and it works.  But it is very different from denying a client access to the site for some arbitrary length of time.  That's like multiple inheritance.  Just don't do it.

Because of the way HTTP works, you cannot know when a user has left your websit unless you have a 'Logout' button to press. Even then they might just stop using the website and not press the button.

One way to do what you want is to record the time of the last activity for a user profile in the database and say that no activity for (say) 15 minutes is a logout.

You would need a field in the record for each user called (say) activityTime and it could store the date and time of the last activity. So on every page you have a small script that interrogates the session where the username would be stored in the event of a successful login. It then runs an update

** UNTESTED CODE **

mysql_query("UPDATE userTable SET activityTime=NOW() WHERE username='{$_SESSION['username'}' ");

In the login process you can then check to see if the user had any activity in the last 15 minutes and disallow the login if this is the case

$rs = mysql_query("SELECT * FROM userTable WHERE username='$user' AND activityTime > DATE_SUB( NOW(), INTERVAL 15 MINUTE ) ");

if ( mysql_num_rows($rs) > 0 )
    die("Sorry - already logged in");
else {
      $_SESSION ['username'] = $user;
     ... etc