
I am developing an application in which security plays a main role. When I log in with a username and password, any other login on any other system with the same username should be deactivated.

How can I do this? When I google this issue I am not getting any related ideas.

  • What do you mean by "any other system"? Systems you have control over, or any other system/website etc?
    – James
    Commented Apr 8, 2015 at 12:40
  • Store the session with the user and system related information in a database, then you can check on login if a session already exists for that user and destroy it.
    – jeroen
    Commented Apr 8, 2015 at 12:41
  • @James I logged in from my home and when I login to my system from office my personal system session should be destroyed
    – Anto S
    Commented Apr 8, 2015 at 12:41
  • There isn't a single proper way to achieve that, and the topic is quite broad for stackoverflow, but there are a few good ideas on Google though. Maybe you didn't search for the right terms. Try "prevent multiple logins php". Basically, you will have to check if the session for a given logged-in user is still the same after every action. Commented Apr 8, 2015 at 12:42

1 Answer

I logged in from my home and when I login to my system from office my personal system session should be destroyed

Specifically, "personal session being destroyed" would mean remotely clearing your home browser history (to delete sessions/cookies etc.).
That is possibly not necessary (depending on the security level you need), or it is better to just have remote access to your PC.


A solution if you do not actually need to destroy "home" sessions.

A basic method would be something like:

Upon successful login, script sets a local session ID and stores it in the DB.
Each page/section within the secure area checks your local session ID with the one in the DB.
If match, you are shown the page, otherwise redirected to the login page.

Every time you successfully log in, it resets the session stored in the DB, so when logging in at work you would not be logged in at home, as the sessions no longer match.

Your Scenario

You log in at home, a session is created and the session ID is stored in the database and referenced in your local browser (cookie by default).
Each secure area page will check if the user's local session ID matches the one in the database.

At home, currently, it does.

You go to work and go to the login page (which finds no session/cookie, so it allows you to try to log in).
When you log in successfully, the script will set a new session and session ID, and update the database with that new session ID.

Now when you browse the secure area at work, the scripts check your local session ID against the database and they match up, so you can see the secure stuff.

At home, someone tries to browse your logged in area and the local session ID no longer matches the one stored in DB, as it's now the session ID you set from logging in at work.
So they are redirected to login page.

Security Note

This is just a basic example, and while the above will work, it is not a perfectly secure "login system" in itself. Best practice for having a secure login system is already covered in many other questions/answers/tutorials (i.e. using HTTPS, IP log, browser data check, timestamp + auto logout, etc.).
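
The scheme described in the answer above, as an added example that is not part of the original post: one stored session ID per user, overwritten on every login and compared on every secure page. The table name, function names and the in-memory SQLite store are assumptions for illustration, and storing only a hash of the session ID is a hardening choice that goes beyond the answer.

```python
import hashlib
import hmac
import secrets
import sqlite3


def open_store():
    """In-memory stand-in for the application's database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE active_session ("
        "username TEXT PRIMARY KEY, token_hash TEXT NOT NULL)"
    )
    return db


def _digest(token):
    # Assumption beyond the answer: keep only a hash, so a leaked table
    # does not hand out usable session IDs.
    return hashlib.sha256(token.encode()).hexdigest()


def login(db, username):
    """Call only after the password check has succeeded."""
    token = secrets.token_urlsafe(32)  # fresh, unguessable session ID
    with db:  # one row per user: a new login overwrites the previous one
        db.execute(
            "INSERT OR REPLACE INTO active_session VALUES (?, ?)",
            (username, _digest(token)),
        )
    return token  # goes into the browser's session cookie


def is_current(db, username, token):
    """Run on every secure page; False means redirect to the login page."""
    row = db.execute(
        "SELECT token_hash FROM active_session WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not token:
        return False
    return hmac.compare_digest(row[0], _digest(token))


def logout(db, username, token):
    """Only the current session may end itself; a stale one cannot."""
    if not is_current(db, username, token):
        return False
    with db:
        db.execute("DELETE FROM active_session WHERE username = ?", (username,))
    return True
```

Because `logout` checks the token first, the superseded home session cannot terminate the newer work session.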
