[nycphp-talk] Denying multiple logins to restricted pages

Mark Armendariz nyphp at
Wed Feb 26 13:42:05 EST 2003

Well, the 2 methods I've used to solve the problem involve either cron jobs
or running a mini script in my config file which is called by every script
(depending on availability of cron job control).

For starters, Using session handling hasn't always been reliable in my
experience. It's easy to figure you can catch session closes (close browser
or open different page) that you should just log them off, but unfortunately
you can't always catch a session close and run the proper script.  Browser
crashes and different browser set ups don't always allow for it.

Basically, I create a last_hit column (date/time) and logged_in (char(1)) in
my login database.  The script checks all logged_in = 1 and if their time is
greater than set time (usually 10 minutes) it set's logged_in to 0.  And in
order to access any page on the member the site, logged_in must be one and
their last_hit time is updated.  Also, in the login check script, make sure
the user's "logged_in" is not already set to 1.  If it is, they have to wait
0 minutes or someone else is using their login.

Depending on your hardware setup, this could actually be faster with a text

You could also do this with ip's and such, but with dynamic IP's being
changes without notice from ISP's this isn't always reliable.

Regardless of methods, Good Luck!!


-----Original Message-----
From: Ophir Prusak [mailto:ophir at] 
Sent: Wednesday, February 26, 2003 1:24 PM
To: NYPHP Talk
Subject: [nycphp-talk] Denying multiple logins to restricted pages

Hi All,

I'm creating a site that requires people to register and login for access to
certain pages. I want to stop users from giving out their username/password
to other people by denying access to more than one person using the same
username at the same time.

I have a few ideas in my head, but would really like to hear from others
that may have already tackled this problem and what solution they came up

Also, I'm still debating what to do when I find out that indeed two (or
more) people are trying to use the same username.
Do I deny the latest attempt ?
Do I accept the latest attempt and then reject requests from all other
people using the same username ? etc.


--- Unsubscribe at ---

More information about the talk mailing list