[nycphp-talk] Denying multiple logins to restricted pages

Jim Hendricks jim at
Thu Feb 27 08:09:02 EST 2003

I had to deal with this whole situation a couple years ago with an ASP app,
but the principle should work with PHP.

At login the users loginID, SessionKey, and login time were added to a login
table.  The Session timeout was set to 3 minutes.  Each page in the system
contained a hidden frame with a page in it which was set to refresh at 2
minutes.  The refresh would update the login table for this user and session
to the current time and redeliver the same page, but this activity acts as a
heartbeat keeping the session alive. Since it's in a hidden frame, it does
not affect the active page.  This also has the affect of allowing a user to
stay on a page as long as necessary and not get arbitrarily timed out ( they
had one form in the system which took over a half hour to fill out ).

When a login attempt is made and an entry is found for that loginID the
current time is compared to the last activity time.  If the difference is
more than 4 minutes, the connection is assumed dead, the log entry is
archived, and a new entry created for this login.  If the login entry is
still considered active( user shut down the browser without using our logout
feature & right away attempts to log back in ) the user is provided a
message indicating that there is a current session for that userID also with
a message explaining that if that session was an improperly logged out
session from the same user than the login would be unlocked within 5

Hope I recalled enough of the details to be useful, it has been a while
since I've needed this type of functionality.


Jim Hendricks, President, Biz Computing, Inc
Phone:  (201) 599-9380     Email: jim at
Snail:  Jim Hendricks,  Biz Computing, Inc.,  255 McKinley Ave, New Milford,
NJ 07646

----- Original Message -----
From: "Mark Armendariz" <nyphp at>
To: "NYPHP Talk" <talk at>
Sent: Thursday, February 27, 2003 1:37 AM
Subject: RE: [nycphp-talk] Denying multiple logins to restricted pages

> Well that's why there's a script that resets the expired sessions after a
> given amount of time.  Unfortunately the user has to wait the time or
> contact the admin to reset their profile.  When I did this for a client's
> intranet (it was cf based, but same concept) I had a "reset user" section
> (with a dropdown of users) in the super user account and manager accounts.
> Fortunately out of the 75 users who used the system regularly, I only got
> the reset a session request about twice a week or less.  On another
> IP addresses had to be registered, but all those users only logged in from
> their desks, and it was directly tied to the network admin's dhcp list
> was a fun one).
> It's very hard to control crashed sessions, unfortunately, which I feel is
> serious downfall of browsers as they should allow for application plugs,
> imo.  I'm dying to hear of better solutions though :)
> Mark
> -----Original Message-----
> From: CHUN-YIU LAM [mailto:chun_lam at]
> Sent: Wednesday, February 26, 2003 11:53 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] Denying multiple logins to restricted pages
> what happens when something wrong with a session, how do he/she login in
> again?
> ----Original Message Follows----
> From: "Ophir Prusak" <ophir at>
> Reply-To: talk at
> To: NYPHP Talk <talk at>
> Subject: [nycphp-talk] Denying multiple logins to restricted pages
> Date: Wed, 26 Feb 2003 13:24:25 -0500
> Received: from ([]) by
> with Microsoft SMTPSVC(5.0.2195.5600); Wed, 26
> 2003 10:24:55 -0800
> Received: from ( [])by
> (8.12.6/8.12.6) with ESMTP id h1QIOPEF082196for
> <chun_lam at>; Wed, 26 Feb 2003 13:24:52 -0500
> null at
> X-Message-Info: dHZMQeBBv44lPE7o4B5bAg==
> Message-Id: <200302261824.h1QIOPEF082196 at>
> X-Paralist-Archived:
> X-List-Software: Paralist 0.6
> List-ID: <>
> List-Owner: <mailto:listmaster at>
> List-Archive: <>
> List-Subscribe: <>
> List-Unsubscribe: <>
> Organization: New York PHP
> X-Mailer: Paramail 0.5
> Return-Path: null at
> X-OriginalArrivalTime: 26 Feb 2003 18:24:55.0907 (UTC)
> Hi All,
> I'm creating a site that requires people to register and login for access
> certain pages. I want to stop users from giving out their
> to other people by denying access to more than one person using the same
> username at the same time.
> I have a few ideas in my head, but would really like to hear from others
> that may have already tackled this problem and what solution they came up
> with.
> Also, I'm still debating what to do when I find out that indeed two (or
> more) people are trying to use the same username.
> Do I deny the latest attempt ?
> Do I accept the latest attempt and then reject requests from all other
> people using the same username ? etc.
> Ophir
> _________________________________________________________________
> The new MSN 8: smart spam protection and 2 months FREE*
> --- Unsubscribe at ---

More information about the talk mailing list