Preventing Multiple Login with same login credentials

Question

I am developing a web application that needs to prevent multiple login using the same user name and password concurrently.

If it happens on the same machine then we need to do something with the user session, but it should also prevent if they are login on different machines using the same user name and password.

What can be the best approach :-

1) should i store the user session,credentials,and IPAddress of the machine in the DB.

2) should we use the session tracking mechanism in the application itself.If so what is the best approach?

Also , We have to keep following things in mind:

1) If user close the browser without logout.

2) If session times out.

Hope it clears the question.

Answer 1

Simply have a field in your database that has text that says online or offline for each user, according to whether they are logged in or not. So when someone tries to log in with that username, check the database if the field says online for that given user on submit. If the field says online, don't allow log in. Otherwise permit it.

without using a database you can store if a user is online in a text file

$check= "onlineCheck.txt";
$fh = fopen($check, 'a') or die("can't open file");
$nowOnline= "USER678 \n";
fwrite($fh, $nowOnline);

Answer 2

Besdies data base hits (which could fail if your server is broguth down without updating db) : A data base friendly way is not to hit the data base for every re login or you could get denial of service attacks that brig you dowm. Instead implement a session listener in J2EE and check if same user is logged in by looking up the user id in a cache.

If you have more than one app node then need a distributed cache with a time out same as session time out in web.xml.