perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: [Newbie Q] Cleanest way to implement one logon per user?
Date Thu, 01 Aug 2002 20:07:17 GMT
Oh yes, changing IPs. I hear that WebTV terminals may have different IP 
addresses per each HTTP request. I suppose the specific behaviour you want 
on the event 'user A at station A is authenticated. user A at station B 
attempts to authenticate'. I handle that by expiring the original session 
and keeping the new one. You could take Robert's advice and force the user 
A at station A to logout first but that's a management headache. I use my 
SQL database to enforce timeouts. If you examine this PostgreSQL SQL code 
you'll notice that while the session records are stored in UserSession 
that checks for *valid* sessions are done agains the ValidSession view. 
That view ensures that stale sessions are not considered. The full 
database including schema may be downloaded from my home page at That's a 
reference to *one* possible implementation anyway.

CREATE TABLE UserSession (
        SessionID INTEGER
                PRIMARY KEY,
        SessionDigest TEXT
                CHECK (length(SessionDigest) IN (40, 30))
                NOT NULL,
        UserId INTEGER
                NOT NULL
                REFERENCES Users (ObjectId)
                        ON DELETE CASCADE
                        ON UPDATE CASCADE,
        Created TIMESTAMP
                NOT NULL
                DEFAULT current_timestamp,
        Modified TIMESTAMP
                NOT NULL
                DEFAULT current_timestamp

-- Uninitialized and stale sessions don't appear
        SELECT  s.*,
                u.Username AS activeuser
        FROM    UserSession AS s,
                ValidUsers AS u
        WHERE   s.UserId = u.ObjectId
        AND     s.Modified >= current_timestamp - '15 minutes'::interval
        AND     s.SessionDigest != ''::text;

Robert Landrum <>
08/01/2002 02:28 PM

        To:     "''" <>
        Subject:        Re: [Newbie Q] Cleanest way to implement one logon per user?

On Thu, Aug 01, 2002 at 03:08:40PM -0400, Baljit Sethi wrote:
> Hello.
> I am hoping someone can point me in the right direction. 
> What I want to do is limit client logons to one logon per username ie 
> a client has a session open, he/she cannot logon to the website from 
> terminal.

The problem isn't determining when they've logged in, but determining when 

they've logged out.

While it may be possible to write a record to the db that contains 
password, and IP address, it does not gaurentee that the user's ip address 

will not change mid session. (cable modem disconnect and reconnects with 
new ip,
transparent to the user.)

The short answer is, you can't.  The long answer is that you can, but it 
way more work than it's worth.

The only way I've seen is to set a cookie (encrypted) on the client's 
and flag the user as logged in.  If the user tries to log in again (from 
anywhere), it rejects it.  Only if the original client connects and clicks
logout (and the cookie still exists) does it actually remove the flag (and
the cookie).

The drawback here is that if any user ever deletes their cookies before
logging out, they're screwed, and will call asking you to fix it.

Good luck,


View raw message