-1

I have trouble with my login page: if a user is logged in, the user can log in again with the same user ID in another browser.

Login page

```php
<?php
// session_start() must already have run (presumably inside config.default.php) for $_SESSION to work
require("config/config.default.php");
require("config/config.function.php");
require("config/functions.crud.php");

// Current student from the PHP session, or 0 when nobody is logged in
(isset($_SESSION['id_siswa'])) ? $id_siswa = $_SESSION['id_siswa'] : $id_siswa = 0;
// Already logged in: redirect (jump() and info() come from the config includes)
($id_siswa<>0) ? jump("$homeurl/login.php"):null;
$siswa = mysql_fetch_array(mysql_query("SELECT * FROM siswa WHERE id_siswa='$id_siswa'"));

if(isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // NOTE: $username is interpolated unescaped into the SQL, and mysql_* has been removed since PHP 7.0
    $siswaQ = mysql_query("SELECT * FROM siswa WHERE username='$username'");
    if(mysql_num_rows($siswaQ)==0) {
        $info = info('Siswa tidak terdaftar!','NO');   // "Student not registered!"
    } else {
        $siswa = mysql_fetch_array($siswaQ);
        // NOTE: plaintext comparison against the stored password column
        if($password<>$siswa['password']) {
            $info = info('Password salah!','NO');      // "Wrong password!"
        } else {
            // Nothing here checks whether this id_siswa already has a live session in another browser
            $_SESSION['id_siswa'] = $siswa['id_siswa'];
            mysql_query("INSERT INTO log (id_siswa,type,text,date) VALUES ('$siswa[id_siswa]','login','masuk','$tanggal $waktu')");
            jump($homeurl);
        }
    }
}
```

database table siswa

```sql
CREATE TABLE `siswa` (
  `id_siswa` int(11) NOT NULL,
  `id_kelas` int(11) NOT NULL,
  `nis` varchar(30) NOT NULL,
  `no_peserta` varchar(30) NOT NULL,
  `nama` varchar(50) NOT NULL,
  `paket` varchar(1) NOT NULL,
  `username` varchar(50) NOT NULL,
  `password` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
```

database session

```sql
CREATE TABLE `session` (
  `id` int(11) NOT NULL,
  `session_time` varchar(10) NOT NULL,
  `session_hash` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
```

I got tired of experimenting with references from Google. Please help.

Jetli
    Hm...why do you consider that to be a problem exactly? It's quite normal behaviour for a web application. People like to be logged in at the same time on their laptop and mobile for example - think of social media sites or shopping or streaming services, for example. It's a multi-device, multi-browser world. What actual practical difficulty does it give your application if the user is logged in twice (or 3 times, or 20 times)? – ADyson Jun 09 '20 at 18:44
    I want to disable multiple logins with the same user ID; I need it for online student exams taken from home – Jetli Jun 09 '20 at 18:47
    It's very difficult to do in practice, because it's hard to know when another session has expired. So...what actual problem with the exam are you anticipating if this is allowed? Some sort of cheating involving multiple people answering one user's questions, perhaps? You could help that maybe by only allowing the exam data itself to be loaded once and/or submitted once, or only from one session. It depends on the rules of the exam of course, but exploring that sort of protection will be easier than what you're trying to do now. – ADyson Jun 09 '20 at 18:51
  • P.s. I forgot to tell you to read this urgently: https://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php?noredirect=1&lq=1 – ADyson Jun 09 '20 at 20:26
  • Why are you using code that was deprecated before I was born? – Strawberry Jun 09 '20 at 21:07
  • **Warning:** `mysql_*` extension is deprecated as of PHP 5.5.0, and has been removed as of PHP 7.0.0. Instead, either the [mysqli](https://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](https://www.php.net/manual/en/book.pdo.php) extension should be used. See also the [MySQL API Overview](https://www.php.net/manual/en/mysqlinfo.api.choosing.php) for further help while choosing a MySQL API. – Dharman Jun 09 '20 at 22:25

1 Answer

0

I would use your database session to store the time, session hash, user id, and ip address. Every time the page loads, I would:

  1. Gather the current time + 30 minutes (or whatever your timeout amount is), session hash, user id, and ip address
  2. Query the session database to see the count of sessions where the session_time <= current time + 30 minutes, where the session_hash = this session hash, the userID = this user id, and where the ip address = this ip address. That will tell you if the user loading the page is the one user allowed for that account.
  3. If the count returned from step 2 is 0, that means you need to have the user hit the logout script (to ensure all session values are destroyed) and then be directed to the login script.
  4. Ensure that your logout script deletes any entries from the sessions table for that specific user id.
  5. Now, when somebody is attempting to log in, check that the user ID they're trying to log in as doesn't have any active session entries in the database called "sessions".
Brds
    Surely session hash associated with user ID is enough? Can't see what use the IP address is here - it doesn't identify anything unique - doesn't distinguish between multiple sessions/browsers on one device and doesn't always identify unique devices either, in fact it rarely does because most end-user machines are behind a NAT firewall – ADyson Jun 09 '20 at 18:58
  • Also I think if the user closes their browser window without logging out (e.g. they forget, or the browser crashes) then they won't be able to log in from any device at all for 30 minutes after the last time they loaded a page. That could be a big issue for someone potentially. It could be mitigated possibly by having a "remember me" type cookie with a long/infinite expiry added to the browser - but that might be considered a security risk in itself by some (it maybe depends how serious a business this exam system is). – ADyson Jun 09 '20 at 20:08
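The answer's five steps carried into working PHP, as an added example that is not the asker's or Brds's code: it keys the `session` table on student id plus a hash of the PHP session id only (IP address dropped, per ADyson's first comment), purges expired rows at login so a crashed browser blocks re-login for at most the 30-minute timeout rather than indefinitely, and replaces `mysql_*` and the plaintext password compare with PDO prepared statements and `password_verify()`. Assumed, and not on the page: a PDO handle `$pdo`, `session_start()` already called, `siswa.password` holding `password_hash()` output, and the `id_siswa`/`expires_at` columns on `session` shown in the header comment.

```php
<?php
// Added example, not the asker's or Brds's code. Assumes a PDO handle $pdo (ERRMODE_EXCEPTION),
// session_start() already called, `siswa`.`password` holding password_hash() output, and the
// `session` table redefined as: CREATE TABLE `session` (`id_siswa` INT PRIMARY KEY,
// `session_hash` CHAR(64) NOT NULL, `expires_at` INT NOT NULL);  -- the key enforces one row per student
const SESSION_TTL = 1800; // 30 minutes, as in the answer
// Step 5: refuse login while the student still has an unexpired session row.
function login(PDO $pdo, string $username, string $password): bool {
    $st = $pdo->prepare('SELECT id_siswa, password FROM siswa WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password'])) {
        return false; // unknown user or wrong password: one generic failure for both
    }
    $pdo->prepare('DELETE FROM session WHERE expires_at < ?')->execute([time()]); // purge stale rows
    $st = $pdo->prepare('SELECT COUNT(*) FROM session WHERE id_siswa = ?');
    $st->execute([$row['id_siswa']]);
    if ((int) $st->fetchColumn() > 0) {
        return false; // another browser is still logged in as this student
    }
    session_regenerate_id(true); // fresh cookie value at login; only its hash is stored server-side
    $pdo->prepare('INSERT INTO session (id_siswa, session_hash, expires_at) VALUES (?, ?, ?)')
        ->execute([$row['id_siswa'], hash('sha256', session_id()), time() + SESSION_TTL]);
    $_SESSION['id_siswa'] = $row['id_siswa'];
    return true;
}
// Steps 1-3: on every page load this browser's session must be the student's single active row.
function require_active_session(PDO $pdo): bool {
    if (empty($_SESSION['id_siswa'])) return false;
    $st = $pdo->prepare('SELECT COUNT(*) FROM session WHERE id_siswa = ? AND session_hash = ? AND expires_at >= ?');
    $st->execute([$_SESSION['id_siswa'], hash('sha256', session_id()), time()]);
    if ((int) $st->fetchColumn() === 0) {
        logout($pdo);  // step 3: expired, or a different browser owns the row
        return false;  // caller redirects to login.php
    }
    $pdo->prepare('UPDATE session SET expires_at = ? WHERE id_siswa = ?')
        ->execute([time() + SESSION_TTL, $_SESSION['id_siswa']]); // slide the timeout
    return true;
}
// Step 4: logout deletes only this browser's own row, so a stale cookie cannot evict the live session.
function logout(PDO $pdo): void {
    if (!empty($_SESSION['id_siswa'])) {
        $pdo->prepare('DELETE FROM session WHERE id_siswa = ? AND session_hash = ?')
            ->execute([$_SESSION['id_siswa'], hash('sha256', session_id())]);
    }
    $_SESSION = [];
    session_destroy();
}
```

With `id_siswa` as the primary key, two logins racing past the COUNT check cannot both insert: the second `INSERT` throws under ERRMODE_EXCEPTION and that login fails, which is what turns the check into a guarantee.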