
I have a requirement that if a user is logged in from one browser, she can't be logged in from anywhere else.

What I did: when the user logs in, I record her status in a log table as logged in, and when she logs out I update that status.

The problem comes: what if she didn't log out and just closed the browser?

Any help or improvement will be appreciated in advance :-) I am using CodeIgniter as the back-end tool.

franzlorenzon

2 Answers


Doing this on the server side is your best bet. You can keep track of logged-in users in your application context.

Well, a little hint: make use of a Servlet Filter, say AuthFilter, and do a validation, maybe isAlreadyLoggedIn(), there alongside other validations like username/password etc. Now, after having this check in place, you either -- that it depends what you want to do with the user trying to log in, show the message that "user already logged-in",

GautamD31
  • The problem comes when he just closes the browser. How will I come to know he is logged out? – user2013626 May 20 '13 at 06:12
  • At that time you need to use a session timeout for the user login, and make sure that you give a small value for the session timeout – GautamD31 May 20 '13 at 06:14
  • Session is destroyed by browser? I cannot track session timeout? – user2013626 May 20 '13 at 06:15
  • I mean to say that whenever the user logs in, start the session with a session timeout at login itself; thus, if he closes the browser without logging out, then only after the session timeout can you try with another browser – GautamD31 May 20 '13 at 06:17
  • @Gautam3164 user says CodeIgniter is used, which is a PHP framework. You're suggesting to use a servlet filter, which is a Java EE technology, if I'm not wrong. I'm seeing a mismatch here. – eis May 20 '13 at 06:27
  • @eis I know that it is CI, and I know CI as well, but I suggested using AuthFilter, which is not related to CI; for the user's sake I suggested that there is also a way to solve that... that's it – GautamD31 May 20 '13 at 06:30
  • Is there any method by which I can destroy the session when the user closes the browser? – user2013626 May 20 '13 at 06:39

As others have said, using a timeout on the server/database side is your best bet.

You asked for a way to detect if the user has closed the browser - there is the JavaScript onunload event which, most of the time, will fire if a user has closed the browser window. It will however not fire for emergency shutdowns or if JavaScript has been turned off, so it is not very reliable.

There are other reasons as well why implementing a timeout on the server side is the recommended approach. For example, the user could've just logged in from a public computer and forgotten to log off. In this case, you do want to time out the session at some point, even if the browser window is still open.

Also, having some kind of timeout reduces the chances of session fixation attacks.

eis
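A sketch of the server-side idle timeout both answers recommend, as an added example that is not code from the original posts. It is plain PHP 8 with an in-memory array standing in for the question's log table; the class name, the row layout and the 900-second timeout are assumptions.

```php
<?php
// One active session per user, released by an idle timeout.
// $active stands in for the log table: user id => [token, last-seen time].
final class SingleSessionGuard
{
    private array $active = [];

    public function __construct(private int $idleTimeout = 900) {}

    // Returns a new session token, or null while another session is live.
    public function login(string $userId, int $now): ?string
    {
        $row = $this->active[$userId] ?? null;
        if ($row !== null && $now - $row['seen'] < $this->idleTimeout) {
            return null;
        }
        // No row, or the old browser went silent: overwrite the stale row.
        $token = bin2hex(random_bytes(16));
        $this->active[$userId] = ['token' => $token, 'seen' => $now];
        return $token;
    }

    // Call on every authenticated request; false means force a re-login.
    public function touch(string $userId, string $token, int $now): bool
    {
        $row = $this->active[$userId] ?? null;
        if ($row === null || !hash_equals($row['token'], $token)
            || $now - $row['seen'] >= $this->idleTimeout) {
            return false;
        }
        $this->active[$userId]['seen'] = $now;
        return true;
    }

    public function logout(string $userId, string $token): void
    {
        if (hash_equals($this->active[$userId]['token'] ?? '', $token)) {
            unset($this->active[$userId]);
        }
    }
}

// Constructed walk-through with a fake clock (Unix seconds).
$guard = new SingleSessionGuard(900);
$t0 = 1700000000;
$a = $guard->login('alice', $t0);                 // browser A logs in
var_dump($guard->login('alice', $t0 + 60));       // browser B while A is live
var_dump($guard->touch('alice', $a, $t0 + 120));  // A's next request
$b = $guard->login('alice', $t0 + 1020);          // A closed; 900 s of silence
var_dump($b !== null, $guard->touch('alice', $a, $t0 + 1030)); // B in, A's old token
```

The second login is refused while browser A keeps sending requests. Once A has been silent for the full idle window, the stale row is replaced, so a closed browser cannot lock the account out and A's old token stops working.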