PHP Check / Drop Login Session Duplication

0

Is there any tool or something like this to check if the same user's login is occurring in two different places and overturn the oldest login?

Example: I am logged on to the system in PHP that uses session for authenticity checking, so another person who has my password logs into the system. Hence the system will automatically knock me out of the system and leave only the new login using the system. To try to ensure that a SINGLE login is not logged into the system on two different machines.

    
asked by anonymous 16.05.2017 / 16:24

2 answers

1

No, at least natively this does not exist. What you can do is save the active session in the database; you can even use session_set_save_handler to do so, or you can create your own session management system.

A "path of stones" would be:

When the user connects:

if($senhaCorreta && $tudoOk){

// Store the current session id as this user's only valid session
$idSessao = session_id();

$AtualizaSessao = $mysqli->prepare('UPDATE tabela 
                                     SET idSessao = ? 
                                       WHERE idUsuario = ?');

$AtualizaSessao->bind_param('si', $idSessao, $idUsuario);
$AtualizaSessao->execute();

//...

$_SESSION['idUsuario'] = $idUsuario;

}

This will update the idSessao with the id of the current session, the value of the cookie.

Now you can simply compare:

if (isset($_SESSION['idUsuario'])) {

    // Fetch the session id stored at login (the idSessao column updated above)
    $BuscaUltimaSessao = $mysqli->prepare('SELECT idSessao
                                            FROM tabela
                                             WHERE idUsuario = ?');

    $BuscaUltimaSessao->bind_param('i', $_SESSION['idUsuario']);
    $BuscaUltimaSessao->execute();

    $BuscaUltimaSessao->bind_result($idSessao);
    $BuscaUltimaSessao->fetch();

    // A different stored id means a newer login replaced this session
    if (hash_equals(session_id(), (string) $idSessao) === false) {

        session_destroy();

        echo 'Esta sessão expirou';

    } else {

        echo 'OK';

    }

} else {

    echo 'Não há sessão';

}

The logic is very simple: only one session will be in the database, in the idSessao column, so when the same user connects in another place this column will be updated to the corresponding cookie value. This can be tested even in different browsers: once you connect in one and then connect in the other, the first will be disconnected after refreshing the page.

  

/!\ This has flaws!

Obviously you should check for things beyond the cookie, like the IP, the browser (...). After all, it is possible to duplicate the value of the cookie: it is on the client side, so two different devices can share the same cookie and thus connect to the same account; this is even an attack method. However, it is possible that two devices are using the same browser (or forging this information) and are using the same IP (such as several devices using a single proxy / VPN). Be aware that there will still be two devices / browsers / people in the same account; I honestly do not see any solution for this.

    
16.05.2017 / 20:42
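An added example, not part of the original answer: the same "one valid session per user" check, written so it runs on its own with an in-memory SQLite database. The table and column names (`users`, `session_hash`) and the function names are assumptions; going slightly beyond the answer, it stores only a SHA-256 of the session id rather than the id itself, and expects `session_regenerate_id(true)` to be called at login in a real web request.

```php
<?php
declare(strict_types=1);

// Assumed schema: users(id INTEGER PRIMARY KEY, session_hash TEXT NULL).
// Only a hash of the session id is stored, so a leaked table does not
// contain values that can be replayed as session cookies.
function sessionFingerprint(string $sessionId): string
{
    return hash('sha256', $sessionId);
}

// Call right after the password check succeeds. In a web request, call
// session_regenerate_id(true) first and pass session_id() here.
function registerLogin(PDO $db, int $userId, string $sessionId): void
{
    $stmt = $db->prepare('UPDATE users SET session_hash = ? WHERE id = ?');
    $stmt->execute([sessionFingerprint($sessionId), $userId]);
}

// Call on every authenticated request. A false result means a newer login
// replaced this session and the caller should destroy it.
function isActiveSession(PDO $db, int $userId, string $sessionId): bool
{
    $stmt = $db->prepare('SELECT session_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    // No row (false) or NULL column: no login recorded, so reject.
    if (!is_string($stored)) {
        return false;
    }
    return hash_equals($stored, sessionFingerprint($sessionId));
}

// Constructed demo: two devices simulated with random ids.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, session_hash TEXT)');
$db->exec('INSERT INTO users (id) VALUES (1)');

$deviceA = bin2hex(random_bytes(16));
$deviceB = bin2hex(random_bytes(16));

registerLogin($db, 1, $deviceA);             // user logs in on device A
var_dump(isActiveSession($db, 1, $deviceA)); // request from device A
registerLogin($db, 1, $deviceB);             // same user logs in on device B
var_dump(isActiveSession($db, 1, $deviceA)); // device A's next request
var_dump(isActiveSession($db, 1, $deviceB)); // request from device B
```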
0

In PHP you can use Sessions; that is, every time the user logs in you will register the session.

Sessions Documentation - W3CSchool

<?php
session_start();
?>
<!DOCTYPE html>
<html>
<body>

<?php
  print_r($_SESSION);
?>

</body>
</html>

Now just create an algorithm to get the list of sessions on the server and just apply the concept you quoted yourself.

    
16.05.2017 / 17:07