So the problem you want to solve is that the same user cannot be logged on to two "machines" at the same time.
Using regular sessions, which remain on the server, either in memory or in the database, you only have one certainty: your user has logged in to the system. You cannot find out whether he is still logged in unless he tells you explicitly, that is, he has asked to log out.
To find out whether the guy is still logged in, just check whether his email / login is in the database where you save the session (a SELECT email FROM session WHERE email = $email is enough). The problem is that you may end up locking your user out of your system until the session expires.
However, there is a way for you to know if he is still using the system, if the tab is still open in his browser: you will use a WebSocket on the client side and the server side. I will not dwell on the client implementation, but I found a tutorial that looks good about this part.
Think of WebSocket as a chat room with the server: your client can send messages to the server, and the server can send messages to the client and / or clients.
The problem is that this tutorial does not cover the WebSocket server implementation, because what you already have is a web server, HTTP. One library I found for PHP is Ratchet. You will literally need to run another server, on another port, to receive messages from the client. In Ratchet it would be something like:
    use Ratchet\MessageComponentInterface;
    use Ratchet\ConnectionInterface;

    class WSAuth implements MessageComponentInterface {
        protected $clients;

        public function __construct() {
            // Set of open connections; must exist before onOpen() attaches to it
            $this->clients = new \SplObjectStorage;
        }

        public function onOpen(ConnectionInterface $conn) {
            // Store the new connection to send messages to later
            $this->clients->attach($conn);
            echo "New connection! ({$conn->resourceId})\n";
        }

        public function onMessage(ConnectionInterface $from, $msg) {
            // receives the message from the client with login and password
            // performs all the checks to authenticate it
            // sends the SessionID back to the client, and stores the cookie.
        }

        public function onClose(ConnectionInterface $conn) {
            // logs the user out if the client had connected before
            $this->clients->detach($conn);
        }

        public function onError(ConnectionInterface $conn, \Exception $e) {
            // you should probably log the guy out on error too
        }
    }
Another solution would be to send an Ajax request every minute to the server, and if the client does not send it for 3 minutes, you can log him out.
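
The heartbeat variant above, sketched on the server side as an added example that is not part of the original answer: one active session per login, refreshed by the per-minute Ajax call and treated as stale after 3 minutes of silence. The class and method names are hypothetical, and the in-memory array is an assumption standing in for the session table; timestamps are passed in so the timeline at the bottom is reproducible.

```php
<?php
// Added example: ActiveSessionRegistry and its methods are hypothetical names.
final class ActiveSessionRegistry
{
    private const STALE_AFTER = 180; // seconds: three missed one-minute heartbeats

    /** @var array<string, array{sid: string, seen: int}> one entry per login */
    private array $active = [];

    /** Returns a new session id, or null while the user is still active elsewhere. */
    public function login(string $email, int $now): ?string
    {
        $cur = $this->active[$email] ?? null;
        if ($cur !== null && $now - $cur['seen'] < self::STALE_AFTER) {
            return null; // a heartbeat arrived recently from another machine
        }
        $sid = bin2hex(random_bytes(16)); // unguessable id from the CSPRNG
        $this->active[$email] = ['sid' => $sid, 'seen' => $now];
        return $sid;
    }

    /** Handler for the per-minute Ajax call; false means "send the user to login". */
    public function heartbeat(string $email, string $sid, int $now): bool
    {
        $cur = $this->active[$email] ?? null;
        if ($cur === null || !hash_equals($cur['sid'], $sid)
            || $now - $cur['seen'] >= self::STALE_AFTER) {
            return false; // unknown, replaced, or expired session
        }
        $this->active[$email]['seen'] = $now;
        return true;
    }

    /** Explicit logout frees the slot immediately instead of waiting for the timeout. */
    public function logout(string $email, string $sid): void
    {
        if (hash_equals($this->active[$email]['sid'] ?? '', $sid)) {
            unset($this->active[$email]);
        }
    }
}

// Constructed timeline; the integer arguments are timestamps in seconds.
$reg = new ActiveSessionRegistry();
$first = $reg->login('ana@example.com', 0);
var_dump($reg->login('ana@example.com', 60));              // second machine, first still active
var_dump($reg->heartbeat('ana@example.com', $first, 120)); // first machine checks in
var_dump($reg->login('ana@example.com', 300));             // 180 s after the last heartbeat
var_dump($reg->heartbeat('ana@example.com', $first, 301)); // old session after takeover
```

Comparing the session id with hash_equals() and checking it on every heartbeat means a stale browser tab cannot keep or reclaim the slot once another login has replaced it.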