Preventing multiple computers connecting to one same account

Hey guys.

I’m using the advanced template and the Yii2 RBAC system (though I’ve extended it). I would like to know if there is any decently acceptable way of preventing multiple computers from logging into a single account.

Chances are these computers will be behind routers and share the same IPs. What would be a good strategy for this?

Thanks in advance.

You can generate an additional authentication code during the login process that will be stored in the user’s identity and saved in the DB as well. Every time the user invokes an action his code is compared to the one saved in the DB, and if it doesn’t match the user is kicked. This way only the latest login is valid.

I used the same approach in my project and it is working like a charm. Here is more detailed and technical explanation:

In your user table you can create column session_key or similar.

When user logs in using username and password, you change the value of the session_key column to 12345A and save that value in a session.

Every time the user makes some action, you go to the DB, get the key and compare it with the one in the session. If they are different (they will be different if another user logged in, and during a login process the key in the DB will change from 12345A to, for example, 12345B), log out the user and redirect him to the login page; if the values are the same, let him make the desired action.

Because every request will make calls to the DB, it is good to write low-level SQL queries which will select only one column (session_key) from the user table.
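One way to wire the session_key check described above into a Yii2 application, as an added example (not code from the thread’s authors). It assumes the `user` table has a `session_key` column, the hypothetical namespace `common\behaviors` and table name `{{%user}}`; `issueKey()` is meant to be called right after a successful `Yii::$app->user->login()`, and the filter is attached to any controller that requires a logged-in user.

```php
<?php
// Added example, not from the thread. Assumptions: `user` table with a
// `session_key` column, namespace `common\behaviors`, table `{{%user}}`.
namespace common\behaviors;

use Yii;
use yii\base\ActionFilter;

/**
 * Rejects any request whose per-session key no longer matches the one stored
 * in the DB, so only the most recent login for an account stays valid.
 */
class SingleSessionFilter extends ActionFilter
{
    const SESSION_VAR = 'session_key';

    /** Call right after Yii::$app->user->login($identity) succeeds. */
    public static function issueKey(int $userId): void
    {
        // Unguessable key; storing a new one invalidates every other session.
        $key = Yii::$app->security->generateRandomString(32);
        Yii::$app->db->createCommand()
            ->update('{{%user}}', ['session_key' => $key], ['id' => $userId])
            ->execute();
        Yii::$app->session->set(self::SESSION_VAR, $key);
    }

    public function beforeAction($action)
    {
        $user = Yii::$app->user;
        if ($user->isGuest) {
            return parent::beforeAction($action);
        }
        // Select only the one column needed, as the thread suggests.
        $dbKey = Yii::$app->db->createCommand(
            'SELECT session_key FROM {{%user}} WHERE id = :id',
            [':id' => $user->id]
        )->queryScalar();
        $sessionKey = Yii::$app->session->get(self::SESSION_VAR);

        if ($dbKey === false || $sessionKey === null
            || !hash_equals((string) $dbKey, (string) $sessionKey)) {
            $user->logout(); // destroys the stale session
            Yii::$app->session->setFlash('error',
                'You were signed out because this account signed in elsewhere.');
            $user->loginRequired(); // redirects to the login page
            return false;
        }
        return parent::beforeAction($action);
    }
}
```

The flash message is set after `logout()` so it survives the session reset and explains the redirect, which addresses the "looks like a bug" concern raised later in the thread.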

Thanks for the suggestions guys. That looks like it would work great. I’m not super fond of having to hit the database on every page (though to be fair the user record is always generated) so perhaps I can just store it there.

Quick question. How do you handle cases of sessions timing out and other users logging in again? That’s still a little fuzzy for me. Your use case looks like you disconnect the user already logged in. I think the opposite behavior would be best to avoid users logging each other out (though to be honest I’m satisfied with this behavior to the extent that they shouldn’t be sharing accounts, but I’m afraid they won’t understand why they are being logged out and think it’s a bug).

Cheers.

As an addition (thinking out loud) this would also prevent users from using multiple browsers. Not sure this is much of an issue but putting it here to keep it in mind.

The advanced template’s session table worked for me. I modified it to include the user id column. A login from another browser or computer kills the previously active session. Though this is debatable, I feel that the latest login should not be denied. Take for example I leave my office and forgot to sign out and the portal is accessible elsewhere, I should be able to login without going back to the office to sign out.

In my case, every user was able to log in only and only from one device. If a user logs in from a phone, his session on the computer was automatically killed. This way we stopped companies buying 10 licences to have 50 users on our system, and it was effective :)

Exactly what we’re going for. I think that if a user is redirected to a login page because he has an incorrect session token then I’ll display a message. That way they know why they’re presented with a login page and that should be enough to avoid “bug” complaints.

Yes, apart from the message stating that a new session exists, we also collected some data such as IP and device type etc… and we showed all that to the user, and it was effective.

Hi guys,

I am going to be implementing this.

Just one question… do you need to store an additional random value in the DB to verify against vs the session cookie, or is storing the session ID in the DB and comparing that enough? All sessions have a unique ID (not just unique to the user), right?