
User Account limited to one IP logged in at a time

  • 30-05-2013 3:17pm
    #1
    Registered Users Posts: 17,963 ✭✭✭✭


    Yup, the title is a bit dodgy, but essentially what I'm trying to do is limit a user's account to one IP logged in at a time.

    For example, I'm logged into my Boards.ie account at the moment in my house, therefore I can't run around to my mate's house and log into my account from there as well. Is this possible?

    I had thought about linking an IP address to every user account, but with proxies and the likes that wouldn't work.


Comments

  • Closed Accounts Posts: 8,016 ✭✭✭CreepingDeath


    > Yup, the title is a bit dodgy, but essentially what I'm trying to do is limit a user's account to one IP logged in at a time.
    >
    > For example, I'm logged into my Boards.ie account at the moment in my house, therefore I can't run around to my mate's house and log into my account from there as well. Is this possible?
    >
    > I had thought about linking an IP address to every user account, but with proxies and the likes that wouldn't work.

    Limiting a user to one session is fairly straightforward but quite restrictive. You record the IP address when they log in, and for each subsequent request you check whether the request is still from the same IP address (that stops session hijacking / copying session cookies to other browsers).
    Typically a servlet filter can perform this.

    But if the user fails to explicitly log out of your web application, then that HTTP session remains alive until your web server's HTTP session timeout is triggered (typically something like 30 minutes).

    So valid users are locked out for 30 mins.
    Might be better to allow multiple sessions from the same IP address, or maybe 3 sessions. A strict 1-session policy is too restrictive in real life.


  • Registered Users Posts: 17,963 ✭✭✭✭Gavin "shels"


    > Limiting a user to one session is fairly straightforward but quite restrictive. You record the IP address when they log in, and for each subsequent request you check whether the request is still from the same IP address (that stops session hijacking / copying session cookies to other browsers).
    > Typically a servlet filter can perform this.
    >
    > But if the user fails to explicitly log out of your web application, then that HTTP session remains alive until your web server's HTTP session timeout is triggered (typically something like 30 minutes).
    >
    > So valid users are locked out for 30 mins.
    > Might be better to allow multiple sessions from the same IP address, or maybe 3 sessions. A strict 1-session policy is too restrictive in real life.

    Cool, cheers. Basically a user would only be using the same computer to log in and out; it's multiple users sharing the same account that I'm trying to stop.


  • Closed Accounts Posts: 8,016 ✭✭✭CreepingDeath


    Well, it kind of depends on how much piracy / abuse you are expecting.

    It's usually a selling point that someone can use their home PC, work PC, mobile phone or iPad/tablet to access a service, especially if they paid for it.

    And if some of your users use VPNs, 3G data or mobile phones, their IP addresses could change each time they turn them on/off.

    So you'd want to consider a shorter HTTP session timeout.
    Or else they might log in but not log out... be locked out until your HTTP session times out, and when they try accessing the service again you get a false positive report that 2 IP addresses tried logging in under the same name "simultaneously".


  • Registered Users Posts: 17,963 ✭✭✭✭Gavin "shels"


    > Well, it kind of depends on how much piracy / abuse you are expecting.
    >
    > It's usually a selling point that someone can use their home PC, work PC, mobile phone or iPad/tablet to access a service, especially if they paid for it.
    >
    > And if some of your users use VPNs, 3G data or mobile phones, their IP addresses could change each time they turn them on/off.
    >
    > So you'd want to consider a shorter HTTP session timeout.
    > Or else they might log in but not log out... be locked out until your HTTP session times out, and when they try accessing the service again you get a false positive report that 2 IP addresses tried logging in under the same name "simultaneously".

    We'd expect a large level of abuse; basically the website will be a paid membership. We're trying to combat, say, 5 people pitching in together to buy one account and all 5 using it.

    The type of website we're doing will be gambling related, therefore most people won't be able to use it in work, and generally the complexity of it would mean it's unlikely to be used on a mobile phone or tablet.

    If they're using VPN, wouldn't the IP change when they turn it off? Therefore they'd have to leave the website?

    Cheers for all the comments, just a quick one, do you have any links or articles on how to go about this?


  • Registered Users Posts: 27,033 ✭✭✭✭GreeBo


    Another approach is to just not allow someone to log in twice without logging out in between.
    Or, alternatively, to allow the second login and kill the original session.
    You don't need to worry about IPs and proxies etc. then; just don't allow consecutive calls to "createSession" without a "logout" or "expireSession" in between.
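    GreeBo's two options (refuse the second login, or admit it and kill the original session), combined with CreepingDeath's per-request IP check and the idle-timeout caveat, as an added Python sketch that is not from the thread. It is an in-memory store with an injectable clock so the timeout can be exercised; the class and method names are my own.

    ```python
    import secrets
    import time


    class SessionStore:
        """Added example: at most one live session per account.

        policy="reject": a second login is refused while a live session exists.
        policy="evict":  a second login succeeds and the original session is killed.
        idle_timeout:    seconds of inactivity after which a forgotten session stops
                         blocking the account (the 30-minute lockout problem above).
        """

        def __init__(self, policy="evict", idle_timeout=1800, clock=time.monotonic):
            self.policy = policy
            self.idle_timeout = idle_timeout
            self.clock = clock
            self.sessions = {}   # session_id -> {"user", "ip", "last_seen"}
            self.active = {}     # user -> the single session_id currently allowed

        def _expired(self, sid):
            return self.clock() - self.sessions[sid]["last_seen"] > self.idle_timeout

        def create_session(self, user, ip):
            """Login. Returns a new session id, or None if refused under 'reject'."""
            current = self.active.get(user)
            if current is not None:
                if self.policy == "reject" and not self._expired(current):
                    return None                   # "already logged in elsewhere"
                self.sessions.pop(current, None)  # evict the live one, or drop a stale one
            sid = secrets.token_urlsafe(32)       # unguessable id; never reuse or derive it
            self.sessions[sid] = {"user": user, "ip": ip, "last_seen": self.clock()}
            self.active[user] = sid
            return sid

        def check_request(self, sid, ip):
            """Per-request check (the servlet-filter role). Returns the user or None.
            Note the IP binding: a VPN or mobile user whose address changes fails here."""
            s = self.sessions.get(sid)
            if s is None:
                return None
            if self._expired(sid):
                self.logout(sid)                  # stale session no longer blocks the account
                return None
            if s["ip"] != ip:
                return None                       # copied cookie from another address
            s["last_seen"] = self.clock()
            return s["user"]

        def logout(self, sid):
            s = self.sessions.pop(sid, None)
            if s is not None and self.active.get(s["user"]) == sid:
                del self.active[s["user"]]
    ```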


  • Registered Users Posts: 2,021 ✭✭✭ChRoMe


    GreeBo wrote: »
    > Another approach is to just not allow someone to log in twice without logging out in between.
    > Or, alternatively, to allow the second login and kill the original session.
    > You don't need to worry about IPs and proxies etc. then; just don't allow consecutive calls to "createSession" without a "logout" or "expireSession" in between.

    I think this is the best approach.


  • Registered Users Posts: 17,963 ✭✭✭✭Gavin "shels"


    GreeBo wrote: »
    > Another approach is to just not allow someone to log in twice without logging out in between.
    > Or, alternatively, to allow the second login and kill the original session.
    > You don't need to worry about IPs and proxies etc. then; just don't allow consecutive calls to "createSession" without a "logout" or "expireSession" in between.

    That seems like the best idea and simplest, cheers.

