Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

User Account limited to one IP logged in at a time

  • 30-05-2013 2:17pm
    #1
    Registered Users, Registered Users 2 Posts: 17,974 ✭✭✭✭


    Yup the title is a bit dodgy, but essentially what I'm trying to do is limit a users account to one IP logged in at a time.

    For example, I'm logged into my Boards.ie account at the moment in my house, therefore I can't run around to my mates house and log into my account from there as well, is this possible?

    I had thought about linking an IP address to every user account, but with proxies and the likes that wouldn't work.


Comments

  • Closed Accounts Posts: 8,015 ✭✭✭CreepingDeath


    Yup the title is a bit dodgy, but essentially what I'm trying to do is limit a users account to one IP logged in at a time.

    For example, I'm logged into my Boards.ie account at the moment in my house, therefore I can't run around to my mates house and log into my account from there as well, is this possible?

    I had thought about linking an IP address to every user account, but with proxies and the likes that wouldn't work.

    Limiting a user to one session is fairly straightforward but quite restrictive. You record the IP address when they login, and for each subsequent request you check whether the request is still from the same IP address. ( that stops session hijacking/copying session cookies to other browsers )
    Typically a servlet filter can perform this.


    But if the user fails to explicitly logout of your web application, then that http session remains alive until your web servers http session timeout is triggered ( typically something like 30 minutes ).

    So valid users are locked out for 30 mins.
    Might be better to allow multiple sessions from the same IP address, or maybe 3 sessions. A strict 1 session policy is too restrictive in real life.


  • Registered Users, Registered Users 2 Posts: 17,974 ✭✭✭✭Gavin "shels"


    Limiting a user to one session is fairly straightforward but quite restrictive. You record the IP address when they login, and for each subsequent request you check whether the request is still from the same IP address. ( that stops session hijacking/copying session cookies to other browsers )
    Typically a servlet filter can perform this.


    But if the user fails to explicitly logout of your web application, then that http session remains alive until your web servers http session timeout is triggered ( typically something like 30 minutes ).

    So valid users are locked out for 30 mins.
    Might be better to allow multiple sessions from the same IP address, or maybe 3 sessions. A strict 1 session policy is too restrictive in real life.

    Cool, cheers. Basically a user would only be using the same computer to log in and out, it's to combat multi-users using the same account I'm trying to stop.


  • Closed Accounts Posts: 8,015 ✭✭✭CreepingDeath


    Well it kind of depends on how much piracy / abuse you are expecting?

    It's usually a selling point that someone can use their home pc, work pc or mobile phone, iPad/tablet to access a service, especially if they paid for it.

    And if some of your users use VPNs, 3G data or mobile phones, their IP addresses could change each time they turn them on/off.

    So you'd want to consider a shorter http session timeout.
    Or else they might login, but not logout... be locked out until your http session times out, and when they try accessing the service again you get a false positive report that 2 IP addresses tried logging in under the same name "simultaneously".


  • Registered Users, Registered Users 2 Posts: 17,974 ✭✭✭✭Gavin "shels"


    Well it kind of depends on how much piracy / abuse you are expecting?

    It's usually a selling point that someone can use their home pc, work pc or mobile phone, iPad/tablet to access a service, especially if they paid for it.

    And if some of your users use VPNs, 3G data or mobile phones, their IP addresses could change each time they turn them on/off.

    So you'd want to consider a shorter http session timeout.
    Or else they might login, but not logout... be locked out until your http session times out, and when they try accessing the service again you get a false positive report that 2 IP addresses tried logging in under the same name "simultaneously".

    We'd expect a large level of abuse, basically the website will be a paid membership. We're trying to combat say 5 people pitching in together to buy one account and all 5 use it.

    The type of website we're doing will be gambling related, therefore most people won't be able to use it in work, and generally the complexity of it would mean it's unlikely to be used on a mobile phone or tablet.

    If they're using VPN, wouldn't the IP change when they turn it off? Therefore they'd have to leave the website?

    Cheers for all the comments, just a quick one, do you have any links or articles on how to go about this?


  • Registered Users, Registered Users 2 Posts: 27,370 ✭✭✭✭GreeBo


    Another approach is to just not allow someone to login twice without logging out in between.
    Or, alternatively allowing the second login and killing the original session.
    You dont need to worry about IPs and proxies etc then, just dont allow consecutive calls to "createSession" without a "logout" or "expireSession" inbetween.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    GreeBo wrote: »
    Another approach is to just not allow someone to login twice without logging out in between.
    Or, alternatively allowing the second login and killing the original session.
    You dont need to worry about IPs and proxies etc then, just dont allow consecutive calls to "createSession" without a "logout" or "expireSession" inbetween.

    I think this is the best approach


  • Registered Users, Registered Users 2 Posts: 17,974 ✭✭✭✭Gavin "shels"


    GreeBo wrote: »
    Another approach is to just not allow someone to login twice without logging out in between.
    Or, alternatively allowing the second login and killing the original session.
    You dont need to worry about IPs and proxies etc then, just dont allow consecutive calls to "createSession" without a "logout" or "expireSession" inbetween.

    That seems like the best idea and simplest, cheers.


Advertisement