1

How can I prevent a logged-in member from logging into their account (in a new tab or different device) without logging out of their existing session?

I am working on a client job-board website where logged-in employers can submit a single Job Vacancy via the post_job.php page. The problem is they can log in again from a new tab or device without logging out and post more than their permitted single job posting. What would be the easiest way of preventing employers from doing this?

I am a comparative newbie and everything I have read so far assumes I am not. So any answers in simple jargon-free terms will be greatly appreciated.

inkey69
  • It sounds like you want to prevent multiple job posts, not multiple logins. Before writing a new post to the database, check to see if that user already has one present, and abort if so. – Alex Howansky Apr 04 '17 at 19:14
  • You generally don't want to do that because you can easily lock someone out. Maybe it's better to prompt them, "Are you sure you want to login? This will destroy your previous session." – Matt Apr 04 '17 at 19:16
  • Yes it would make far more sense to prevent multiple job posts but I thought that would be too difficult for me to accomplish. – inkey69 Apr 04 '17 at 19:38
  • Any help with preventing a user from creating more job posts than they have paid for would be awesome! – inkey69 Apr 04 '17 at 19:39
  • When a user opens and submits the "new post" page: check if the user has an active post, if yes then ask if they want to deactivate their old listing and create a new one – JimL Apr 04 '17 at 22:03
  • I assume you mean I could configure my PHP to check if the user already has a job listed, but what if the user needs to purchase multiple listings because they wish to post say 5 jobs? Is this possible somehow? – inkey69 Apr 04 '17 at 22:17
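
The check suggested in the comments above, extended to employers who buy several listings, as an added example that is not part of the original thread: each purchase adds to a `credits` counter and posting a job spends one credit inside a transaction, so a second tab or device cannot post more than was paid for. The `employers.credits` column, the `jobs` table, the `postJob` function and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example. Table, column and function names are assumptions, not the site's schema.
$pdo = new PDO('sqlite::memory:'); // stand-in for the site's real database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employers (id INTEGER PRIMARY KEY, credits INTEGER NOT NULL)');
$pdo->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, employer_id INTEGER NOT NULL, title TEXT NOT NULL)');
$pdo->exec('INSERT INTO employers (id, credits) VALUES (1, 1)'); // constructed: paid for one listing

/**
 * Spend one paid credit and insert the job, or refuse when none is left.
 * Returns true if the job was stored, false if the employer has no credit.
 */
function postJob(PDO $pdo, int $employerId, string $title): bool
{
    $pdo->beginTransaction();
    try {
        // Conditional decrement: matches no row once credits reach 0, so two
        // requests arriving together cannot both spend the same credit.
        $spend = $pdo->prepare(
            'UPDATE employers SET credits = credits - 1 WHERE id = ? AND credits > 0'
        );
        $spend->execute([$employerId]);
        if ($spend->rowCount() !== 1) {
            $pdo->rollBack();
            return false;
        }
        $insert = $pdo->prepare('INSERT INTO jobs (employer_id, title) VALUES (?, ?)');
        $insert->execute([$employerId, $title]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack(); // never keep a spent credit without its job row
        }
        throw $e;
    }
}

var_dump(postJob($pdo, 1, 'Chef'));   // first tab
var_dump(postJob($pdo, 1, 'Waiter')); // second tab or device, same account
```

In post_job.php the employer id should be taken from `$_SESSION`, never from the submitted form.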

4 Answers

2

Take a look at this; it protects you from Cross-Site Request Forgery and you can check if the user has logged in. Try: save the CSRF token to the db, then check whether the user's token is the same as the one in the db... If not: unset the cookie and session for this user and return him to the Sign In page. If yes: do your stuff.

Community
  • Thanks, I will take a look and try implementing. I basically just need to prevent users from posting jobs they haven't paid for onto the site jobboard because right now they can login and access the job posting page from a new tab whilst logged in at the first tab, if this makes sense. Maybe a better way to prevent each user posting unauthorised jobs but I don't know of one :-) – inkey69 Apr 04 '17 at 21:50
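
One way to implement the token check this answer describes, as an added example rather than code from the answer: a random per-login token is stored in the database and in the session, each login overwrites it, and any older session fails the comparison and is sent back to sign-in. The `users.session_token` column, the function names and the in-memory SQLite database are assumptions.

```php
<?php
// Added example. users.session_token and both function names are assumptions.
$pdo = new PDO('sqlite::memory:'); // stand-in for the site's real database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, session_token TEXT)');
$pdo->exec('INSERT INTO users (id) VALUES (1)'); // constructed sample user

/** Call after the password check succeeds: the newest login replaces any older one. */
function startLogin(PDO $pdo, array &$session, int $userId): void
{
    $token = bin2hex(random_bytes(32)); // unguessable, new on every login
    $pdo->prepare('UPDATE users SET session_token = ? WHERE id = ?')
        ->execute([$token, $userId]);
    $session = ['user_id' => $userId, 'token' => $token];
}

/** Call at the top of every protected page such as post_job.php. */
function sessionIsCurrent(PDO $pdo, array &$session): bool
{
    if (!isset($session['user_id'], $session['token'])) {
        return false; // not logged in at all
    }
    $stmt = $pdo->prepare('SELECT session_token FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || !hash_equals($stored, $session['token'])) {
        $session = []; // on the real site: session_destroy() and redirect to sign-in
        return false;
    }
    return true;
}

// Constructed stand-ins for $_SESSION on two different devices.
$deviceA = [];
$deviceB = [];
startLogin($pdo, $deviceA, 1);
startLogin($pdo, $deviceB, 1); // second login overwrites the stored token
var_dump(sessionIsCurrent($pdo, $deviceA), sessionIsCurrent($pdo, $deviceB));
```

Two tabs in the same browser share one session cookie, so this separates browsers and devices, not tabs. On the real site, pass `$_SESSION` as the `$session` argument.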
0

You could save the name of the user in his session on his first login. Then, in your login routine, you could check if you have a session with that username. If yes, you know that the user is trying to log in twice.

fredlahde
  • He is saying even in other devices. You cannot access session in other devices. – Zenel Rrushi Apr 04 '17 at 19:17
  • No, but if I am logged into my account on my own pc and then login to the same account from another device, without first logging out from my first login, there is no problem and a second login is allowed and I can login to the same account from two different devices at the same time, which I am hoping to prevent from happening... – inkey69 Apr 04 '17 at 19:47
  • I think you mean cookies, instead of sessions. Cookies are saved client-side, thus you're right that you can't access them across multiple devices. Sessions, on the other hand, are saved server-side, so you can access all sessions from all devices. – fredlahde Apr 04 '17 at 19:51
  • Thanks for clarifying. Essentially I really need a way to prevent employers from logging in then posting jobs they haven't paid for. Any help you can give me to prevent this will be awesome! Thank you so much! – inkey69 Apr 04 '17 at 20:59
0

To do this you need a field in the users table, for example is_login as a tiny int (1 or 0). When the user logs in the first time you set is_login to 1. And on every attempt to log in, when you check the username (email) you also check is_login. If it is 1 you don't log the user in but output an error message. When the user logs out you set is_login to 0.

Zenel Rrushi
  • Sounds ideal. Can you give me an example of the table row with correct syntax I will need to insert? eg `is_login` TINYINT (1,0), and an example of how I query this from my login.php (and other files) please? Your kind help with this will be truly awesome and invaluable to me, thank you! – inkey69 Apr 04 '17 at 21:04
  • To do that I would need to write all the code for login and logout, and this is not how Stack works. Try adding some of your code and I can help. – Zenel Rrushi Apr 04 '17 at 21:06
  • I will copy n paste some relevant code for you in a few moments, thanks. But doesn't your idea prevent the user from ever being able to log in again in future if they forget to log out and they log in again in future on a new device? Say they lose or break that device... – inkey69 Apr 04 '17 at 21:18
  • For that you can use something like password reset. – Zenel Rrushi Apr 04 '17 at 21:19
  • I may even be going at this from the wrong angle entirely. Essentially I need a way to prevent employers from logging in then posting jobs they haven't paid for by logging into their account again in a new tab without logging out from the first session. I cannot think of any other way to stop employers posting jobs they haven't paid for. So how might I implement password reset to work with this in my PHP? - Thanks! – inkey69 Apr 04 '17 at 21:33
  • Here is my login.php script... – inkey69 Apr 04 '17 at 21:38
0

Depending on your Cookie and Session variables, you can compare the two to keep multiple open logins.

```php
if ($_SESSION['<username>'] == $_COOKIE['<username>'] && $_COOKIE['<id>'] != $_SESSION['<id>']) {
    // deny access or log out prior session and delete prior requests
}
```
SergGr
Jim Garbe
  • Multiple open logins is what I am trying to prevent so that any single user can only log into their account once and have that single session open only, without being able to log into their account simultaneously from another tab or device, just like when you are logged into your online personal banking account, then try logging into your account again from another tab or device and you will be prohibited from doing so – inkey69 Apr 04 '17 at 19:43
  • Whoops! I meant to end that sentence with ".. to keep multiple logins from happening." – Jim Garbe Apr 07 '17 at 03:31