Quantify Cyber Risk Now

header ads

Prevent Multiple Concurrent Logins in Codeigniter | Lucideus Research

It's a common request or recommendation that a web application does not allow a user to have more than one session active at a time. In other words, after a user logs into an application, he should not be permitted to open a different type of browser (or use another computer) to log in again until his first session has ended. If the user tries to log in again, the application should expire previous sessions.

There are a number of scenarios where it might help. Listed below are the reasons I came up with for implementing this feature.

An application has a licensing scheme that allows only a limited number of concurrent users or requires users to pay for access or premium content. A technical control to prevent simultaneous sessions for a single user ID would limit the financial harm caused by users sharing login credentials.

It is out of the ordinary for a user to be logged in from more than one location (or more than one type of browser) for a given point in time. Anything out of the ordinary should be assumed to be a potential security risk.

An attacker somehow steals a user's credentials (perhaps by sniffing unencrypted HTTP traffic) while the user was authenticating to the application. The attacker immediately tries to log in with the stolen credentials.

An attacker's shoulder surfs to obtain a valid username (but not the password). He then immediately proceeds to run a password guessing or dictionary attack hoping to determine the password. If his attack happens to be successful during the time the legitimate user is logged in, it would prevent the attacker from gaining access.

It could help defend against a malicious user who wishes to overload the server memory by creating an excessive number of authenticated sessions. Authenticated sessions typically use much more memory on the server than unauthenticated sessions. With valid credentials and no limit to simultaneous sessions, a user could potentially create a denial-of-service condition.

Codeigniter by default does not restrict users to have multiple sessions. But we can implement this security feature by customizing CodeIgniter sessions. Codeigniter provides 4 ways to store session information i.e files, database, Redis, Memcached.

To implement above security feature in CodeIgniter I will be using database session storage because it provides more flexibility to play with session data. Please skip “Implementation of Database session in CodeIgniter” of you already have database session.

Implementation of Database session in CodeIgniter

Create a table called ci_session in Database using MySQL query.

session_id varchar(40) DEFAULT '0' NOT NULL,
ip_address varchar(45) DEFAULT '0' NOT NULL,
user_agent varchar(120) NOT NULL,
last_activity int(10) unsigned DEFAULT 0 NOT NULL,
user_data text NOT NULL,
PRIMARY KEY (session_id),
KEY `last_activity_idx` (`last_activity`)

This table will store your session data. Now we need to set config variable. Go to “config/config.php” and update below variable:

$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';

If “sess_use_database” variable if “FALSE” make it TRUE. And if you change the table name you must tell CodeIgniter to use that table by setting the variable “sess_table_name” or just uncomment this line.

Now the approach to prevent multiple concurrent session, we will map session ID with the user ID. In order to do that, we need to create a session ID column in the user table. This can be done using MySQL query.

ALTER table <user_table> ADD COLUMN session_id varchar(50);

Now upon successful login, while we create a session object for a user and redirect into dashboard/ Internal pages, we also map new session ID with user ID and also destroy previously mapped session ID.

Please refer below code snippet of login submit controller.

Here, after successful form-validation, we are creating a session for the user and after creating a session, we will fetch session ID.

Now we call a model function to map this session ID with user ID and destroy the previous session. Please refer below model code snippet.
Now, whenever a user logins our system will map its session id to the user and destroy all another session map to that user.

There are many use-cases where we want to prevent multiple concurrent logins in our application. By default, CodeIgniter doesn’t have such feature, but by using CodeIgniter session and some custom code we will able to achieve this feature.

Post a comment


  1. Thanks for the article. Very helpful..!!