I have been trying to solve this problem for a while now.
I have built an application which is running on our client’s server. The client has to buy license for each user to use the system. So each user has a link on his/her computer to access the application with only that computer. There for each computer has to be registered for each user and stored in a database.
So I have to restrict the user from accessing the application using another computer/device. My question is how do I capture unique information from each computer using php (or any other language), so i can check this information each time the user is trying to login. I have learnt that u can only get browser information using php. So am looking for some ideas that can direct me to the right direction.
What I have tried is store unique cookies in each PC, and register them in database. But the problem with that is we always having a problem that some users clear their cookies an thus can’t gain access to the app.
Linking a user to a computer is not a good idea. Why would you first create the independance and flexibility of a web application (assuming it is a web application, because it is PHP, or do you actually have command line users?), and then restricting it to a single device, which may break, get stolen… maybe the company doesn’t have fixed workspots per user, but it’s using a smaller number of computers for a larger number of part-time employees, so each user may use a different computer each day.
If you really would want such a restriction, you better just limit the number of sessions per user. That is: log the session ID’s and the usernames of those sessions in a table. On each request, update the table to store the request date time so you can check for expired sessions. Using MySQL, you can make a table of storage type
MEMORY, which is fast and very useful for session information. The data will be gone when you reboot the database server, but that’s usually not an issue for this kind of information.Now, there are to possibilities to continue:
If a user logs in again on another PC or browser, it will recieve a new session id. In that case, during the login process, you may look in the sessions table to see if the user has another session id open. If so, block the logging in.
If the session is timed out, for instance, when it is more than 15 minutes old, you may allow the login anyway and delete the old session.
Disadvantage is that if a browser or PC crashes, the user has to wait the time-out period before they can continue working on another spot. This is probably not acceptable in any working environment.
A better solution may be: a user can only have one ‘active’ session. If a user logs in from another workspot, they will automatically get a new session. If that happens, you can just accept the new session and remove the old session id. If they would continue working with the old session, you can see that that session is no longer in the sessions table, requiring them to login again.
With that solution, a user would be able to quickly toggle between workspaces, without having to wait, but if two users would use the same username simultaneuously, they would have to re-login on practically each request.
But I would really think about it twice: why on earth would you want that restriction? If a company would be willing to use the software with more users than allowed, they would also be willing to just alter you PHP code to remove this check, which would be trivial.
Also, if you making using your software too annoying, they may decide not to use it at all and search an alternative. I think it would be best to trust your customers.