Quote:Original post by rajend3
What I am trying to do is stop multiple users from logging in with the same email and password pair. Will storing session_id in this way stop it?

The only problem I see with checking against the session id is if the same user attempts to log in two or more times in quick succession after an unexpected session dump. For example, say someone enters the site, you mark him/her as logged in, and then that user accidentally closes their browser. The user starts back up, goes to log in, but gets an error saying that they're already logged in.

Instead of checking the session id, I think checking the IP address would be more meaningful. Since the IP address will remain the same (usually) across multiple sessions, you can check the user's IP with the one stored in the members table (if any), see if it's the same or different, and then proceed with authentication from there.

Also, an extra step to add to your login process if not already there:

1.5 - Check for SQL injections.

I would probably just use sessions and log previous users out if a new session is authenticated. This way there is only ever one active session, but if a legitimate user accidentally is logged twice (say on two workstations) or didn't logout correctly that your application handles it gracefully.

Meanwhile, two users attempting to share a common account will be constantly logging each other out. Depending on the nature of your application, this might cause enough frustration that they will get separate accounts.

Quote:Original post by rajend3
If I use the user's IP address and they are behind a NAT will it be possible for another user behind the same NAT to login with the same email & address pair?

Yes, users that share a NAT share an IP address as far as the other end point is concerned. Their port numbers will differ however.

Quote:
Also, as far as SQL injection goes are the mysql_real_escape_string() and stripslashes() enough to stop this kind of attack?

A parameterised query is another method.