PHP /SESSION: Login one per user?

You could store the session ID (and last access time) in a database, and reject login attempts for users with different session IDs if the last-access time is too recent (say, within the past 20 minutes). Clear the ID on logout, of course.

Note, though, if a user closes their browser without logging out and then reopens it, they may well be locked out for a while (the 20 minutes above, or whatever interval you decide on), since they won't have the matching session cookie anymore.


I assume you save users in a database, add an active_session field, update it upon login, and check it on requests to ensure that the current user's session ID matches the last one stored in the database.

On Login:

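-- `id` and $user_id are assumed names for the account key; without a WHERE clause every row would be overwritten
UPDATE `users` SET `active_session`='$session_id' WHERE `id`='$user_id';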

When the user goes to a page that requires login, you search for that value:

SELECT * FROM users WHERE `active_session`='$session_id';

This way, if the user signs in at another place, the previous session key gets overwritten, and the SELECT above returns an empty result set.


Just for anyone who might need this in the future.

When a user creates a session or logs in you could take the session id that it generates and store it into a column in your database under that user's account. Then on each page on your application do a check to see if the current Session ID matches the one stored in the database for that user. If not, kill the current session and redirect them to a sign in page.

That way, the session id will be different on each device they are using to login.
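A sketch of the store-then-check flow described in the answers above, added here as an example and not code from any of the posters. Only the `users` table and `active_session` column come from the page; the `id` column, the `/login.php` URL and the function names are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed schema: users(id INTEGER PRIMARY KEY, active_session TEXT).

function record_login(PDO $db, int $userId): void
{
    // Issue a fresh ID at login so a pre-login (possibly fixated) ID is never stored.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Bound parameters instead of string interpolation; WHERE limits it to one account.
    $stmt = $db->prepare('UPDATE users SET active_session = :sid WHERE id = :uid');
    $stmt->execute([':sid' => session_id(), ':uid' => $userId]);
}

function session_is_current(PDO $db): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT active_session FROM users WHERE id = :uid');
    $stmt->execute([':uid' => $_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    // Constant-time comparison; a missing row or NULL column counts as "not current".
    return is_string($stored) && hash_equals($stored, session_id());
}

function require_login(PDO $db): void
{
    if (session_is_current($db)) {
        return;
    }
    // Superseded or unknown session: drop it and send the browser to sign in.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php'); // hypothetical sign-in URL
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo data: one user in an in-memory SQLite database.
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, active_session TEXT)');
    $db->exec('INSERT INTO users (id) VALUES (1)');
    session_start();
    record_login($db, 1);
    var_dump(session_is_current($db));
    // Constructed: a second device logs in and overwrites the stored ID.
    $db->exec("UPDATE users SET active_session = 'other-device' WHERE id = 1");
    var_dump(session_is_current($db));
}
```

In a web application, call `require_login($db)` at the top of every protected page, after `session_start()`.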
