Hey everyone, I'm making a little game for fun, and it involves having a player sign in. Lets say I have the player account "Thomas" with the password "Khelavaster", and he signs in and is actively using the site right now.

Now lets say some suspicious other person has found his password and signs into it. The weird thing is that I have two sessions, both linked to one account. This seems like not only a security bug, but it introduces some weird bugs into the game, from having two different sessions.

How can I fix this? I was thinking of something like putting the session ID into the account data in the DB, but that wouldn't keep the second person from logging into the same account. I was also thinking of linking the account to the person's IP address, but I heard IP addresses were easy to spoof, and people's IP addresses change often.

Is this a problem worth worrying about? How would I solve it?


- Evan