Linking a user to a computer is not a good idea. Why would you first create the independence and flexibility of a web application (assuming it is a web application, because it is PHP, or do you actually have command line users?), and then restrict it to a single device, which may break, get stolen... maybe the company doesn't have fixed workspots per user, but it's using a smaller number of computers for a larger number of part-time employees, so each user may use a different computer each day.
If you really would want such a restriction, you better just limit the number of sessions per user. That is: log the session IDs and the usernames of those sessions in a table. On each request, update the table to store the request date time so you can check for expired sessions. Using MySQL, you can make a table of storage type MEMORY, which is fast and very useful for session information. The data will be gone when you reboot the database server, but that's usually not an issue for this kind of information.
Now, there are two possibilities to continue:
If a user logs in again on another PC or browser, it will receive a new session id. In that case, during the login process, you may look in the sessions table to see if the user has another session id open. If so, block the logging in.
If the session is timed out, for instance, when it is more than 15 minutes old, you may allow the login anyway and delete the old session.
Disadvantage is that if a browser or PC crashes, the user has to wait the time-out period before they can continue working on another spot. This is probably not acceptable in any working environment.
A better solution may be: a user can only have one 'active' session. If a user logs in from another workspot, they will automatically get a new session. If that happens, you can just accept the new session and remove the old session id. If they would continue working with the old session, you can see that that session is no longer in the sessions table, requiring them to login again.
With that solution, a user would be able to quickly toggle between workspaces, without having to wait, but if two users would use the same username simultaneously, they would have to re-login on practically each request.
But I would really think about it twice: why on earth would you want that restriction? If a company would be willing to use the software with more users than allowed, they would also be willing to just alter your PHP code to remove this check, which would be trivial.
Also, if you make using your software too annoying, they may decide not to use it at all and search for an alternative. I think it would be best to trust your customers.
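
The "one active session per user" approach described in the answer above, as an added example that is not part of the original post. Table, column and function names are hypothetical, and an in-memory SQLite database stands in for the MySQL MEMORY table so the script runs on its own.

```php
<?php
// Added example: newest login wins, older session is invalidated.
// Assumption: SQLite in-memory replaces the MySQL MEMORY table for a stand-alone run.
const SESSION_TTL = 900; // 15 minutes, the time-out mentioned in the answer

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// username is the primary key, so there can only ever be one row per user.
$db->exec('CREATE TABLE active_sessions (
    username   VARCHAR(64) NOT NULL PRIMARY KEY,
    session_id VARCHAR(64) NOT NULL,
    last_seen  INTEGER     NOT NULL
)');

// Call after the password check succeeded: the new session replaces any old one.
function registerLogin(PDO $db, string $user, int $now): string
{
    // Stand-in for session_regenerate_id(true) followed by session_id() in a web request.
    $sid = bin2hex(random_bytes(16));
    $db->prepare('REPLACE INTO active_sessions (username, session_id, last_seen)
                  VALUES (?, ?, ?)')->execute([$user, $sid, $now]);
    return $sid;
}

// Call on every request: true only for the user's current, unexpired session.
function touchSession(PDO $db, string $user, string $sid, int $now): bool
{
    $stmt = $db->prepare('SELECT session_id, last_seen FROM active_sessions WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || !hash_equals($row['session_id'], $sid)          // replaced by a newer login
        || (int) $row['last_seen'] < $now - SESSION_TTL) { // timed out
        return false; // caller destroys the PHP session and redirects to the login page
    }
    $db->prepare('UPDATE active_sessions SET last_seen = ? WHERE username = ?')
       ->execute([$now, $user]);
    return true;
}

// Constructed walk-through with fixed timestamps (not real log data).
$t   = 1700000000;
$pcA = registerLogin($db, 'alice', $t);
var_dump(touchSession($db, 'alice', $pcA, $t + 60));   // request from the first workspot
$pcB = registerLogin($db, 'alice', $t + 120);          // same user logs in on a second workspot
var_dump(touchSession($db, 'alice', $pcA, $t + 130));  // first workspot, after being replaced
var_dump(touchSession($db, 'alice', $pcB, $t + 130));  // second workspot
var_dump(touchSession($db, 'alice', $pcB, $t + 130 + SESSION_TTL + 1)); // after the time-out
```

The session ID is compared in PHP with `hash_equals` rather than in the SQL `WHERE` clause, and the check does not rely on the affected-row count of the `UPDATE`, which MySQL reports as zero when the stored value does not change.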