[thelist] Prevent multiple logins

Matt Warden mwarden at gmail.com
Fri Jun 1 09:12:16 CDT 2007


On 6/1/07, Bill Moseley <moseley at hank.org> wrote:
> I have a requirement that only one user may be logged in at a time in
> a web application.  I'm asking for a sanity check before implementing
> the design below.

One user for the entire application?! Below it sounds like you are
saying only one user using a given username may be logged in at once.
My responses below are based on this assumption.

> I think it's risky to prevent someone from logging in since there's no
> way to know if there really is someone already logged in.  So, my
> initial thought is to log out any existing users with the same user id
> when someone else logs in.

This is probably the best solution. The only other solution is to set
the session expiry to 15 min or so and only allow another person to
log in when there is no existing session for that username. This is
very dangerous, though!

> In other words,
>
>     1) log in and write the session id to a store keyed on user id.
>     2) every request read that value back in and make sure the
>        stored session id matches your current session id.
>     3) If it doesn't match then force a logout, with a reason why.

Sounds reasonable enough.

> Any better ways to achieve this?  See any gotchas?

Is this a security issue or are you just trying to avoid simultaneous
update issues?

You also need to make sure you do the check prior to any processing of
the request. This may or may not be straightforward depending on your
architecture/framework.

-- 
Matt Warden
Cleveland, OH, USA
http://mattwarden.com


This email proudly and graciously contributes to entropy.
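The three-step design quoted above (store the session id keyed on user id at login, compare on every request, force a logout with a reason on mismatch), together with the point that the check must run before any processing of the request, as an added example that is not code from either poster or from thelist. It is plain Python with in-memory dicts standing in for the real session store; the names `login`, `check_session`, `handle_request`, `sessions` and `active_session` are all assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical in-memory stores standing in for the application's real
# session store (database, memcached, ...). Both are assumptions.
sessions: Dict[str, str] = {}          # session_id -> user_id
active_session: Dict[str, str] = {}    # user_id -> the one session allowed to act for it


def login(user_id: str) -> str:
    """Step 1: create a fresh session and record it as the only active one
    for user_id. Any session previously active for this user is superseded;
    it is not removed here but rejected on its next request (steps 2 and 3),
    so the *newest* login always wins and nobody is ever locked out by a
    stale session that was never logged out."""
    session_id = secrets.token_urlsafe(32)   # unguessable; never sequential
    sessions[session_id] = user_id
    active_session[user_id] = session_id
    return session_id


@dataclass
class Result:
    ok: bool
    reason: Optional[str] = None   # set when the request was refused
    body: Optional[str] = None     # set when the handler actually ran


def check_session(session_id: Optional[str]) -> Result:
    """Step 2: read the stored session id for this user back and compare it
    with the id the caller presented."""
    if session_id is None or session_id not in sessions:
        return Result(False, "not logged in")
    user_id = sessions[session_id]
    if active_session.get(user_id) != session_id:
        # Step 3: another login with the same user id happened after ours.
        # Drop this session and tell the user why.
        del sessions[session_id]
        return Result(False, "logged out: this account was logged in from another location")
    return Result(True)


def handle_request(session_id: Optional[str], handler: Callable[[str], str]) -> Result:
    """Front door for every request: the session check runs before the
    handler, so a superseded session cannot perform an update first and
    be logged out afterwards."""
    verdict = check_session(session_id)
    if not verdict.ok:
        return verdict
    return Result(True, body=handler(sessions[session_id]))


if __name__ == "__main__":
    first = login("alice")
    print(handle_request(first, lambda u: f"hello {u}"))     # runs
    second = login("alice")                                   # second browser
    print(handle_request(first, lambda u: "never runs"))      # refused, with reason
    print(handle_request(second, lambda u: f"hello {u}"))     # runs
```

The check lives in one place that every request passes through; if the framework lets individual pages bypass that entry point, the guarantee is gone, which is the architecture-dependent part the reply warns about. Note also that the superseded session is only discovered when it next makes a request: if that session never comes back, nothing needs cleaning up, and if it does, it is refused before doing any work.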
