[thelist] Prevent multiple logins

Bill Moseley moseley at hank.org
Fri Jun 1 08:57:10 CDT 2007

I have a requirement that only one user may be logged in at a time in
a web application.  I'm asking for a sanity check before implementing
the design below.

(Personally, I'm not a fan of systems like this -- for one thing it
only prevents people from sharing an account at the same time and it
prevents someone from using two browsers at the same time.  But,
ignoring the pitfalls right now....)

I think it's risky to prevent someone from logging in since there's no
way to know if there really is someone already logged in.  So, my
initial thought is to log out any existing users with the same user id
when someone else logs in.

In other words,

    1) log in and write the session id to a store keyed on user id.
    2) every request read that value back in and make sure the
       stored session id matches your current session id.
    3) If it doesn't match then force a logout, with a reason why.

So first user logs in as "foo" with user id 345 and writes their session
"abc" to the store.

Every request first user reads the store for id 345 and validates that
the read value matches their session of "abc".

Second user comes along and logs in as "foo" but has a session id
of "xyz" and writes that session id to the store under user id 345.

First user makes another request and reads the store but this time
gets "xyz" back instead of "abc" and forces a logout.

Any better ways to achieve this?  See any gotchas?


Bill Moseley
moseley at hank.org

More information about the thelist mailing list