On 6/1/07, Bill Moseley <moseley at hank.org> wrote:
> I have a requirement that only one user may be logged in at a time in
> a web application. I'm asking for a sanity check before implementing
> the design below.

One user for the entire application?! Below it sounds like you are
saying only one user using a given username may be logged in at once.
My responses below are based on this assumption.

> I think it's risky to prevent someone from logging in since there's no
> way to know if there really is someone already logged in. So, my
> initial thought is to log out any existing users with the same user id
> when someone else logs in.

This is probably the best solution. The only other solution is to set
the session expiry to 15 min or so and only allow another person to log
in when there is no existing session for that username. This is very
dangerous, though!

> In other words,
>
> 1) log in and write the session id to a store keyed on user id.
> 2) every request read that value back in and make sure the
> stored session id matches your current session id.
> 3) If it doesn't match then force a logout, with a reason why.

Sounds reasonable enough.

> Any better ways to achieve this? See any gotchas?

Is this a security issue or are you just trying to avoid simultaneous
update issues?

You also need to make sure you do the check prior to any processing of
the request. This may or may not be straightforward depending on your
architecture/framework.

-- 
Matt Warden
Cleveland, OH, USA
http://mattwarden.com

This email proudly and graciously contributes to entropy.
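The three-step scheme above (store the session id keyed on user id at login, compare on every request, force a logout with a reason on mismatch), written out as an added example that is not from this thread or either poster. It assumes an in-memory dict stands in for the session store, and puts the check in a request wrapper so it runs before any handler code, which is the ordering concern raised in the reply.

```python
"""Single active session per user id (added example; constructed in-memory store)."""
import secrets


class SessionStore:
    def __init__(self):
        # user_id -> the one session id currently allowed for that user
        self.active = {}
        # session_id -> user_id, i.e. the per-browser session data
        self.sessions = {}

    def login(self, user_id):
        """Step 1: issue a fresh session id and record it as the user's only valid one.
        Any earlier session for the same user id is superseded, not refused."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user_id
        self.active[user_id] = sid
        return sid

    def check(self, sid):
        """Step 2: compare the caller's session id with the stored one.
        Returns (ok, reason); on mismatch the stale session is dropped (step 3)."""
        user_id = self.sessions.get(sid)
        if user_id is None:
            return False, "no such session"
        # constant-time compare so the check itself leaks nothing about the stored id
        if not secrets.compare_digest(self.active.get(user_id, ""), sid):
            self.sessions.pop(sid, None)  # forced logout of the superseded session
            return False, "this user id has since logged in elsewhere"
        return True, None


def handle_request(store, sid, handler):
    """Run the check first; the handler only runs for the currently valid session."""
    ok, reason = store.check(sid)
    if not ok:
        return {"status": 401, "reason": reason}
    return {"status": 200, "body": handler(store.sessions[sid])}


if __name__ == "__main__":
    store = SessionStore()
    first = store.login("bill")
    second = store.login("bill")  # second login supersedes the first
    print(handle_request(store, first, lambda u: f"hello {u}"))   # 401, reason given
    print(handle_request(store, second, lambda u: f"hello {u}"))  # 200
```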