[thelist] Prevent multiple logins

Bill Moseley moseley at hank.org
Fri Jun 1 09:45:11 CDT 2007

On Fri, Jun 01, 2007 at 10:12:16AM -0400, Matt Warden wrote:
> One user for the entire application?! Below it sounds like you are
> saying only one user using a given username may be logged in at once.

Right, to keep people from sharing usernames.

> >     1) log in and write the session id to a store keyed on user id.
> >     2) every request read that value back in and make sure the
> >        stored session id matches your current session id.
> >     3) If it doesn't match then force a logout, with a reason why.
> Is this a security issue or are you just trying to avoid simultaneous
> update issues?

Neither. IIRC, pricing is seat-based -- so a client can buy 10 or 20
seats and they can assign logins from the pool.  So the goal is to
make it more difficult for 15 people to share 10 logins.  At the same
time, mind you.

> You also need to make sure you do the check prior to any processing of
> the request. This may or may not be straightforward depending on your
> architecture/framework.

You mean check before, say, a posted form is processed?  Yes, I have
hooks early in the request cycle.


Bill Moseley
moseley at hank.org
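
The three steps quoted above, together with the check running before any request processing, as an added example that is not part of the original post or the poster's code. The in-memory dict store and the names `SingleSessionGuard`, `handle_request` and `demo` are assumptions made for illustration.

```python
import hmac
import secrets


class SingleSessionGuard:
    """Allows one active session per user id; the newest login wins."""

    def __init__(self):
        # Assumption: in-memory dict; a multi-process app needs a shared store.
        self._active = {}  # user id -> current session id

    def login(self, user_id):
        # Step 1: write the new session id to the store, keyed on user id.
        session_id = secrets.token_urlsafe(32)
        self._active[user_id] = session_id
        return session_id

    def check(self, user_id, session_id):
        # Step 2: read the stored value back and compare it to this session.
        stored = self._active.get(user_id)
        if stored is None:
            return False, "not logged in"
        if not hmac.compare_digest(stored.encode(), session_id.encode()):
            # Step 3: mismatch means a forced logout, with a reason why.
            return False, "this login was used to sign in from another session"
        return True, None

    def logout(self, user_id, session_id):
        # A displaced session must not be able to log out the active one.
        if self.check(user_id, session_id)[0]:
            del self._active[user_id]


def handle_request(guard, user_id, session_id, process):
    """Run the check before any processing, e.g. before a posted form."""
    ok, reason = guard.check(user_id, session_id)
    if not ok:
        return {"status": "logged_out", "reason": reason}
    return {"status": "ok", "result": process()}


def demo():
    guard = SingleSessionGuard()
    processed = []
    first = guard.login("seat-7")   # constructed user id
    second = guard.login("seat-7")  # same login used from a second browser
    stale = handle_request(guard, "seat-7", first, lambda: processed.append("first"))
    fresh = handle_request(guard, "seat-7", second, lambda: processed.append("second"))
    return stale, fresh, processed
```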
