How do I prevent simultaneous logins?

11 views
Skip to first unread message

RNHurt

unread,
Dec 27, 2009, 9:35:41 AM12/27/09
to Authlogic
Our system is based on a pay-per-user model and I have to prevent two
people/computers from using the same login at the same time.
Authlogic doesn't seem to have anything like this built-in but I've
come up with a couple of ideas that may or may not work.

A) Store a timestamp (i.e. last_request_at) in the session and
compare it at the beginning of each request. If it doesn't match then
remove the session.

B) Restrict by IP address, somehow.

The problems I can see with these two methods are (A) what if the
timestamp is slightly wrong? It also puts extra load on the system
(I'm not sure that's enough to worry about). (B) doesn't work if you
have multiple people at one location behind a NAT.

Do you have any other ideas? What would you do?

Thanx!
Richard

Jared Fine

unread,
Dec 27, 2009, 12:12:51 PM12/27/09
to auth...@googlegroups.com
I would add a session_key to the users table. Then when a user logs in it updates the session_key with a random string and saves it as a cookie on the client side.

When you authenticate your user during a request you would then also authenticate the session_key. You may also want to add a flash message along the lines of "You've be logged in at another location.".

I don't think Authlogic does this out of the box but it shouldn't be too difficult to implement.



--

You received this message because you are subscribed to the Google Groups "Authlogic" group.
To post to this group, send email to auth...@googlegroups.com.
To unsubscribe from this group, send email to authlogic+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/authlogic?hl=en.



Reply all
Reply to author
Forward
0 new messages