Restricting Sessions

jonsgreen

Jan 1, 2010, 12:47:58 AM
to Authlogic
I am researching implementation options for an authentication business
requirement. My client wants to restrict access such that a user can
only be logged in on one browser at a time. The client is charging for
access to the content of the site and does not want access to be
shared and suddenly have many people sharing accounts for free.

This seems like it would be a common enough situation. I am wondering
if anyone has used Authlogic or any other strategies to achieve this
or a similar goal. Any ideas or helpful links on this matter would be
greatly appreciated!

Jared Fine

Jan 1, 2010, 3:47:24 PM
to auth...@googlegroups.com
Check out my suggestion here.

http://groups.google.com/group/authlogic/browse_thread/thread/3b8600377471fc8e?hl=en#

(Sent from my iPhone)


jonsgreen

Jan 2, 2010, 3:15:55 AM
to Authlogic
Thanks for the thread.

I had similar ideas and concerns as RNHunt.

I also had considered your suggestion but was concerned about what
happens when someone deletes or loses their cookie or perhaps even
just throws away their old computer. It seems like they would be
permanently locked out.

I suppose there could be some sort of reset option that sends an email
in the case that they get rejected.

Any further thoughts?

Jonathan.

On Jan 1, 3:47 pm, Jared Fine <ja...@jfine.org> wrote:
> Check out my suggestion here.
>

> http://groups.google.com/group/authlogic/browse_thread/thread/3b86003...
>
> (Sent from my iPhone)

Jared Fine

Jan 2, 2010, 11:02:31 AM
to auth...@googlegroups.com
My suggestion simply prevents two active sessions for one user. I.e. if someone logs in elsewhere as that user then any other login would be invalidated. Though that could result in login tug of war.

I suppose to get more of what you're looking for you could prevent a login if a key was present and simply clear the key on logout. To prevent an account from being locked out forever (if they forget to log out somewhere or delete their cookie) you could allow logins if a key was present but only after X time after last_request_at.

Cheers.
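
The two policies described in the post above, as an added example that is not part of the original thread and is not Authlogic code. It is plain Ruby with hypothetical names (Account, session_key, idle_timeout and the method names); only the per-user key and last_request_at come from the post, and times are plain seconds.

```ruby
require "securerandom"
require "digest/sha2"

# Plain-Ruby sketch; Account, session_key and the method names are hypothetical.
# Only the "key" idea and last_request_at come from the post. Times are in seconds.
class Account
  def initialize(idle_timeout:)
    @idle_timeout = idle_timeout # the "X time" after which a stale key may be replaced
    @session_key = nil
    @last_request_at = nil
  end

  # Policy 1: the newest login wins; rotating the key invalidates the other browser.
  def login_takeover(now)
    issue_key(now)
  end

  # Policy 2: refuse a second login while the current key is still in use.
  # A lost cookie or forgotten logout frees itself after idle_timeout.
  def login_exclusive(now)
    return nil if @session_key && (now - @last_request_at) < @idle_timeout
    issue_key(now)
  end

  # Run on every request with the key from the browser's session cookie.
  def request_allowed?(cookie_key, now)
    return false unless holds_key?(cookie_key)
    @last_request_at = now
    true
  end

  # Logout clears the key only for the browser that actually holds it.
  def logout(cookie_key)
    @session_key = nil if holds_key?(cookie_key)
  end

  private

  def issue_key(now)
    @last_request_at = now
    @session_key = SecureRandom.hex(32)
  end

  # Compare digests so the == timing does not depend on the secret's bytes.
  def holds_key?(cookie_key)
    return false if @session_key.nil? || !cookie_key.is_a?(String)
    Digest::SHA256.digest(cookie_key) == Digest::SHA256.digest(@session_key)
  end
end
```

In a Rails application the key would be stored in a column on the user record and in the session cookie, and the per-request check would run in a before filter.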

Richard Hurt

Jan 4, 2010, 2:44:44 PM
to auth...@googlegroups.com
On 1/2/10 11:02 AM, Jared Fine wrote:
> My suggestion simply prevents two active sessions for one user. I.e.
> if someone logs in elsewhere as that user then any other login would
> be invalidated. Though that could result in login tug of war.
>
> I suppose to get more of what you're looking for you could prevent a
> login if a key was present and simply clear the key on logout. To
> prevent an account from being locked out forever (if they forget to
> log out somewhere or delete their cookie) you could allow logins if a
> key was present but only after X time after last_request_at.
I wrote up a small blog post[1] describing what I did. Let me know if
you find errors/problems in it.

Later...
Richard

[1]
http://kangaroobox.blogspot.com/2010/01/authlogic-restricting-simultaneous.html

Jared Fine

Jan 4, 2010, 3:36:55 PM
to auth...@googlegroups.com
Nice write up. To address your first issue, I'd just toss a redirect_to root_path (or better yet an upsell page) after your call to current_user_session.destroy. :-)
 
