Prevent multiple logins

Hey guys

Does anyone has an idea how to prevent users from login into a Neos website multiple times at the same time?

Best behaviour for my needs would be that you can login at another computer/browser, even if you are still logged in, but your new login does end your other session. Maybe when you login and there is an active session you are asked to confirm that you will end that other session when loggin in.


Hi Peter,

interesting challenge.
I’m sure it could be done with some locking mechanism… But I don’t think it’s trivial at all, for example because you never now if a user is still active or just forgot to log out explicitly…

I wonder: What’s the scenario? Why do you expect multiple users to share the same credentials? IMO that should be avoided at all costs anyways

Hi Bastian

We build a system where the customer can use it as a service based on a pricing model that scales via user-accounts. What if a customer just buys the smallest package and let all his users work with the same account? That’s what we want to prevent.

I’ve been thinking about this and will like to share a “cencptual solution”.

When a user is authenticated there is a signal called emitAuthenticatedToken. If you started listening to that one, and collection some meta information about the session like

  • IP adreess
  • Last activity

and whatelse you could need for identifiyng a “already active user”. Then you could use the session manager to see if there is a active session (Look at AuthenticationProviderManager class line 194

$this->session->addTag('Neos-Flow-Security-Account-' . md5($account->getAccountIdentifier()));

It’s used for identifiyng a session once authenticated. Destroy that session and let the new one enter

Thank you for those suggestions. I have now a rough idea about the needed time effort to implement that so I can estimate the user story . I’m quite sure that story will come back in on of the next sprints.

I will post the chosen solution here once we did it. Untill then: more ideas welcome, even if I think, the suggestion of @sorenmalling sounds already really good.