Prevent multiple logins

Hey guys

Does anyone have an idea how to prevent users from logging into a Neos website multiple times at the same time?

Best behaviour for my needs would be that you can log in at another computer/browser, even if you are still logged in, but your new login ends your other session. Maybe when you log in and there is an active session you are asked to confirm that you will end that other session when logging in.

Peter

Hi Peter,

interesting challenge.
I’m sure it could be done with some locking mechanism… But I don’t think it’s trivial at all, for example because you never know if a user is still active or just forgot to log out explicitly…

I wonder: What’s the scenario? Why do you expect multiple users to share the same credentials? IMO that should be avoided at all costs anyway.

Hi Bastian

We build a system where the customer can use it as a service based on a pricing model that scales via user accounts. What if a customer just buys the smallest package and lets all his users work with the same account? That’s what we want to prevent.

I’ve been thinking about this and would like to share a “conceptual solution”.

When a user is authenticated there is a signal called emitAuthenticatedToken. If you start listening to that one and collect some meta information about the session like

  • IP address
  • Last activity

and whatever else you could need for identifying an “already active user”, then you could use the session manager to see if there is an active session (look at the AuthenticationProviderManager class, line 194):

$this->session->addTag('Neos-Flow-Security-Account-' . md5($account->getAccountIdentifier()));

It’s used for identifying a session once authenticated. Destroy that session and let the new one enter.
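The approach sketched above, written out as an added example (it is not code from this thread or from the Neos/Flow project): a slot connected to the authenticatedToken signal that looks up every session carrying Flow's own account tag and destroys all of them except the session that has just authenticated. Flow adds the tag to the current session before emitting the signal, so skipping the current session id is what keeps the new login alive. The package namespace Acme\SingleSession, the class names SingleSessionEnforcer and Package, and the method name endOtherSessions are assumptions; under PSR-4 autoloading the two classes belong in separate files. The session-manager methods getCurrentSession(), getSessionsByTag() and destroy() are those of Neos\Flow\Session\SessionManagerInterface and SessionInterface; injecting Psr\Log\LoggerInterface assumes Flow 5 or later, where it resolves to the system logger.

```php
<?php
declare(strict_types=1);

namespace Acme\SingleSession; // hypothetical package namespace

use Neos\Flow\Annotations as Flow;
use Neos\Flow\Core\Bootstrap;
use Neos\Flow\Package\Package as BasePackage;
use Neos\Flow\Security\Authentication\AuthenticationProviderManager;
use Neos\Flow\Security\Authentication\TokenInterface;
use Neos\Flow\Session\SessionInterface;
use Neos\Flow\Session\SessionManagerInterface;
use Psr\Log\LoggerInterface;

/**
 * Slot that enforces "one active session per account".
 *
 * @Flow\Scope("singleton")
 */
class SingleSessionEnforcer
{
    /**
     * @Flow\Inject
     * @var SessionManagerInterface
     */
    protected $sessionManager;

    /**
     * @Flow\Inject
     * @var LoggerInterface
     */
    protected $logger;

    /**
     * Called with the token that was just authenticated. The current session
     * already carries the account tag at this point, so it is excluded here.
     */
    public function endOtherSessions(TokenInterface $token): void
    {
        $account = $token->getAccount();
        if ($account === null) {
            return; // nothing to enforce without an account
        }

        // Same tag format Flow sets in AuthenticationProviderManager
        $tag = 'Neos-Flow-Security-Account-' . md5($account->getAccountIdentifier());

        $currentSession = $this->sessionManager->getCurrentSession();
        $currentSessionId = ($currentSession !== null && $currentSession->isStarted())
            ? $currentSession->getId()
            : null;

        /** @var SessionInterface $session */
        foreach ($this->sessionManager->getSessionsByTag($tag) as $session) {
            if ($session->getId() === $currentSessionId) {
                continue; // keep the session that just logged in
            }
            // Log it: a burst of terminated sessions for one account is the
            // "shared credentials" pattern the thread wants to catch.
            $this->logger->info(sprintf(
                'Ending concurrent session %s for account "%s" (last activity %s)',
                $session->getId(),
                $account->getAccountIdentifier(),
                date('c', $session->getLastActivityTimestamp())
            ));
            $session->destroy('Concurrent login from another browser');
        }
    }
}

/**
 * Package bootstrap: wire the signal to the slot.
 */
class Package extends BasePackage
{
    public function boot(Bootstrap $bootstrap): void
    {
        $bootstrap->getSignalSlotDispatcher()->connect(
            AuthenticationProviderManager::class,
            'authenticatedToken',          // signal name = emitAuthenticatedToken minus "emit"
            SingleSessionEnforcer::class,
            'endOtherSessions'
        );
    }
}
```

Two caveats a practitioner would want: getSessionsByTag() only sees sessions stored in Flow's session cache backend, so on a multi-node setup that cache must be shared, or a second node's sessions will never be found; and this implements only the "new login ends the old session" behaviour from the opening post, not the optional confirmation step, which would need the login to be held in a pending state until the user confirms.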

Thank you for those suggestions. I now have a rough idea about the needed time effort to implement that, so I can estimate the user story. I’m quite sure that story will come back in one of the next sprints.

I will post the chosen solution here once we did it. Until then: more ideas welcome, even if I think the suggestion of @sorenmalling sounds already really good.