[Catalyst] Preventing simultaneous logins

Wade.Stuart at fallon.com Wade.Stuart at fallon.com
Wed Jul 23 21:20:47 BST 2008

"Daniel McBrearty" <danielmcbrearty at gmail.com> wrote on 07/23/2008 02:47:57

> I'm using Cat with a pretty standard configuration of :
> Catalyst::Plugin::Authentication
> Catalyst::Plugin::Session
> Catalyst::Plugin::Session::State::Cookie
> Catalyst::Plugin::Session::Store::FastMmap
> to handle login and session management. My login code looks like this:
>  my $u = $params->{username};
>   if ($c->authenticate( { username => $u,
>                           password => $params->{'password'}
>                         } )){
>     my $user = $c->user;
>     $user->last_login(DateTime->now);
>     $user->update();
>     $c->response->redirect( $forward, 301);
>   } else {
>     # login failed
>     $c->stash->{login_failed} = 1;
>   }
> What I'd like to do is check if this user is already logged in at some
> other computer, and deny access if so. I guess that means :
> 1. checking whether there is an existing session associated this username
> 2. Being sure that the associated session is cleared when the user
> hits 'logout'
> I did a quick search and didn't get anything on the list - any quick
> clues about the easy way to do this, before I start digging into the
> guts of the plugins to see how?
> many thanks

      This is actually a pretty "hard" problem -- there is no right answer.
What if the user clears her browser state while using the site?  Leaves the
computer and browser on at work then tries to log in at home on a different
computer?  I think you can gain most of the lockdown of 1 session per user
if you just track user activity over a X minute period.  for instance every
time a user hits your app add a record that is attached to the user account
in the db (src ip, session number, other relevant info).  Then do (either
inline or if it is too costly,  via cron) a check on those entries that
looks for multiple IP/Sessions or whatever you define as multiple users
(given that http is stateless there really is no _safe_ definition).  If
that process detects usage over your threshold,  disable (temp or
permanent) the account.  The same process can clean up entries that are
outside of the time window that you want to look at.

More information about the Catalyst mailing list