[Catalyst] Preventing simultaneous logins

J. Shirley jshirley at gmail.com
Wed Jul 23 21:38:03 BST 2008


On Wed, Jul 23, 2008 at 1:20 PM,  <Wade.Stuart at fallon.com> wrote:
> "Daniel McBrearty" <danielmcbrearty at gmail.com> wrote on 07/23/2008 02:47:57
> PM:
>
>> I'm using Cat with a pretty standard configuration of :
>>
>> Catalyst::Plugin::Authentication
>> Catalyst::Plugin::Session
>> Catalyst::Plugin::Session::State::Cookie
>> Catalyst::Plugin::Session::Store::FastMmap
>>
>> to handle login and session management. My login code looks like this:
>>
>>  my $u = $params->{username};
>>
>>   if ($c->authenticate( { username => $u,
>>                           password => $params->{'password'}
>>                         } )){
>>     my $user = $c->user;
>>     $user->last_login(DateTime->now);
>>     $user->update();
>>     $c->response->redirect( $forward, 301);
>>
>>   } else {
>>     # login failed
>>     $c->stash->{login_failed} = 1;
>>   }
>>
>>
>> What I'd like to do is check if this user is already logged in at some
>> other computer, and deny access if so. I guess that means :
>>
>> 1. checking whether there is an existing session associated with this username
>> 2. being sure that the associated session is cleared when the user
>> hits 'logout'
>>
>> I did a quick search and didn't get anything on the list - any quick
>> clues about the easy way to do this, before I start digging into the
>> guts of the plugins to see how?
>>
>> many thanks
>>
> Daniel,
>
>      This is actually a pretty "hard" problem -- there is no right answer.
> What if the user clears her browser state while using the site?  Leaves the
> computer and browser on at work, then tries to log in at home on a different
> computer?  I think you can gain most of the lockdown of 1 session per user
> if you just track user activity over an X minute period.  For instance, every
> time a user hits your app, add a record that is attached to the user account
> in the db (src ip, session number, other relevant info).  Then do (either
> inline or, if it is too costly, via cron) a check on those entries that
> looks for multiple IPs/sessions or whatever you define as multiple users
> (given that http is stateless, there really is no _safe_ definition).  If
> that process detects usage over your threshold, disable (temp or
> permanent) the account.  The same process can clean up entries that are
> outside of the time window that you want to look at.
>

It's fairly simple to track user login now.  You can have an automatic
ping from the browser to the server that updates the session time.
Just put it in your template wrappers so you have some simple request
(even something like an action that renders an image, and a javascript
timer that reloads that image every X number of seconds).

That way you can set your lockout time to a ridiculously low level so
the user doesn't have to wait for the session to clear.

I think the points about the problem are perfectly valid though, it's
a hard problem to solve right, because "right" is very use case
specific and the protocol itself is the problem.

-J
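The two requirements in Daniel's question (refuse a login while another session for the same username is live, and release that binding on logout) together with the activity-window idea from Wade's and J. Shirley's replies can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Catalyst or from any of the plugins named above. It is plain Perl with no Catalyst dependency: two in-memory hashes stand in for the users table and the session store, and the package and method names (SingleSession, login, touch, logout, is_active) are hypothetical. The comments say where each call would sit in a Catalyst application.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not from the thread or from Catalyst: a minimal model of
# "one live session per user". The users hash stands in for a column pair
# on the users table, the sessions hash for the session store.
package SingleSession;

use strict;
use warnings;

sub new {
    my ($class, %args) = @_;
    return bless {
        # seconds without a ping before a session is treated as dead; with the
        # browser-side image ping from the reply above this can be kept small
        idle_limit => defined $args{idle_limit} ? $args{idle_limit} : 120,
        users      => {},   # username   => { session_id => ..., last_seen => epoch }
        sessions   => {},   # session_id => username
    }, $class;
}

# Login action, after $c->authenticate succeeds. $new_sid is the id of the
# session the user is logging in with (in Catalyst, $c->sessionid).
# Returns (1, undef) on success or (0, $reason) if the user is active elsewhere.
sub login {
    my ($self, $username, $new_sid, $now) = @_;
    my $rec = $self->{users}{$username};

    if ($rec && $rec->{session_id} ne $new_sid) {
        my $age = $now - $rec->{last_seen};
        if ($age < $self->{idle_limit} && exists $self->{sessions}{ $rec->{session_id} }) {
            return (0, "already logged in (last seen ${age}s ago)");
        }
        # the other session is stale or was logged out: drop it and take over
        delete $self->{sessions}{ $rec->{session_id} };
    }

    $self->{users}{$username}  = { session_id => $new_sid, last_seen => $now };
    $self->{sessions}{$new_sid} = $username;
    return (1, undef);
}

# Called on every request, or from the action behind the periodically
# reloaded image: refreshes last_seen for the session's user.
# Returns 1 if the session is known, 0 otherwise.
sub touch {
    my ($self, $sid, $now) = @_;
    my $username = $self->{sessions}{$sid} or return 0;
    $self->{users}{$username}{last_seen} = $now;
    return 1;
}

# Logout action, before $c->delete_session: clears the username => session
# binding so the next login for this user is not refused.
sub logout {
    my ($self, $sid) = @_;
    my $username = delete $self->{sessions}{$sid} or return 0;
    delete $self->{users}{$username};
    return 1;
}

# Is $username currently bound to a session that has pinged recently?
sub is_active {
    my ($self, $username, $now) = @_;
    my $rec = $self->{users}{$username} or return 0;
    return 0 unless exists $self->{sessions}{ $rec->{session_id} };
    return ($now - $rec->{last_seen}) < $self->{idle_limit} ? 1 : 0;
}

package main;

# Constructed walk-through (sample data, not real sessions) with a 60 s window.
my $s = SingleSession->new(idle_limit => 60);
my $t = 1_000_000;

my ($ok, $why) = $s->login('daniel', 'sess-work', $t);
die "first login should succeed" unless $ok;

($ok, $why) = $s->login('daniel', 'sess-home', $t + 30);
die "second login inside the window should be refused" if $ok;
print "refused: $why\n";

$s->touch('sess-work', $t + 50);                      # browser ping keeps the work session alive
die "work session should still be active" unless $s->is_active('daniel', $t + 100);

($ok) = $s->login('daniel', 'sess-home', $t + 200);   # no pings for 150 s: the work session is stale
die "stale session should be taken over" unless $ok;
die "old session id must not be accepted" if $s->touch('sess-work', $t + 201);

$s->logout('sess-home');
($ok) = $s->login('daniel', 'sess-laptop', $t + 202); # explicit logout frees the account at once
die "login after logout should succeed" unless $ok;
print "all checks passed\n";
```

Two design points worth keeping in mind. First, do the check only after `$c->authenticate` has succeeded, as the example does: refusing before the password is verified would let anyone learn whether a given username is logged in. Second, the thread's concern about a user who closes the browser without logging out is exactly the trade-off in `login`: a short idle window plus the image ping keeps the lockout brief, whereas a long window turns the feature into a denial of service against the legitimate user. Whichever window you choose, bind the user to a session id that was issued at login rather than one the browser arrived with (Catalyst::Plugin::Session offers change_session_id for this), otherwise a session-fixation attempt would inherit the "already logged in" state.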
