[Catalyst] Preventing simultaneous logins

Octavian Rasnita orasnita at gmail.com
Thu Jul 24 08:01:44 BST 2008


From: "J. Shirley" <jshirley at gmail.com>
> It's fairly simple to track user login now.  You can have an automatic
> ping from the browser to the server that updates the session time.
> Just put it in your template wrappers so you have some simple request
> (even something like an action that renders an image, and a javascript
> timer that reloads that image every X number of seconds).

The JavaScript code could be avoided, so it is not a problem if the browser is not set to support JavaScript.
If the current user doesn't access a new page in 10 (or 15, 20...) minutes, then his session expires and he can log in again on another computer.

If a company has a username for accessing a newspaper, and if an employee of that company accesses the site, he should be able to read the newspaper even if another employee tries to log in.

But if the first user doesn't access a new page every 10 minutes, his session should expire and allow the other users to log in, even if he stays logged in and doesn't close his browser.

> That way you can set your lockout time to a ridiculously low level so
> the user doesn't have to wait for the session to clear.

If the lockout period is too low, the session might be closed much earlier than it should be, so it should be set depending on the situation, because the browser might not use JavaScript, and the user might not access a new page often enough.

> I think the points about the problem are perfectly valid though, it's
> a hard problem to solve right, because "right" is very use case
> specific and the protocol itself is the problem.

Yes, of course. But in any case, I think that a new login should not disable a previous login, because any new user would log off a previously logged-in user. In that case the logged-off user will try to log in again and he will log off the other user, and so on, and this will not be very nice...

A logged-in user must stay logged in while he actively uses the page.
If he doesn't *actively* use the page, his session must be disabled, even if he leaves the browser open. That's why I think that no JavaScript should be used to ping the server, but to consider him *active* only if he accesses new pages at least every 10 minutes, or another period, depending on the specific situation.

Octavian
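The policy argued for in this message (one active session per account, "active" meaning ordinary page requests within an idle window, no JavaScript heartbeat, and a new login that never evicts a still-active user) can be modelled as a small session store. The code below is an added example written for this page, not code from the thread or from Catalyst; it is plain Python rather than Perl so that it runs stand-alone. The class and function names, the 10-minute window, and the `FakeClock` used to step time through the scenario are all assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 10 * 60  # seconds; the "10 (or 15, 20...) minutes" from the thread


@dataclass
class Session:
    user: str
    token: str
    last_seen: float  # time of the last *page request*, not of a JS ping


class SingleSessionStore:
    """At most one active session per account (hypothetical helper).

    A session is alive only while the browser keeps requesting pages.
    Once it has been idle longer than idle_timeout it is dead, even if
    the browser window is still open, and another login may take the slot.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so the scenario below can fake time
        self._by_user: dict[str, Session] = {}
        self._by_token: dict[str, Session] = {}

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.last_seen > self.idle_timeout

    def _drop(self, s: Session) -> None:
        self._by_user.pop(s.user, None)
        self._by_token.pop(s.token, None)

    def login(self, user: str):
        """Return a fresh token, or None if the account is already in active use."""
        now = self.clock()
        existing = self._by_user.get(user)
        if existing is not None:
            if not self._expired(existing, now):
                return None  # refuse: never log the active user off
            self._drop(existing)  # idle too long: reclaim the slot
        s = Session(user, secrets.token_urlsafe(32), now)
        self._by_user[user] = s
        self._by_token[s.token] = s
        return s.token

    def touch(self, token: str):
        """Call on every page request; returns the user if the session is alive."""
        now = self.clock()
        s = self._by_token.get(token)
        if s is None:
            return None
        if self._expired(s, now):
            self._drop(s)  # browser left open but idle: treat as logged out
            return None
        s.last_seen = now  # plain page activity keeps the session alive
        return s.user

    def logout(self, token: str) -> None:
        s = self._by_token.get(token)
        if s is not None:
            self._drop(s)


class FakeClock:
    """Constructed clock so the scenario runs offline without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def scenario() -> dict:
    """Two employees sharing one newspaper account, as described in the thread."""
    clock = FakeClock()
    store = SingleSessionStore(idle_timeout=600, clock=clock)
    r = {}
    t1 = store.login("acme")  # first employee logs in
    r["first_login_ok"] = t1 is not None
    clock.advance(300)  # five minutes later
    r["second_login_refused"] = store.login("acme") is None  # first is still active
    r["first_still_alive"] = store.touch(t1) == "acme"  # a page request refreshes it
    clock.advance(601)  # no page request for more than ten minutes
    r["first_expired"] = store.touch(t1) is None  # open browser, but idle: dead
    t2 = store.login("acme")  # second employee may now log in
    r["second_login_after_idle_ok"] = t2 is not None and t2 != t1
    r["old_token_rejected"] = store.touch(t1) is None
    store.logout(t2)
    r["slot_free_after_logout"] = store.login("acme") is not None
    return r
```

If the idle window is set too low, as the message warns, a reader who spends twelve minutes on one article is logged out on the next click; too high, and a colleague waits that long for the slot. The window is therefore a per-site tuning knob, and the store above takes it as a constructor argument rather than hard-coding it.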