I'm not sure if people whose sessions don't close are really a problem. When they return, they may just get sent to the MODX Manager dashboard without having to log in. If your plugin interferes with that, you might be able to test for $modx->user->hasSessionContext('whatever_context') before rejecting them.
Let me see if I have got this:
If they use the same browser/device, then its still the same device/session and its not a problem if the session isn't destroyed. If they use another browser/device...then it won't have the cookie...and Modx won't let them into that previous session.
@yuliyepes you could use a prehook to destroy any previous session for the user...I assume prehook will be after username/password are both confirmed
But if you are destroying the session that seems to be effectively the same as refusing the second session.
Right now you are expecting the current session to be maintained, and you are trying to stop the second session from being created.
If you destroy the current session and then allow the second session, that's in some sense the same, the user can't have two.
In one case, if I give my pass to my friend, they can't login while my session exists. In the other, they can login, but when they do it they kick me out of my existing session.
The second way is probably more irritating for the cheating user ha
[ed. note: nuan88 last edited this post 6 months, 1 week ago.]
FYI, this will log the user out when they click on your logout link. I think it will then present the login form, but I'm not sure.
$url = $modx->makeUrl(2, 'web', 'service=logout', "full");