Only allow a web user to be logged in on one computer at a time

Hi,

Is it possible to log a user out when they log in on another computer. The reason for this is to stop credentials being shared between multiple users.

Can't see any modx setting options to do this. So I'm guessing need to query the modx_session table and then remove the appropriate row, just trying to suss what within the modx_session data column identifies the user.

Has anyone done anything similar?

I think you might be able do it with a Hook on the Login snippet. I'm pretty sure there's a way to get a list of currently logged-in users, but I can't remember what it is.

Quote from: BobRay at Jun 08, 2013, 08:11 AM

I think you might be able do it with a Hook on the Login snippet. I'm pretty sure there's a way to get a list of currently logged-in users, but I can't remember what it is.

Thanks bob, of course a hook. Was thinking a plugin was the way to go.

I've found the activeUser snippet which comes with login, so just examining the code to see if i can suss out how i can work out what the session id is to then remove it from the session table.

Don't suppose

Would do the trick.
http://api.modx.com/revolution/2.2/db_core_model_modx_moduser.class.html#%5CmodUser::endSession()

Or is that just for the current user.

It would be the user's account retrieved as an object. I suspect any modUser with the same ID number would get kicked off.

I am not home, so I can't look at the code or play with it to see exactly, but if memory serves, any session in the table attached to the user would get dumped - so both would be logged off.

Quote from: bennyb at Jun 10, 2013, 05:35 PM

endSession()

This just seems to kill the current user session and not other users with the same ID.

Strange. I will test this when I get back.

In my opinion it should dump all sessions belonging to a specified user.

Depending on my tests I will put a feature request in to have this debated by the powers that be - if they haven't already.

Shawn! You're supposed to be on vacation! Get off the Internet! Go vacate!

Anyway, different machines won't have the same cookie and thus won't have the same session, so if you're logged in via different machines, each one will be assigned its own session. Goes for different browsers, too.

For example, if I log in to my local installation with this FireFox, my cookie value is 39ff1b49e5131707e6b33e4c76e83df3, but logging in again with Safari it's 7083beb6a42e7e557bb19d60a72823d8. So anything I do in the FireFox session won't have anything to do with the Safari session; in fact it won't even know it exists.

This would probably take a plugin, which checks the active_users table and aborts a login with a message if the user is already logged in.

Hm. Apparently the active_users table doesn't log manager users. And the manager_actions log doesn't log manager logins and logouts, like the Evo one does. That's a pity, I found that useful on occasion.

Shawn, that would be great if thats what the end session done, but as Susan mentions it doesn't

Susan, I actually not worried about manager users, it's only web users. But active_users doesn't seem to ever populate. Regardless if i'm logged in as a manager or a web users.