We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
  • No, sorry. No luck here.
      Studying MODX in the desert - http://sottwell.com
      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
      Join the Slack Community - http://modx.org
      • 51488
      • 5 Posts
      IS there anyone here that has the solution found for this issue? I'm anxiously looking for this solution.

      Thanks in advance.

      - Leonie
        • 3749
        • 24,544 Posts
        If you're using MODX Revolution, you could do it in a plugin attached to one of the login system events. You could abort the login if the user is already logged in.

          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
          • 47047
          • 43 Posts
          It should be easy but not. I need do not allowed the login if the user already has a session initiated (in another browser o device), because by default modx let me login many sessions.
          So I have this snippet on my preHooks login:

          
              $formFields = $hook->getValues();
              $username = $formFields['username'];  //take username login
              $modx->user = $modx->getObject('modUser', array(  //query this username
              'username' => $username,
          ));
          if ($modx->user->isAuthenticated('web') == true) { // this is empty
                $modx->sendUnauthorizedPage();
          } 
          return true;



          I really appreciate any help

            @yulianita
            • 3749
            • 24,544 Posts
            In a login preHook, I'm pretty sure MODX has no idea who the user is, so that approach probably won't work.

            I think what you want is a plugin attached to OnWebAuthentication. This code in the plugin might do it (untested):

            return !($user->hasSessionContext('web'));
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
              • 46886
              • 1,154 Posts
              I agree completely that Modx will really have trouble to find the user with a prehook because its before login.

              So it needs to be a plugin, but a plugin to do what?

              In my browsing experience logging into the account from a new device will often kill the existing session and allow the new session to replace it.

              The alternative seems to be refusing the login because of the other session, but this seems unwise. If I login to a site from my phone, then my phone is stolen, i would have to wait for the session to end naturally...but ideas can vary

              Also BobRay what is your plugin supposed to do? [ed. note: nuan88 last edited this post 5 years, 2 months ago.]
                • 3749
                • 24,544 Posts
                In theory, it prevents a user from logging in when they are already logged in.
                  Did I help you? Buy me a beer
                  Get my Book: MODX:The Official Guide
                  MODX info for everyone: http://bobsguides.com/modx.html
                  My MODX Extras
                  Bob's Guides is now hosted at A2 MODX Hosting
                  • 46886
                  • 1,154 Posts
                  I can't even decide which is better, to not be able to login or to destroy another session upon login. Maybe default is just the way to go, if you are giving your users access then just give them access

                  that said I just posted about limiting the time of cookies in another thread
                    • 3749
                    • 24,544 Posts
                    I don't know the OP's use case, but imagine that you sell a subscription to your web site, then suspect that your users are passing their credentials around to their friends.
                      Did I help you? Buy me a beer
                      Get my Book: MODX:The Official Guide
                      MODX info for everyone: http://bobsguides.com/modx.html
                      My MODX Extras
                      Bob's Guides is now hosted at A2 MODX Hosting
                      • 46886
                      • 1,154 Posts
                      yes certainly, but its only one aspect of the struggle. as I mentioned its nothing to limit cookie sessions in order to control things a bit.

                      today, people are using multiple devices and IPs. In order to catch cheating, you would basically have to log and track IPs, and even then you will have trouble to definitively know its fraud. Sure it might be a new IP from the other side of the world, but it could be a vpn, and vpns could be used to hide that 'foreign' IP.

                      number of sessions is relevant but could easily end up as a big hassle for the users, without any real protection for the site. i personally plan to sell services to college students and there is just no way, they need multiple sessions because they've got it open on their tablet and their phone, making them login constantly is a good way to lose site activity.

                      it would however be good for modx to have an easy way to get what I mentioned before seems to be the standard behavior. The new login goes through, destroying the previous session. Again, that will not really affect cheating, but its a widely-used behavior.