-
- 5 Posts
Is there anyone here who has found the solution for this issue? I'm anxiously looking for this solution.
Thanks in advance.
- Leonie
-
- 24,544 Posts
If you're using MODX Revolution, you could do it in a plugin attached to one of the login system events. You could abort the login if the user is already logged in.
-
- 24,544 Posts
In a login preHook, I'm pretty sure MODX has no idea who the user is, so that approach probably won't work.
I think what you want is a plugin attached to OnWebAuthentication. This code in the plugin might do it (untested):
return !($user->hasSessionContext('web'));
-
- 1,154 Posts
I agree completely that MODX will really have trouble finding the user with a prehook because it's before login.
So it needs to be a plugin, but a plugin to do what?
In my browsing experience, logging into the account from a new device will often kill the existing session and allow the new session to replace it.
The alternative seems to be refusing the login because of the other session, but this seems unwise. If I log in to a site from my phone, then my phone is stolen, I would have to wait for the session to end naturally... but ideas can vary.
Also, BobRay, what is your plugin supposed to do?
[ed. note: nuan88 last edited this post 5 years, 2 months ago.]
-
- 24,544 Posts
In theory, it prevents a user from logging in when they are already logged in.
-
- 1,154 Posts
I can't even decide which is better, to not be able to log in or to destroy another session upon login. Maybe default is just the way to go; if you are giving your users access then just give them access.
That said, I just posted about limiting the time of cookies in another thread.
-
- 24,544 Posts
I don't know the OP's use case, but imagine that you sell a subscription to your web site, then suspect that your users are passing their credentials around to their friends.
-
- 1,154 Posts
Yes, certainly, but it's only one aspect of the struggle. As I mentioned, it's nothing to limit cookie sessions in order to control things a bit.
Today, people are using multiple devices and IPs. In order to catch cheating, you would basically have to log and track IPs, and even then you will have trouble definitively knowing it's fraud. Sure, it might be a new IP from the other side of the world, but it could be a VPN, and VPNs could be used to hide that 'foreign' IP.
Number of sessions is relevant but could easily end up as a big hassle for the users, without any real protection for the site. I personally plan to sell services to college students and there is just no way. They need multiple sessions because they've got it open on their tablet and their phone; making them log in constantly is a good way to lose site activity.
It would, however, be good for MODX to have an easy way to get what I mentioned before, which seems to be the standard behavior: the new login goes through, destroying the previous session. Again, that will not really affect cheating, but it's a widely used behavior.
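
The two policies weighed in this thread (refuse a login while another session is live, or let the new login replace the older session), with a per-user session cap for the tablet-plus-phone case. This is an added, framework-neutral example; it is not MODX code and not from any poster. `SessionRegistry`, its method names, and the in-memory dict standing in for a server-side session table are all assumptions.

```python
import secrets
import time
from collections import defaultdict

DENY_NEW = "deny_new"          # refuse the login while the user is at the cap
EVICT_OLDEST = "evict_oldest"  # admit the new login, destroy the oldest session


class SessionRegistry:
    """Hypothetical server-side record of live sessions per user."""

    def __init__(self, policy, max_sessions=1, ttl=3600, clock=time.time):
        self.policy, self.max_sessions = policy, max_sessions
        self.ttl, self.clock = ttl, clock
        self._by_user = defaultdict(dict)  # user -> {session_id: created_at}

    def _live(self, user):
        # Drop sessions older than ttl so a lost device cannot hold a slot forever.
        now = self.clock()
        live = {s: t for s, t in self._by_user[user].items() if now - t < self.ttl}
        self._by_user[user] = live
        return live

    def login(self, user):
        """Call only after credentials were verified.
        Returns (session_id or None, list of evicted session ids)."""
        live, evicted = self._live(user), []
        if len(live) >= self.max_sessions and self.policy == DENY_NEW:
            return None, evicted
        while len(live) >= self.max_sessions:
            oldest = min(live, key=live.get)
            del live[oldest]
            evicted.append(oldest)
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        live[sid] = self.clock()
        return sid, evicted

    def is_valid(self, user, sid):
        # Check on every request: an evicted session must stop working at once.
        return sid in self._live(user)

    def logout(self, user, sid):
        self._by_user[user].pop(sid, None)
```

Under `DENY_NEW` the owner of a stolen phone stays locked out until the old session expires or is logged out, so a short `ttl` matters there; under `EVICT_OLDEST` the next login recovers the account immediately.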