How to limit one session at a time for a single account?

43 Posts

Yulianita Reply #31, 5 years, 2 months ago

Quote from: BobRay at Jan 31, 2019, 06:20 AM

Hi Yulianita. Very nice solution.

For completeness, could you provide the code from resource 21?

What happens if the user forgets to log out and just closes the browser? I don't think MODX would automatically call the login snippet with service='logout'. I could be wrong.

If that proves to be a problem, you could possibly check the last login time and give them a pass if it's been x hours since they last logged in.

Yes that is important, in the resource 21 I have this:

[[!disconnectSession]]
[[+userblocked]] You are already signed on using another browser or device . </br>
<a href="[[~21]]&flag=true&userblock=[[+userblocked]]">Logout from all devices</a>

And this is disconnectSession snippet

<?php
if (isset($_GET['userblocked'])){ 
    $user = $_GET['userblocked'];
    $output = $modx->setPlaceholder('userblocked', $user);
}
else  // if user clicked on the link 
    {
    $user = $_GET['userblock'];
    $modx->user = $modx->getObject('modUser', array(
    'username' => $user,
    ));
    $modx->log(modX::LOG_LEVEL_ERROR, 'Form Data = ' . $user);
    $profile = $modx->user->getOne('Profile');
    $extended = $profile->get('extended');
    $extended['logged'] = 0;  
    $profile->set('extended', $extended);
    $profile->save();
    
    $url = $modx->makeURL('2', 'web', '', 'full'); //redirect to login page
    $modx->sendRedirect($url);
}

return $output;

UPDATE: Oh! yes you completely right, the first session will be still open. Suddenly there is some way to flush a certain user's session automatically?? [ed. note: yuliyepes last edited this post 5 years, 2 months ago.]

@yulianita

24,544 Posts

BobRay Reply #32, 5 years, 2 months ago

Thanks!

I'm not sure if people whose sessions don't close are really a problem. When they return, they may just get sent to the MODX Manager dashboard without having to log in. If your plugin interferes with that, you might be able to test for $modx->user->hasSessionContext('whatever_context') before rejecting them.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

1,154 Posts

nuan88 Reply #33, 5 years, 2 months ago

Let me see if I have got this:

If they use the same browser/device, then its still the same device/session and its not a problem if the session isn't destroyed. If they use another browser/device...then it won't have the cookie...and Modx won't let them into that previous session.

Right?

@yuliyepes you could use a prehook to destroy any previous session for the user...I assume prehook will be after username/password are both confirmed

But if you are destroying the session that seems to be effectively the same as refusing the second session.

Right now you are expecting the current session to be maintained, and you are trying to stop the second session from being created.

If you destroy the current session and then allow the second session, that's in some sense the same, the user can't have two.

In one case, if I give my pass to my friend, they can't login while my session exists. In the other, they can login, but when they do it they kick me out of my existing session.

The second way is probably more irritating for the cheating user ha

[ed. note: nuan88 last edited this post 5 years, 2 months ago.]

24,544 Posts

BobRay Reply #34, 5 years, 2 months ago

FYI, this will log the user out when they click on your logout link. I think it will then present the login form, but I'm not sure.

$url = $modx->makeUrl(2, 'web', 'service=logout', "full");

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting