How to limit one session at a time for a single account? - My Forums

How to limit one session at a time for a single account?

solarthrone — Apr 26, 2016, 09:51 AM

Hi everybody,
I have a simple question/request.

Currently MODX allows many login sessions for the same user account.
(logging in from different browsers/devices on the same account doesn't end the previous session)

Is there any way to limit the session to only one active at a time (per user), and how?

I'm using the Login extra for MODX, the logging would only be for (protected) front-end context (default web).
Perhaps some kind of hook for the login, snippet or plugin would do it, but I don't have much experience with it.

I apologize for not having much knowledge on the matter.
Thank you for your time, I'm new to MODX but its a really great tool.

Re: How to limit one session at a time for a single account?

BobRay — Feb 07, 2019, 03:16 AM

FYI, this will log the user out when they click on your logout link. I think it will then present the login form, but I'm not sure.

$url = $modx->makeUrl(2, 'web', 'service=logout', "full");

Re: How to limit one session at a time for a single account?

nuan88 — Feb 06, 2019, 09:16 PM

Let me see if I have got this:

If they use the same browser/device, then its still the same device/session and its not a problem if the session isn't destroyed. If they use another browser/device...then it won't have the cookie...and Modx won't let them into that previous session.

Right?

@yuliyepes you could use a prehook to destroy any previous session for the user...I assume prehook will be after username/password are both confirmed

But if you are destroying the session that seems to be effectively the same as refusing the second session.

Right now you are expecting the current session to be maintained, and you are trying to stop the second session from being created.

If you destroy the current session and then allow the second session, that's in some sense the same, the user can't have two.

In one case, if I give my pass to my friend, they can't login while my session exists. In the other, they can login, but when they do it they kick me out of my existing session.

The second way is probably more irritating for the cheating user ha

Re: How to limit one session at a time for a single account?

BobRay — Feb 05, 2019, 05:24 PM

Thanks!

I'm not sure if people whose sessions don't close are really a problem. When they return, they may just get sent to the MODX Manager dashboard without having to log in. If your plugin interferes with that, you might be able to test for $modx->user->hasSessionContext('whatever_context') before rejecting them.

Re: How to limit one session at a time for a single account?

yuliyepes — Feb 02, 2019, 09:54 PM

Quote from: BobRay at Jan 31, 2019, 06:20 AM

Hi Yulianita. Very nice solution.

For completeness, could you provide the code from resource 21?

What happens if the user forgets to log out and just closes the browser? I don't think MODX would automatically call the login snippet with service='logout'. I could be wrong.

If that proves to be a problem, you could possibly check the last login time and give them a pass if it's been x hours since they last logged in.

Yes that is important, in the resource 21 I have this:

[[!disconnectSession]]
[[+userblocked]] You are already signed on using another browser or device . 

Logout from all devices

And this is disconnectSession snippet

setPlaceholder('userblocked', $user);
}
else  // if user clicked on the link 
    {
    $user = $_GET['userblock'];
    $modx->user = $modx->getObject('modUser', array(
    'username' => $user,
    ));
    $modx->log(modX::LOG_LEVEL_ERROR, 'Form Data = ' . $user);
    $profile = $modx->user->getOne('Profile');
    $extended = $profile->get('extended');
    $extended['logged'] = 0;  
    $profile->set('extended', $extended);
    $profile->save();
    
    $url = $modx->makeURL('2', 'web', '', 'full'); //redirect to login page
    $modx->sendRedirect($url);
}

return $output;

UPDATE: Oh! yes you completely right, the first session will be still open. Suddenly there is some way to flush a certain user's session automatically??

Re: How to limit one session at a time for a single account?

BobRay — Jan 31, 2019, 06:20 AM

Hi Yulianita. Very nice solution.

For completeness, could you provide the code from resource 21?

What happens if the user forgets to log out and just closes the browser? I don't think MODX would automatically call the login snippet with service='logout'. I could be wrong.

If that proves to be a problem, you could possibly check the last login time and give them a pass if it's been x hours since they last logged in.

Re: How to limit one session at a time for a single account?

nuan88 — Jan 29, 2019, 09:16 PM

Then that's a very elegant solution, thanks for the contribution!

Re: How to limit one session at a time for a single account?

yuliyepes — Jan 29, 2019, 07:10 PM

Quote from: BobRay at Jan 21, 2019, 04:58 AM

@yulianita, You may be correct that my solution using hasSessionContext() wouldn't work. Your preHook looks to me like it should work, since it will only return true if the user is not already logged in. It should be easy to find out if it works. Let us know if it does and maybe I'll do a a blog post on it.

Hi BobRay and nuan88, The code that I share is working and I have not had any problem yet "I hope not have it", I didn't use sessions.

Re: How to limit one session at a time for a single account?

BobRay — Jan 21, 2019, 04:58 AM

@yulianita, You may be correct that my solution using hasSessionContext() wouldn't work. Your preHook looks to me like it should work, since it will only return true if the user is not already logged in. It should be easy to find out if it works. Let us know if it does and maybe I'll do a a blog post on it.

Re: How to limit one session at a time for a single account?

nuan88 — Jan 20, 2019, 11:39 PM

I just found something that could be interesting, its perhaps older code but the core of Modx doesn't change too much so it should still work.

https://gist.github.com/splittingred/1234763

It queries the Modx db for sessions, and it seems to me it could be easily converted to take the query it is already doing, and then checking for the username.

It could save you some time depending on where you are at. Just a random find in github lol