Thanks for all the feedback guys, I think the bumping technique described by Jim and Josh will work best for me in this situation. Although it would be nice to have a bulletproof login where simultaneous logins are denied, sessions end on browser close or disconnect and users can log back in without waiting for a session to time out...maybe in CF9.

-----Original Message-----
From: Jim Davis [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 21, 2007 2:38 PM
To: CF-Talk
Subject: Re: How to Prevent Simultaneous Login / Session Management

>I know I can prevent any simultaneous logins by simply flagging the account
>as "logged in" when a user logs in. However, if the user closes the browser
>or is disconnected without properly logging out, how would I go about
>allowing them to log back in? Since as far as I know, the server and
>database would therefore have no way of knowing the user disconnected and
>would still see the user as logged in. I thought OnSessionEnd would do the
>trick, but as was pointed out to me on this list OnSessionEnd only runs when
>the session expires, not when the user disconnects. Any ideas are much
>appreciated, thanks.

Forgetting the actual coding involved there are at least two schools of thought on this.

+) Token-Based Refusal

In this style you'd store a token (as simple as an IP address but you might also include User Agent or anything else you can get your hands on or place a GUID in a cookie) along with the "logged in" status. When another login is attempted using the same credentials you'd compare the information: if it's the same you'd allow the access.

If the user accidentally closes the browser they still have to log in, but if the info matches they get in immediately. It isn't perfect (far from it) but it works well enough.

One issue is how to manage the information: you can't keep it forever (or else you'd be tying use of the application to a single computer). Often you might manage this by having the information valid only as long as the session is (that way whether or not it's the same person logging in there's no conflict). But you still might run into problems.

+) Bumping

This is the system adopted by many Instant Messaging systems: a new logon will kill a current log on. The message "You have logged in on another computer" epitomizes it.
The session from the old computer is eliminated completely and the new session becomes the "real" one. This honestly annoys me with IM but you'd have to review the idea with your audience in mind. If there are actually two people trying to use the same account this can result in a tug-of-war with the credential rights, but that might be what you want.

Both methods assume that you a) know the details of your user's status (know who's logged in) and b) can affect that status in some way. If the existence of a session implies a login then you've lost control for example. This usually means implementation of some kind of "logged in queue" or the like. Once you can interrogate who's logged in and modify that status either of these options become much simpler to implement.

Jim Davis
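
Both approaches from the message above, sketched as an added example (not code from the thread, and written in Python rather than ColdFusion): a small in-memory "logged in" registry where the registry, not the mere existence of a session, decides who is logged in. The names `LoginRegistry`, `client_token` (for example a GUID cookie) and `ttl` are assumptions made for illustration.

```python
import secrets
import threading
import time


class LoginRegistry:
    """Tracks the single active session per user (the "logged in queue")."""

    def __init__(self, ttl=1200, clock=time.monotonic):
        self.ttl = ttl        # seconds of inactivity before an entry lapses
        self.clock = clock    # injectable so expiry can be exercised in tests
        self.lock = threading.RLock()
        self.active = {}      # user -> (session_id, client_token, last_seen)

    def _current(self, user):
        entry = self.active.get(user)
        if entry and self.clock() - entry[2] > self.ttl:
            del self.active[user]  # browser closed without logout: entry lapses
            return None
        return entry

    def login(self, user, client_token, bump=True):
        """Call after credentials are verified. Returns a session id or None."""
        with self.lock:
            entry = self._current(user)
            if entry and not bump and not secrets.compare_digest(
                    entry[1].encode(), client_token.encode()):
                return None   # token-based refusal: a different client holds it
            sid = secrets.token_urlsafe(32)
            # Overwriting the entry is the bump: the old session id stops validating.
            self.active[user] = (sid, client_token, self.clock())
            return sid

    def is_valid(self, user, sid):
        """Check on every request; bumped or lapsed sessions fail here."""
        with self.lock:
            entry = self._current(user)
            if not entry or not secrets.compare_digest(entry[0].encode(), sid.encode()):
                return False
            self.active[user] = (entry[0], entry[1], self.clock())
            return True

    def logout(self, user, sid):
        with self.lock:
            if self.is_valid(user, sid):
                del self.active[user]
                return True
            return False
```

With `bump=True` a second login replaces the first and the old session id fails `is_valid` on its next request; with `bump=False` a login from a different client token is refused until the entry lapses or the holder logs out.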

