How are you handling your sessions? I use Apache::Session::Postgres.
In my scenario, if I needed to do this, I would check the list of valid
sessions I have for one that exists for the user. ie, if 'gphat' tries to
login, I check to see if any of the sessions the db are for user gphat. If so,
eliminate it and create a new one.
Using an Apache::Session might not be the answer, as you'd have to check each
active session. Depending on the situation, that might not be acceptable.
You could roll your own session handling, it's not that hard. Then add a
username field to the session table, so you can index and search by it.
Hello all,
I'm looking for a straightforward approach to extend our AuthCookie
sessioning to enforce that a user is only logged in from one browser at
a time. For us, it would suffice that if the user tries to log in from
a 2nd browser, the first session would just be expired.
I was thinking that upon login I could save the AuthCookie key in that
user's db entry as current_session_key and I could blank it out when
they explicitly log out. Then during login, I would be able to see if
there's another key still out there for them. The tricky part for me is
figuring out if that key is still an -active- session as opposed to
having just left their browser open last night or something. And also,
if I do determine that it is another active one, how would I expire it?
Anyone done this type of thing previously?
Thanks,
Fran