[web2py] Re: Is it possible to restrict a user to single login instance ?

2014-10-14 Thread Niphlod
You should track somewhere that userA from machineA is in there and check 
when userA logs in from machineB.
There's a pretty outstanding issue in your design, though: how do you 
recognize machineA from machineB?

On Tuesday, October 14, 2014 8:01:19 PM UTC+2, Mandar Vaze wrote:

 This is related to a possible security issue. I've written privately to 
 Massimo and Anthony (in another email on this list - they suggested that 
 security issues not be discussed publicly on this list).

 Let's say UserA logs in successfully from MachineA;
 now, without logging out from MachineA, UserA logs in from MachineB.

 Is it possible to either:
 not allow login from MachineB (show a message that you are currently logged 
 in from MachineA - continue to access the application from MachineA, or 
 log out from MachineA... or some such message)
 OR
 allow login from MachineB, but forcefully log out UserA from MachineA 
 (since the login from MachineB was later).

 In either case, UserA is logged in only once from any machine/browser.

 I prefer the second option, because the (legitimate) reason why UserA is 
 logging in from MachineB is that s/he doesn't have access to MachineA 
 (at this point).

 -Mandar


-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
web2py-users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[web2py] Re: Is it possible to restrict a user to single login instance ?

2014-10-14 Thread Anthony
You could check things like IP address and user agent, but these are 
imperfect identifiers (generating false positives and false negatives). You 
should also decide if you really need this level of security, as users may 
legitimately want to be logged in from multiple places (e.g., from laptop 
as well as tablet or phone). I'm currently logged into Google Groups from 
three different devices and would be quite annoyed if I had to keep logging 
in again when I move between devices.

Anthony



[web2py] Re: Is it possible to restrict a user to single login instance ?

2014-10-14 Thread Mandar Vaze
I agree that this could be annoying, but the request came from the customer 
:) - We are trying to negotiate this down, but in the meantime I would 
like to be prepared, in case this becomes a hard requirement.
(As I explained, this is also tied to a security issue - I'll write to you 
separately.)

Anyway, assuming that I decide to add these checks, *where in the flow 
should these checks go?* (and prevent login/invalidate the older session)

-Mandar



[web2py] Re: Is it possible to restrict a user to single login instance ?

2014-10-14 Thread Mandar Vaze
Thanks for the pointers.
If I decide to add this check, *where in the code/flow should this check 
go?*

-Mandar



[web2py] Re: Is it possible to restrict a user to single login instance ?

2014-10-14 Thread nick name
On Tuesday, October 14, 2014 9:01:19 PM UTC+3, Mandar Vaze wrote:

 Is it possible to either :
 not allow login from MachineB (show message that You are currently logged 
 in from MachineA - continue to access the application from MachineA, or 
 logout from MachineA... or some such message.)
 OR
 allow login from MachineB - but forcefully log out userA from MachineA 
 (since login from MachineB was later)


You need to identify machine A or machine B. This is not a trivial problem: 
an IP address may change because of ISP proxies (false positive) and may be 
unified because of the ISP (e.g. two unrelated people using a mobile connection 
may come out with the same IP address). The common solution is to look for 
a unique cookie you set (e.g. My-Computer-Identifier:) and, if it doesn't 
exist, set it to some random UUID you generate.

Then, allow just one such cookie to be acceptable at the same time. If a 
different cookie arrives, either refuse or require a new login and replace 
it.

But note that this is also not foolproof - some browser syncing extensions 
will sync cookies as well.

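Putting the thread's pieces together (Niphlod's "track it somewhere and check at login", Mandar's question of where in the flow the check goes, and the identifier-cookie scheme in the post above), here is an added, framework-neutral Python example. It is not web2py code and not code from anyone in the thread; the SingleSessionPolicy class, its in-memory `active` store and the walk_through() helper are hypothetical names chosen for illustration. In web2py the two call sites would be a callback appended to auth.settings.login_onaccept (runs after a successful login) for login(), and a line in a model file, which runs on every request, for is_current(), with web2py's own session id as the token. Both of the thread's options are implemented: force_logout_previous=True is option 2 (newest login wins), False is option 1 (refuse the second login).

```python
import hmac
import secrets
import string
import time

# Cookie name taken from the thread; the value is always minted server-side.
DEVICE_COOKIE = "My-Computer-Identifier"
_TOKEN_CHARS = set(string.ascii_letters + string.digits + "-_")


class LoginRefused(Exception):
    """Raised in 'refuse' mode (option 1) when the user is active elsewhere."""


class SingleSessionPolicy:
    """At most one (session id, device id) pair is valid per user.

    `active` is an in-memory dict standing in for the table a real app
    would use (hypothetical store, not web2py's); the logic is unchanged
    if it becomes one database row per user.
    """

    def __init__(self, force_logout_previous=True, ttl_seconds=3600):
        self.force_logout_previous = force_logout_previous
        self.ttl = ttl_seconds
        self.active = {}   # user -> {"session": str, "device": str, "seen": float}
        self.revoked = []  # (user, device) pairs whose session was forced out

    @staticmethod
    def device_id(cookies):
        """Return (device_id, must_set_cookie) for a request's cookie jar.

        A well-formed identifier minted earlier is reused; anything else
        (absent, wrong length, attacker-chosen text) is replaced, so a
        client cannot choose its own identifier. Pass the returned value,
        never the raw cookie, to login() and is_current().
        """
        value = cookies.get(DEVICE_COOKIE, "")
        if len(value) == 32 and set(value) <= _TOKEN_CHARS:
            return value, False
        return secrets.token_urlsafe(24), True   # 24 random bytes -> 32 chars

    def login(self, user, device, now=None):
        """Run after the password check succeeded; returns the new session id.

        Option 2: the newer login wins. Overwriting the stored record is what
        logs MachineA out, because is_current() accepts only the stored
        session id, and every request must go through is_current().
        """
        now = time.time() if now is None else now
        current = self.active.get(user)
        if (current is not None
                and now - current["seen"] < self.ttl
                and not hmac.compare_digest(current["device"], device)):
            if not self.force_logout_previous:
                raise LoginRefused("already logged in from another device")
            self.revoked.append((user, current["device"]))
        session = secrets.token_urlsafe(32)
        self.active[user] = {"session": session, "device": device, "seen": now}
        return session

    def is_current(self, user, session, device, now=None):
        """Per-request check: presented session AND device must match the stored pair."""
        now = time.time() if now is None else now
        rec = self.active.get(user)
        if rec is None:
            return False
        if now - rec["seen"] >= self.ttl:
            del self.active[user]  # idle timeout, so a dead session cannot block logins forever
            return False
        ok = (hmac.compare_digest(rec["session"], session)
              and hmac.compare_digest(rec["device"], device))
        if ok:
            rec["seen"] = now
        return ok

    def logout(self, user):
        self.active.pop(user, None)


def walk_through(force_logout_previous=True):
    """Replay the thread's scenario with constructed cookie jars for two machines."""
    policy = SingleSessionPolicy(force_logout_previous)
    t0 = 1_000_000.0  # constructed clock, seconds

    jar_a = {}                                   # MachineA: no identifier cookie yet
    dev_a, set_a = policy.device_id(jar_a)       # minted, a Set-Cookie would follow
    jar_a[DEVICE_COOKIE] = dev_a
    sess_a = policy.login("userA", dev_a, now=t0)

    jar_b = {}                                   # MachineB: a different browser
    dev_b, set_b = policy.device_id(jar_b)
    jar_b[DEVICE_COOKIE] = dev_b
    try:
        sess_b = policy.login("userA", dev_b, now=t0 + 60)
        refused = False
    except LoginRefused:
        sess_b, refused = None, True

    later = t0 + 120
    return {
        "cookie_minted_for_A": set_a,
        "cookie_minted_for_B": set_b,
        "B_refused": refused,
        "A_still_valid": policy.is_current("userA", sess_a, dev_a, now=later),
        "B_valid": sess_b is not None and policy.is_current("userA", sess_b, dev_b, now=later),
        "A_session_with_B_cookie": policy.is_current("userA", sess_a, dev_b, now=later),
        "revoked": policy.revoked,
    }


if __name__ == "__main__":
    print(walk_through(True))    # option 2: A is forced out, B is valid
    print(walk_through(False))   # option 1: B is refused, A stays valid
```

Two points from the thread carry over into the design. First, the check has to run on every request, not only at login: revoking the record at login does nothing until MachineA's next request is actually refused, which is why is_current() is the per-request gate and login() only replaces the stored pair. Second, the identifier cookie is only as strong as the browser keeping it private; as noted above, cookie-syncing extensions can copy it to a second machine, and the policy then sees one device where there are two, so the identifier is a usability measure against the IP/user-agent false positives, not an authentication factor.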