Note, this can be tricky. It is difficult to explicitly log out a user in
one session based on a login within a different session. This is because
technically sessions do not expire, so it's not easy to know if another
login is still active, and it's also difficult to find a given session
(outside of requests made by that user).
One simple approach might be the following. Add a "current_ip" field to the
auth_user table. When a user logs in, put the value of request.client in
that field. Not tested, but something like:
auth.settings.login_onaccept.append(lambda form:
    db.auth_user(auth.user_id).update_record(current_ip=request.client))
Then, on every subsequent request, check to make sure request.client equals
the value in the current_ip field. Something like:
@auth.requires(lambda: db.auth_user(auth.user_id).current_ip == request.client)
So, a user logs in from machine A, and the machine A ip address is stored
in current_ip. Then a user logs in from machine B with the same account, so
the machine B ip address is stored in current_ip. At that point, if machine
A makes another request, its request.client will no longer match
current_ip, so access will be denied (until the user on machine A logs out
and logs back in, which will then prevent machine B from further access).
The downside of this approach is that it requires a database query on every
request to check the ip address.
An alternative would be, upon login, to check the auth_event table for logins
of the same user within some recent time period (e.g., the last 24 hours).
Then grab the ip addresses of those logins (which are stored in
db.auth_event.client_ip). Then find all of the sessions whose file names
(or session IDs if stored in the database) start with any of those ip
addresses (excluding the ip address of the current request, of course).
Then check each of those sessions to see if they include an "auth" object
for the current user, and if so, delete that "auth" object from the session
(or simply delete the session entirely). This is a bit more complicated and
CPU/IO intensive, but it only happens upon login, not on every request.
Also, it won't work with cookie-based sessions.
Anthony
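As an added example (not code from this thread or from web2py itself), here is a plain-Python model of the first approach above, with dicts standing in for db.auth_user, request.client and the session; the names login, allowed_by_ip, allowed_by_token and scenario are stand-ins chosen here, not web2py API. It also shows where the IP-only comparison falls short: two machines behind one NAT present the same request.client, so machine A is never locked out, whereas a random per-login token stored alongside current_ip and checked the same way does lock A out.

```python
import secrets

# Stand-in for the auth_user table: user_id -> row holding the marker columns.
auth_user = {}


def login(user_id, client_ip, session):
    """What the login_onaccept callback in the reply records, plus a random
    per-login token. `session` stands in for web2py's session object."""
    token = secrets.token_hex(16)
    auth_user[user_id] = {"current_ip": client_ip, "login_token": token}
    session["auth_user_id"] = user_id
    session["login_token"] = token
    return token


def allowed_by_ip(user_id, client_ip):
    """The condition the reply passes to @auth.requires: request.client must
    equal the IP recorded by the most recent login for this user."""
    row = auth_user.get(user_id)
    return row is not None and row["current_ip"] == client_ip


def allowed_by_token(session):
    """Same check, keyed on the per-login token instead of the client IP.
    compare_digest keeps the comparison constant-time."""
    row = auth_user.get(session.get("auth_user_id"))
    if row is None:
        return False
    return secrets.compare_digest(row["login_token"],
                                  session.get("login_token", ""))


def scenario(ip_a, ip_b):
    """Log in from machine A, then from B with the same account, and report
    which check still admits each machine; then log A in again and report
    again. Each phase is ((a_by_ip, b_by_ip), (a_by_token, b_by_token))."""
    sess_a, sess_b = {}, {}
    login(7, ip_a, sess_a)
    login(7, ip_b, sess_b)
    after_b = ((allowed_by_ip(7, ip_a), allowed_by_ip(7, ip_b)),
               (allowed_by_token(sess_a), allowed_by_token(sess_b)))
    login(7, ip_a, sess_a)  # machine A logs out and back in
    after_a = ((allowed_by_ip(7, ip_a), allowed_by_ip(7, ip_b)),
               (allowed_by_token(sess_a), allowed_by_token(sess_b)))
    return after_b, after_a


if __name__ == "__main__":
    print("distinct IPs:", scenario("10.0.0.5", "192.0.2.9"))
    print("shared NAT IP:", scenario("203.0.113.1", "203.0.113.1"))
```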
On Tuesday, February 4, 2014 1:41:52 AM UTC-5, DeanK wrote:
>
> I've been searching around trying to figure out how to do this without
> success. I need to enforce only a single login per user. Out of the box
> you can login using the same credentials from different computers, but I
> need logging in on a different computer to terminate the session of the
> first log in. Is this possible? I found some posts that hinted at using
> session.connect, but then I couldn't find "check_client" in the ebook...and
> it didn't seem to work when I tested it.
>
>
> ## Limit single user sessions
> session.connect(request,response,check_client=True)
>
> Any tips would be appreciated. Thanks,
>
> Dean
>
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.