Thanks Anthony. I think I like the sound of your last suggestion. I'm going to try that one out.
On Tuesday, February 4, 2014 10:16:46 AM UTC-5, Anthony wrote:
>
> Note, this can be tricky. It is difficult to explicitly log out a user in
> one session based on a login within a different session. This is because
> technically sessions do not expire, so it's not easy to know if another
> login is still active, and it's also difficult to find a given session
> file/db record (outside of requests made by that session).
>
> One simple approach might be the following. Add a "current_ip" field to
> the auth_user table. When a user logs in, put the value of request.client
> in that field. Not tested, but something like:
>
> auth.settings.login_onaccept.append(lambda form: db.auth_user(auth.user_id).update_record(current_ip=request.client))
>
> Then, on every subsequent request, check to make sure request.client
> equals the value in the current_ip field. Something like:
>
> @auth.requires(lambda: db.auth_user(auth.user_id).current_ip == request.client)
>
> So, a user logs in from machine A, and the machine A ip address is stored
> in current_ip. Then a user logs in from machine B with the same account, so
> the machine B ip address is stored in current_ip. At that point, if machine
> A makes another request, its request.client will no longer match
> current_ip, so access will be denied (until the user on machine A logs out
> and logs back in, which will then prevent machine B from further access).
>
> The downside of this approach is that it requires a database query on
> every request to check the ip address.
>
> An alternative would be upon login, check the auth_event table for logins
> of the same user within some recent time period (e.g., the last 24 hours).
> Then grab the ip addresses of those logins (which are stored in
> db.auth_event.client_ip). Then find all of the sessions whose file names
> (or session IDs if stored in the database) start with any of those ip
> addresses (excluding the ip address of the current request, of course).
> Then check each of those sessions to see if they include an "auth" object
> for the current user, and if so, delete that "auth" object from the session
> (or simply delete the session entirely). This is a bit more complicated and
> CPU/IO intensive, but it only happens upon login, not on every request.
> Also, it won't work with cookie based sessions.
>
> Anthony
>
> On Tuesday, February 4, 2014 1:41:52 AM UTC-5, DeanK wrote:
>>
>> I've been searching around trying to figure out how to do this without
>> success. I need to enforce only a single login per user. Out of the box
>> you can log in using the same credentials from different computers, but I
>> need logging in on a different computer to terminate the session of the
>> first login. Is this possible? I found some posts that hinted at using
>> session.connect, but then I couldn't find "check_client" in the ebook...and
>> it didn't seem to work when I tested it.
>>
>> ## Limit single user sessions
>> session.connect(request,response,check_client=True)
>>
>> Any tips would be appreciated. Thanks,
>>
>> Dean
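
The current_ip check from Anthony's quoted reply, replayed as an added example that is not part of the thread: a plain sqlite3 table stands in for web2py's auth_user, and the function names, event list and addresses are constructed for illustration. The last two events show a case the check cannot tell apart, two machines behind one NAT address.

```python
import sqlite3

def make_db():
    # Stand-in for web2py's auth_user table with the extra current_ip field.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, current_ip TEXT)")
    db.execute("INSERT INTO auth_user (id) VALUES (1)")
    return db

def on_login(db, user_id, client_ip):
    # Role of the login_onaccept callback: the newest login owns the account.
    db.execute("UPDATE auth_user SET current_ip = ? WHERE id = ?", (client_ip, user_id))

def is_allowed(db, user_id, client_ip):
    # Role of the auth.requires condition: one database query per request.
    row = db.execute("SELECT current_ip FROM auth_user WHERE id = ?", (user_id,)).fetchone()
    return row is not None and row[0] == client_ip

def replay(events):
    # events: (action, machine, ip); returns [(machine, allowed)] for each "request".
    db = make_db()
    results = []
    for action, machine, ip in events:
        if action == "login":
            on_login(db, 1, ip)
        else:
            results.append((machine, is_allowed(db, 1, ip)))
    return results

# Constructed sample traffic (documentation-range addresses).
EVENTS = [
    ("login", "A", "192.0.2.10"),
    ("request", "A", "192.0.2.10"),    # allowed: A holds the latest login
    ("login", "B", "198.51.100.7"),
    ("request", "A", "192.0.2.10"),    # denied: B logged in after A
    ("request", "B", "198.51.100.7"),  # allowed
    ("login", "C", "198.51.100.7"),    # C sits behind the same NAT address as B
    ("request", "B", "198.51.100.7"),  # still allowed: same IP as C
]

if __name__ == "__main__":
    for machine, allowed in replay(EVENTS):
        print(machine, "allowed" if allowed else "denied")
```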

