Thanks for the pointers. If I decided to add this check - *where in the code/flow should this check go* ?
-Mandar

On Wednesday, October 15, 2014 1:01:42 AM UTC+5:30, Niphlod wrote:
>
> you should track somewhere that userA from machineA is in there and check
> when userA logs in from machineB.
> There's a pretty outstanding issue in your design, though.... how do you
> recognize machineA from machineB ?
>
> On Tuesday, October 14, 2014 8:01:19 PM UTC+2, Mandar Vaze wrote:
>>
>> This is related to possible security issue. I've written "privately" to
>> Massimo and Anthony (in another email on this list - they suggested that
>> security issues not be discussed "publicly" on this list)
>>
>> Let's say UserA logs in successfully from MachineA
>> now without logging out from MachineA - UserA logs in from MachineB
>>
>> Is it possible to either :
>> not allow login from MachineB (show message that "You are currently
>> logged in from MachineA - continue to access the application from MachineA,
>> or logout from MachineA"... or some such message.)
>> OR
>> allow login from MachineB - but forcefully log out userA from MachineA
>> (since login from MachineB was later)
>>
>> Either case - UserA is logged in only once from any machine/browser
>>
>> I prefer second option - cause the (legitimate) reason why UserA is
>> logging in from MachineB is because s/he doesn't have access to MachineA
>> (at this point)
>>
>> -Mandar
>>
>
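One way to get the second behaviour discussed in this thread (the later login wins) without having to tell MachineA from MachineB, shown as an added example that is not part of the original messages and is not web2py code: issue a fresh random token at each login, keep only the latest one per user, and compare it on every request. `SingleSessionRegistry` and its method names are hypothetical, and the in-memory dict is an assumed stand-in for a database table keyed by user id.

```python
import hmac
import secrets


class SingleSessionRegistry:
    """Tracks the one login token that is currently valid for each user.

    Hypothetical helper: the dict stands in for a database table.
    """

    def __init__(self):
        self._active = {}  # user_id -> token issued at the most recent login

    def login(self, user_id):
        """Call right after credentials are verified. Returns the token to
        store in the new session; any earlier token for this user stops matching."""
        token = secrets.token_urlsafe(32)
        self._active[user_id] = token
        return token

    def is_current(self, user_id, session_token):
        """Call on every authenticated request, before the controller runs."""
        expected = self._active.get(user_id)
        if expected is None or session_token is None:
            return False
        # Constant-time comparison of the stored and presented tokens.
        return hmac.compare_digest(expected.encode(), session_token.encode())

    def logout(self, user_id, session_token):
        """Clear the record only if the caller holds the current token, so a
        superseded session cannot log out the newer one."""
        if self.is_current(user_id, session_token):
            del self._active[user_id]
            return True
        return False


def demo():
    """Constructed scenario: userA logs in on MachineA, then on MachineB."""
    registry = SingleSessionRegistry()
    session_a = {"user": "userA", "token": registry.login("userA")}  # MachineA
    session_b = {"user": "userA", "token": registry.login("userA")}  # MachineB
    return (
        registry.is_current(session_a["user"], session_a["token"]),  # superseded
        registry.is_current(session_b["user"], session_b["token"]),  # current
    )


if __name__ == "__main__":
    print(demo())
```

The check has two call sites: `login()` in the login handler once the password is accepted, and `is_current()` in whatever code runs before every protected request, where a `False` result means the session should be cleared and the user sent back to the login page.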