[Yanel-dev] User login - prevent the same user from logging on twice
Michael Wechner
michael.wechner at wyona.com
Thu Jun 17 10:23:26 CEST 2010
Bruno von Rotz wrote:
> For some implementations it's important that the same user can't log
> on to the system twice.
ok
> For example if there's a subscription based revenue model you don't
> want to have the same user create two sessions using different
> computers (cookies).
You mean because of possible fraud? I don't think you can really prevent
this kind of fraud, because people will use the same login at different
times, but yes, it will be less convenient for them.
> I see different ways to prevent this or to monitor this:
> a) through the login we can detect whether the same credentials have
> been used by different computers (cookies) at the same time. Then we
> can manually or automatically decide to lock the user or to not allow
> him to log on again
I think this could be through the session, because Yanel knows that such
a user (per realm) is already signed in (via the session)
and hence could block another session for the same credentials.
> b) we can detect at log on time whether the same user is already
> logged on. I am not sure whether we actually know whether a specific
> user is already logged on. But we could store additional information
> to make sure we CAN know
How is (b) different from (a)?
> c) we could also have a "flag" per user to say whether multi-login is
> allowed, as for some purposes, i.e. testing, it's practical to be able
> to use the same user many times
Generally speaking it would be
- per user
- per realm
- per Yanel instance
> There may be more possibilities.
> What is the best way to go depends on what and how it is already
> implemented in Yanel.
To start with, I would suggest implementing this per Yanel instance,
which means that yanel.xml has a flag to enable this functionality,
but to be sure I need to analyze it and size the effort.
Cheers
Michi
> Bruno
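
One way to implement the check discussed in this thread, as an added example that is not Yanel code and not part of the original message: a registry that allows one active session per user and realm, with an instance-wide switch and per-user exemptions. The class, all names in it and the idle timeout (so an abandoned session does not lock the user out) are assumptions.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not Yanel code: one active session per (realm, user).
public class SingleSessionRegistry {
    record Key(String realm, String user) {}
    record Entry(String sessionId, long lastSeen) {}
    private final Map<Key, Entry> active = new ConcurrentHashMap<>();
    private final boolean enforce;      // hypothetical instance-wide switch
    private final Set<Key> multiLogin;  // hypothetical per-user exemptions (e.g. test accounts)
    private final long idleTimeoutMs;   // assumption: a session silent this long no longer blocks

    public SingleSessionRegistry(boolean enforce, Set<Key> multiLogin, long idleTimeoutMs) {
        this.enforce = enforce;
        this.multiLogin = multiLogin;
        this.idleTimeoutMs = idleTimeoutMs;
    }

    // True if this session may sign in; the check and the registration are one atomic step.
    public boolean tryLogin(Key who, String sessionId, long now) {
        if (!enforce || multiLogin.contains(who)) return true;
        Entry owner = active.compute(who, (k, cur) ->
            cur == null || cur.sessionId().equals(sessionId) || now - cur.lastSeen() > idleTimeoutMs
                ? new Entry(sessionId, now) : cur);
        return owner.sessionId().equals(sessionId);
    }

    // Call on every authenticated request so a live session is never mistaken for a stale one.
    public void touch(Key who, String sessionId, long now) {
        active.computeIfPresent(who, (k, cur) ->
            cur.sessionId().equals(sessionId) ? new Entry(sessionId, now) : cur);
    }

    // Call on logout or session expiry; only the owning session can release the slot.
    public void logout(Key who, String sessionId) {
        active.computeIfPresent(who, (k, cur) -> cur.sessionId().equals(sessionId) ? null : cur);
    }

    public static void main(String[] args) {
        Key bruno = new Key("realm1", "bruno"), tester = new Key("realm1", "tester"); // constructed names
        SingleSessionRegistry r = new SingleSessionRegistry(true, Set.of(tester), 1_800_000L);
        System.out.println(r.tryLogin(bruno, "A", 0L));          // first computer signs in
        System.out.println(r.tryLogin(bruno, "B", 60_000L));     // second computer, same credentials
        r.logout(bruno, "A");
        System.out.println(r.tryLogin(bruno, "B", 120_000L));    // slot was released by the logout
        System.out.println(r.tryLogin(bruno, "C", 4_000_000L));  // B has been idle past the timeout
        System.out.println(r.tryLogin(tester, "X", 0L) && r.tryLogin(tester, "Y", 0L)); // exempt user
    }
}
```

Because the lookup and the registration happen inside a single `compute` call, two simultaneous logins with the same credentials cannot both pass the check.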