[Yanel-dev] User login - prevent the same user from logging on twice

Michael Wechner michael.wechner at wyona.com
Thu Jun 17 10:23:26 CEST 2010


Bruno von Rotz wrote:
> For some implementations it's important that the same user can't log 
> on to the system twice.

OK

> For example if there's a subscription based revenue model you don't 
> want to have the same user create two sessions using different 
> computers (cookies).

You mean because of possible fraud? I don't think you can really prevent 
this kind of fraud, because people will use the same login at different 
times, but yes, it will be less convenient for them.

> I see different ways to prevent this or to monitor this:
> a) through the login we can detect whether the same credentials have 
> been used by different computers (cookies) at the same time. Then we 
> can manually or automatically decide to lock the user or to not allow 
> him to log on again

I think this could be through the session, because Yanel knows that such 
a user (per realm) is already signed in (via the session) and hence could 
block another session for the same credentials.

> b) we can detect at log on time whether the same user is already 
> logged on. I am not sure whether we actually know whether a specific 
> user is already logged on. But we could store additional information 
> to make sure we CAN know

How is (b) different from (a)?

> c) we could also have a "flag" per user to say whether multi-login is 
> allowed, as for some purposes, i.e. testing, it's practical to be able 
> to use the same user many times

Generally speaking it would be

- per user
- per realm
- per Yanel instance

> There may be more possibilities.
> What is the best way to go depends on what and how it is already 
> implemented in Yanel.

To start with I would suggest implementing this per Yanel instance, 
which means within yanel.xml it has a flag to enable this functionality, 
but to be sure I need to analyze it and size the effort.

Cheers

Michi

> Bruno
>
> -
>
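
The session-based check discussed in this thread, sketched as an added example that is not part of the original message and not Yanel code: one login holder per (realm, user), an instance-wide switch, and a per-user multi-login exemption. The class, method and flag names are assumptions, and the realm, users and session ids are constructed.

```java
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch: class, method and flag names are assumptions, not Yanel API.
public class SingleLoginRegistry {
    private final boolean enforceSingleLogin;          // instance-wide switch (the yanel.xml flag idea)
    private final Set<List<String>> multiLoginUsers;   // per-user exemption, keyed by (realm, user)
    // (realm, user) -> id of the session that currently holds the login
    private final ConcurrentHashMap<List<String>, String> active = new ConcurrentHashMap<>();

    public SingleLoginRegistry(boolean enforceSingleLogin, Set<List<String>> multiLoginUsers) {
        this.enforceSingleLogin = enforceSingleLogin;
        this.multiLoginUsers = Set.copyOf(multiLoginUsers);
    }

    // True if this session may sign in; false if another session already holds the login.
    public boolean tryLogin(String realm, String user, String sessionId) {
        List<String> key = List.of(realm, user);
        if (!enforceSingleLogin || multiLoginUsers.contains(key)) {
            return true;
        }
        // putIfAbsent is atomic, so two simultaneous logins cannot both succeed.
        String holder = active.putIfAbsent(key, sessionId);
        return holder == null || holder.equals(sessionId);
    }

    // Must run on logout AND on session timeout (in a servlet container, from
    // HttpSessionListener.sessionDestroyed), otherwise a closed browser locks the user out.
    public void release(String realm, String user, String sessionId) {
        active.remove(List.of(realm, user), sessionId); // only the holding session can release
    }

    public static void main(String[] args) {
        // Constructed sample realm, users and session ids.
        SingleLoginRegistry reg = new SingleLoginRegistry(true, Set.of(List.of("demo", "tester")));
        System.out.println("alice, computer A: " + reg.tryLogin("demo", "alice", "sess-A"));
        System.out.println("alice, computer B: " + reg.tryLogin("demo", "alice", "sess-B"));
        reg.release("demo", "alice", "sess-A");
        System.out.println("alice, B after A logs out: " + reg.tryLogin("demo", "alice", "sess-B"));
        System.out.println("tester, 2nd session: "
                + (reg.tryLogin("demo", "tester", "s1") && reg.tryLogin("demo", "tester", "s2")));
    }
}
```

This variant rejects the second login; the alternative policy of invalidating the older session instead would replace the holder in `tryLogin` and terminate the previous session.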


