You could check things like IP address and user agent, but these are imperfect identifiers (generating false positives and false negatives). You should also decide if you really need this level of security, as users may legitimately want to be logged in from multiple places (e.g., from laptop as well as tablet or phone). I'm currently logged into Google Groups from three different devices and would be quite annoyed if I had to keep logging in again when I move between devices.
Anthony

On Tuesday, October 14, 2014 2:01:19 PM UTC-4, Mandar Vaze wrote:
>
> This is related to possible security issue. I've written "privately" to
> Massimo and Anthony (in another email on this list - they suggested that
> security issues not be discussed "publicly" on this list)
>
> Let's say UserA logs in successfully from MachineA
> now without logging out from MachineA - UserA logs in from MachineB
>
> Is it possible to either :
> not allow login from MachineB (show message that "You are currently logged
> in from MachineA - continue to access the application from MachineA, or
> logout from MachineA"... or some such message.)
> OR
> allow login from MachineB - but forcefully log out userA from MachineA
> (since login from MachineB was later)
>
> Either case - UserA is logged in only once from any machine/browser
>
> I prefer second option - cause the (legitimate) reason why UserA is
> logging in from MachineB is because s/he doesn't have access to MachineA
> (at this point)
>
> -Mandar
>
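
The two policies asked about in this thread, as an added example that is not part of either message and is not web2py code: a framework-independent sketch that keeps one server-side session token per user instead of relying on IP address or user agent. `SingleSessionRegistry`, its method names, the policy names and `IDLE_TIMEOUT` are hypothetical, and the in-memory dict stands in for a database table.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # assumed idle limit in seconds (not from the thread)


class SingleSessionRegistry:
    """Tracks the one active session token per user (hypothetical helper)."""

    def __init__(self, policy="evict_old", now=time.time):
        if policy not in ("evict_old", "deny_new"):
            raise ValueError("unknown policy")
        self.policy = policy
        self.now = now
        self.active = {}  # user_id -> (token, last_seen)

    def login(self, user_id):
        """Call after credentials are verified. Returns a token, or None if refused."""
        current = self.active.get(user_id)
        if self.policy == "deny_new" and current is not None:
            # Without this idle check, a user who cannot reach MachineA
            # to log out would be locked out indefinitely.
            if self.now() - current[1] < IDLE_TIMEOUT:
                return None
        token = secrets.token_urlsafe(32)
        # Storing the new token invalidates whatever session existed before.
        self.active[user_id] = (token, self.now())
        return token

    def check(self, user_id, token):
        """Call on every request. False means: treat the request as logged out."""
        current = self.active.get(user_id)
        if current is None:
            return False
        if not hmac.compare_digest(current[0].encode(), token.encode()):
            return False  # an older session that a later login replaced
        if self.now() - current[1] >= IDLE_TIMEOUT:
            del self.active[user_id]
            return False
        self.active[user_id] = (token, self.now())
        return True

    def logout(self, user_id, token):
        """Only the holder of the active token can end the session."""
        if self.check(user_id, token):
            del self.active[user_id]
```

In an application the token would live in the user's server-side session and `check` would run before every authenticated request.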