I agree that this could be annoying, but the request came from "customer" :) - We are trying to negotiate this down, but in the meantime I would like to be prepared, if this becomes a "hard" requirement. (As I explained - this is also tied to a security issue - I'll write to you separately)

Anyway - assuming that I decided to add these checks, *where in the "flow" should these checks go?* (and prevent login/invalidate the older session)

-Mandar

On Wednesday, October 15, 2014 1:18:19 AM UTC+5:30, Anthony wrote:
> You could check things like IP address and user agent, but these are imperfect identifiers (generating false positives and false negatives). You should also decide if you really need this level of security, as users may legitimately want to be logged in from multiple places (e.g., from laptop as well as tablet or phone). I'm currently logged into Google Groups from three different devices and would be quite annoyed if I had to keep logging in again when I move between devices.
>
> Anthony
>
> On Tuesday, October 14, 2014 2:01:19 PM UTC-4, Mandar Vaze wrote:
>> This is related to possible security issue. I've written "privately" to Massimo and Anthony (in another email on this list - they suggested that security issues not be discussed "publicly" on this list)
>>
>> Let's say UserA logs in successfully from MachineA
>> now without logging out from MachineA - UserA logs in from MachineB
>>
>> Is it possible to either:
>> not allow login from MachineB (show message that "You are currently logged in from MachineA - continue to access the application from MachineA, or logout from MachineA"... or some such message.)
>> OR
>> allow login from MachineB - but forcefully log out userA from MachineA (since login from MachineB was later)
>>
>> Either case - UserA is logged in only once from any machine/browser
>>
>> I prefer second option - cause the (legitimate) reason why UserA is logging in from MachineB is because s/he doesn't have access to MachineA (at this point)
>>
>> -Mandar
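
The two options discussed in this thread (refuse the second login, or let the newer login invalidate the older session), as an added, framework-independent sketch that is not part of the thread and not web2py code. The class and method names are hypothetical, the in-memory dict stands in for a per-user database column, and the idle timeout is an assumption added so that the "refuse" policy cannot lock a user out indefinitely; `login()` is meant to run once credentials have been verified and `check()` at the start of every authenticated request.

```python
import secrets
import time


class SingleSessionRegistry:
    """Tracks the single session token allowed per user (hypothetical helper)."""

    def __init__(self, policy="replace", idle_timeout=1800, clock=time.time):
        if policy not in ("replace", "reject"):
            raise ValueError("policy must be 'replace' or 'reject'")
        self.policy = policy
        self.idle_timeout = idle_timeout  # seconds; assumption, not from the thread
        self.clock = clock
        self._active = {}  # user_id -> (token, last_seen); stand-in for a DB column

    def login(self, user_id):
        """Call after credentials are verified. Returns a token, or None if refused."""
        now = self.clock()
        current = self._active.get(user_id)
        still_live = current is not None and now - current[1] < self.idle_timeout
        if still_live and self.policy == "reject":
            return None  # option 1: another session is active, refuse this login
        # option 2 (or no live session): the new token silently replaces the old one
        token = secrets.token_urlsafe(32)
        self._active[user_id] = (token, now)
        return token

    def check(self, user_id, token):
        """Call on every request. False means this session must be dropped."""
        current = self._active.get(user_id)
        if current is None or token is None:
            return False
        if not secrets.compare_digest(current[0], token):
            return False  # a newer login replaced this session
        now = self.clock()
        if now - current[1] >= self.idle_timeout:
            del self._active[user_id]
            return False
        self._active[user_id] = (token, now)  # refresh last-seen time
        return True

    def logout(self, user_id, token):
        """Only the holder of the current token can end the active session."""
        current = self._active.get(user_id)
        if current is not None and secrets.compare_digest(current[0], token):
            del self._active[user_id]
```

The token kept in the user's session is compared against the one stored for the account, so the check does not depend on IP address or user agent.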