> Let me clarify a little - since a lot of answers seemed to focus on "MachineA
> Vs MachineB"
>
> What I need is "only one valid session from UserA at given point" - so two
> sessions - one from Chrome and other from Firefox - both from MachineA -
> should be disallowed. (Not sure if it makes problem easy or difficult)
You still need to be able to distinguish one machine/browser from another in order to know whether a given login request is coming from a different client. The user agent will tell you if a different browser is being used (though it can be spoofed, so this is not a security measure), but that won't help if someone is using the same browser on two different machines (also, what kind of app requires that users should not be able to log in from different browsers on the same machine?). And as already mentioned, there are limitations to using IP address to uniquely identify machines.

> *Theoretically* I am thinking the following:
>
> in pre-login (if I can intercept login attempt) - put a code that checks
> whether user that is trying to login - has already logged in (and not
> logged out yet). If yes, do not allow the login (or somehow forcibly
> invalidate "other" session - and allow "this" login attempt to go through)

Maybe add a session_id field to db.auth_user, and when a user logs in (a) check that field, and if it has a value, delete the session file associated with the existing ID (if it exists) and (b) store the new session_id. Note, this won't work with cookie based sessions -- in that case, you would instead have to check the session_id value stored in db.auth_user on every request in order to catch and invalidate the session cookie from the older session (this adds a db lookup to every request -- might want to cache these in RAM, though you may need to clean up periodically if there are a large number of users).

Also, note that this doesn't protect against session hijacking. It only protects against multiple simultaneous logins (which would be using different sessions rather than sharing a single hijacked session).
Anthony

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
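A framework-agnostic sketch of the scheme described above, added here as an example (it is not code from the thread or from web2py). Plain dicts stand in for the `db.auth_user` table and for the server-side session store; `validate_request` is the per-request check needed when sessions live in cookies, and it assumes the cookie's integrity has already been verified elsewhere.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserRecord:
    """Stand-in for a db.auth_user row with the extra session_id column."""
    username: str
    session_id: Optional[str] = None


class SingleSessionAuth:
    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}      # constructed auth_user table
        self.sessions: Dict[str, str] = {}          # server-side store: sid -> user

    def add_user(self, username: str) -> None:
        self.users[username] = UserRecord(username)

    def login(self, username: str) -> str:
        """Issue a new session and invalidate any session the user already had."""
        user = self.users[username]
        # (a) a previous session_id is recorded: drop its server-side state,
        #     the equivalent of deleting the old session file.
        if user.session_id is not None:
            self.sessions.pop(user.session_id, None)
        # (b) record the new session_id against the user.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        user.session_id = sid
        return sid

    def validate_request(self, username: str, sid: str) -> bool:
        """Per-request check for cookie-based sessions: a cookie is accepted
        only if its sid matches the one currently stored for the user, so a
        cookie from an older login is rejected even though it is well-formed."""
        user = self.users.get(username)
        return user is not None and user.session_id == sid

    def logout(self, username: str, sid: str) -> None:
        if self.validate_request(username, sid):
            self.sessions.pop(sid, None)
            self.users[username].session_id = None
```

Logging in twice (say, Chrome then Firefox on the same machine) leaves only the second session valid; the first one fails `validate_request` on its next request.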