> > *Theoretically* I am thinking following : >> >> in pre-login (if I can intercept login attempt) - put a code that checks >> whether user that is trying to login - has already logged in (and not >> logged out yet) If yes, do not allow the login (or somehow forcely >> invalidate "other" session - and allow "this" login attempt to go thru) >> > > Maybe add a session_id field to db.auth_user, and when a user logs in (a) > check that field, and if it has a value, delete the session file associated > with the existing ID (if it exists) and (b) store the new session_id. Note, > this won't work with cookie based sessions -- in that case, you would > instead have to check the session_id value stored in db.auth_user on every > request in order to catch and invalidate the session cookie from the older > session (this adds a db lookup to every request -- might want to cache > these in RAM, though you may need to clean up periodically if there are a > large number of users). > > Also, note that this doesn't protect against session hijacking. It only > protects against multiple simultaneous logins (which would be using > different sessions rather than sharing a single hijacked session). >
And keep in mind that this isn't really a security measure -- if an attacker has obtained the login credentials of a user, you are letting the attacker log in. For this to help with security, you would have to warn the original user about a login taking place from a new client. Anthony > > Anthony > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
