Prevent double login
There have been many discussions (both online and offline) about preventing the same user from logging in twice at the same time from two different machines.
The issue isn't very easy to solve, because blocking a user based on a specific computer is a bit tricky (IP addresses are only valid if there is no NATting and user agents can be the same), and the logic would be "the first user connecting is the right one", which might not always be correct.
Also, when you want to connect from another computer because the first one has "burnt", for example (or just froze) and you are giving a time-limited exam, having a single-login policy would imply waiting for some time after the session on the other side expired naturally (which is currently something around 30 minutes) to be able to log in again, which would clearly put you in a bad situation in an exam...
So if implementing this feature, it should go along with a global setting to enable it, to avoid frustration.
In my view, the setting should go into the "Security" section of the configuration settings. Something like:
INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable)
  VALUES ('prevent_multiple_logins', NULL, 'radio', 'Security', 'false', 'PreventMultipleSimultaneousLoginTitle', 'PreventMultipleSimultaneousLoginComment', NULL, NULL, 1);
INSERT INTO settings_options (variable, value, display_text)
  VALUES ('prevent_multiple_logins', 'true', 'Yes'), ('prevent_multiple_logins', 'false', 'No');
Then the logic should probably be modified around line 242 of main/inc/local.inc.php to check the existing ongoing open sessions, and another one should be added to conditional_login() functions called at the beginning of the same script.
I'm setting this for version 1.10 (for which the above will change slightly), but it is not a priority. It is mostly so people wanting to implement it before then (i.e. in 1.9.*) can know where to start.
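The trade-off described in this post, as an added example that is not part of the original post and is not Chamilo code: a one-session-per-user check keyed on the session id (not on IP address or user agent), gated by a global setting. The class, method and constant names are hypothetical, and the 1800-second idle timeout is an assumption based on the "around 30 minutes" mentioned above.

```php
<?php
// Added illustration, not Chamilo code; every name here is hypothetical.
const SESSION_IDLE_TIMEOUT = 1800; // assumed: the ~30 minutes mentioned above

final class LoginRegistry
{
    /** @var array<int, array{sid: string, last_seen: int}> keyed by user id */
    private array $active = [];

    public function __construct(private bool $preventMultipleLogins) {}

    /** Returns true when the login is accepted, false when it is refused. */
    public function login(int $userId, string $sessionId, int $now): bool
    {
        $current = $this->active[$userId] ?? null;
        // Another session counts as live until it has been idle for the timeout.
        $otherIsLive = $current !== null
            && $current['sid'] !== $sessionId
            && ($now - $current['last_seen']) < SESSION_IDLE_TIMEOUT;

        if ($this->preventMultipleLogins && $otherIsLive) {
            return false; // policy: the first session to connect wins
        }
        $this->active[$userId] = ['sid' => $sessionId, 'last_seen' => $now];
        return true;
    }

    /** Call on each authenticated request so an active session stays live. */
    public function touch(int $userId, string $sessionId, int $now): void
    {
        if (($this->active[$userId]['sid'] ?? null) === $sessionId) {
            $this->active[$userId]['last_seen'] = $now;
        }
    }
}

// Constructed scenario: a student's first machine freezes during an exam.
$t0 = 1700000000;
$registry = new LoginRegistry(true);
var_dump($registry->login(42, 'sess-A', $t0));        // first machine logs in
var_dump($registry->login(42, 'sess-B', $t0 + 300));  // second machine, 5 min later
var_dump($registry->login(42, 'sess-B', $t0 + 1800)); // second machine, after idle timeout
```

With the setting enabled, the frozen machine's session blocks the second machine until the idle timeout has passed, which is the exam lockout the post warns about; constructing the registry with `false` accepts every login.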
Updated by Noa Orizales Iglesias about 6 years ago
The main reason why users ask for this functionality is because they want to avoid multiple users in a pay-per-use course. Users want to ensure that if a course costs 200 € and one user buys it, only that person will be able to access. They want to avoid a second person (that did not pay) from connecting to the course at the same time.
Updated by Yannick Warnier about 5 years ago
- Assignee deleted (
It is still too early to develop this in v10. We first need to clean the SecurityServiceProvider stuff.
The priorities for v10 have not been set correctly yet, but in short we first need to review all drastic database and configuration changes.
After that we can really start with non-core stuff like this one.
Updated by Yannick Warnier over 3 years ago
- Assignee set to Nicolas Ducoulombier
Nicolas, I think this task was updated when 1.10 was not really what was released in the end. Could you check the current "prevent_simultaneous_login" setting in 1.10 works, and maybe also in 2.0, to update this task?
Updated by Nicolas Ducoulombier over 3 years ago
- Status changed from New to Assigned
- Assignee changed from Nicolas Ducoulombier to Julio Montoya
In 1.10 and master, the option is present in the administration and there is the code corresponding to what has been developed for 1.9, but it does not work.
The 3 commits are all present but for some reason it does not work anymore.
Updated by Julio Montoya almost 3 years ago
- Status changed from Assigned to Needs more info
- Assignee deleted (
I have just fixed it (admin lockout)