Feature #6499

Prevent double login

Added by Yannick Warnier over 6 years ago. Updated about 3 years ago.

Feature implemented
Global / Others / Misc
Target version:
Start date:
Due date:
% Done:


Estimated time:
SCRUM pts - complexity:


There have been many discussions (both online and offline) about preventing the same user to login twice at the same time from two different machines.

The issue isn't very easy to solve, because blocking a user based on a specific computer is a bit tricky (IP addresses are only valid if there is no NATting and user agents can be the same), and the logic would be "the first user connecting is the right one", which might not always be correct.

Also, when you want to connect from another computer because the first one has "burnt", for example (or just froze) and you are giving a time-limited exam, having a single-login policy would imply waiting for some time after the session on the other side expired naturally (which is currently something around 30 minutes) to be able to login again, which would clearly but you in a bad situation in an exam...

So if implementing this feature, it should go along a global setting to enable it, to avoid frustration.

In my view, the setting should go into the "Security" section of the configuration settings. Something like:

INSERT INTO settings_current
(variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable)
('prevent_multiple_logins', NULL, 'radio', 'Security', 'false', 'PreventMultipleSimultaneousLoginTitle', 'PreventMultipleSimultaneousLoginComment', NULL, NULL, 1);

INSERT INTO settings_options (variable, value, display_text)
('prevent_multiple_logins', 'true', 'Yes'),
('prevent_multiple_logins', 'false', 'No');

Then the logic should probably be modified around line 242 of main/inc/ to check the existing ongoing open sessions, and another one should be added to conditional_login() functions called at the beginning of the same script.

I'm setting this for version 1.10 (for which the above will change slightly), but it is not a priority. It is mostly so people wanting to implement it before then (i.e. in 1.9.*) can know where to start.

Associated revisions

Revision c1e17e81 (diff)
Added by jmontoyaa about 3 years ago

Fix block of admin when setting prevent_multiple_simultaneous_login see #6499



Updated by Noa Orizales Iglesias over 6 years ago

The main reason why users ask for this functionality is because they want to avoid multiple users in a pay-per-use course. Users want to ensure that if a course costs 200 € and one user buys it, only that person will be able to access. They want to avoid a second person (that did not pay) from connecting to the course at the same time.


Updated by Luis Cordova about 6 years ago

  • Assignee set to Luis Cordova

Updated by Julio Montoya about 6 years ago

Some comments:

- In 1.10 we don't use main/inc/ any more. We use the SecurityServiceProvider
- The DB changes must be added in


Updated by Noa Orizales Iglesias over 5 years ago

  • Assignee changed from Luis Cordova to Yannick Warnier

Yannick, Can you reasign this task to someone? It seems that Luis Cordova is not developing it. Ask Roberto G. if needed.


Updated by Yannick Warnier over 5 years ago

  • Assignee deleted (Yannick Warnier)

It is still too early to develop this in v10. We first need to clean the SecurityServiceProvider stuff.

The priorities for v10 have not been set correctly yet, but in short we first need to review all drastic database and configuration changes.
After that we can really start with non-core stuff like this one.


Updated by Yannick Warnier almost 4 years ago

  • Assignee set to Nicolas Ducoulombier

Nicolas, I think this task was updated when 1.10 was not really what was released in the end. Could you check the current "prevent_simultaneous_login" setting in 1.10 works, and maybe also in 2.0, to update this task?


Updated by Nicolas Ducoulombier almost 4 years ago

  • Status changed from New to Assigned
  • Assignee changed from Nicolas Ducoulombier to Julio Montoya

In 1.10 and master, the option is present in the administration and there is the code corresponding to what has been developped for 1.9 but it does not work.

The 3 commits are all present but for some reason it does not work anymore.


Updated by Noa Orizales Iglesias about 3 years ago

Can any one tell me what to do with this task, please? Can we close it?


Updated by Yannick Warnier about 3 years ago

  • Assignee changed from Julio Montoya to Angel Quiroz
  • Target version changed from 2.0 to 1.11.0

Asignando a Angel para revisión, pero creo que ya la corregimos.


Updated by Yannick Warnier about 3 years ago

  • Assignee changed from Angel Quiroz to Julio Montoya

Ya Angel tiene muchas cosas :-)


Updated by Julio Montoya about 3 years ago

  • Status changed from Assigned to Needs more info
  • Assignee deleted (Julio Montoya)

Updated by Yannick Warnier about 3 years ago

  • Status changed from Needs more info to Feature implemented
  • % Done changed from 0 to 100

Yup, fix confirmed. Thanks.

Also available in: Atom PDF