Hi there!
First I want to say a big thanks to the developers of US. It is a great framework!
I have one question: is there any internal variable and/or function which could help me implement the following:
I want to limit the number of a user's simultaneous sessions to just 1 (one).
Explaining: a user logged in from a "device one". If this user decides to log in using another "device two" without a previous log off from "pc one", I want to close the session in "pc one" automatically.
PS: the idea of forbidding the user from logging in to another session before his previous session is closed isn't practical.
Thank you all for the great job.
Demilson
Dear Brandin,
I just upgraded to the most recent version: 4.3.23. Everything went well during the update process.
Now, I'm back thinking how to limit the user's logged session number to just 1.
I just found the custom_login_script.php and it seems to be a good place to put something like this:
$db->query("UPDATE us_user_sessions SET UserSessionEnded=1,UserSessionEnded_Time=NOW() WHERE UserSessionEnded=0 AND kUserSessionID <> ?",[$_SESSION['kUserSessionID']]);
What do you think?
Thank you!
Demilson
Looks good to me. Test it out - there is a chance it won't work since I do not recall if the Session is generated before or after the custom login script - we'll have to look into it.
Hi Brandin!
It seems I achieved the solution. I just added the following in the file custom_login_script.php and a user won't be able to log in more than one time simultaneously. To test: open a session on one device and then try to log in to another session (same user, of course) from another device or even from a browser private navigation window.
<?php
//Whatever you put here will happen after the username and password are verified and the user is "technically" logged in, but they have not yet been redirected to their starting page. This gives you access to all the user's data through $user->data()
$db->query("UPDATE us_user_sessions SET UserSessionEnded=1,UserSessionEnded_Time=NOW() WHERE UserSessionEnded=0 AND fkUserID=?", [$_SESSION['user']]);
Redirect::to($us_url_root.'users/account.php');
?>
Please, could you verify if the way I log off the previously opened session is "a nice one"?
Thank you!
Demilson
PS: I've just found the file oauth_success_redirect.php inside userc/includes. Should I use it instead of custom_login_script.php?
Hi Demilson,
Thanks for your reply. Glad to hear it worked.
Can you please elaborate on the "a nice one"? If you're just referencing the query, I would say it is fine.
As for the redirect, that is only a redirect for using FB and Google OAuth, which actually I don't even think is controlled from there anymore (I think that's just a failsafe maybe?)
Brandin.
Is session management turned on in the dashboard?
Sorry. It took me a second. Try this in usersc/scripts/custom_login_script.php
$sessions = fetchUserSessions();
if($sessions){
    $count = count($sessions);
    if($count > 1){
        $sessions = array_reverse($sessions);
        foreach($sessions as $k=>$v){
            if($k != 0){
                killSessions($sessions[$k]);
            }
        }
    }
}
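
An added example, not code from any poster in this thread or from UserSpice: it compares how the two UPDATE statements quoted above are scoped, next to a third variant that filters on both the user and the current session. It runs on a constructed in-memory SQLite table whose layout is assumed from the column names in the posts, with CURRENT_TIMESTAMP standing in for NOW().

```python
import sqlite3

# Constructed sample rows: (kUserSessionID, fkUserID, UserSessionEnded).
# User 10 has just logged in from a second device and received session 4;
# sessions 1 and 2 are that user's older sessions, session 3 is another user's.
ROWS = [(1, 10, 0), (2, 10, 0), (3, 20, 0), (4, 10, 0)]

# WHERE clauses under comparison. The first two are the ones quoted in the
# thread; the third is an assumed variant combining both filters.
VARIANTS = {
    "all_but_current": "UserSessionEnded=0 AND kUserSessionID <> :sid",
    "all_for_user": "UserSessionEnded=0 AND fkUserID = :uid",
    "user_but_current": "UserSessionEnded=0 AND fkUserID = :uid "
                        "AND kUserSessionID <> :sid",
}


def open_sessions_after(variant, user_id, current_session_id):
    """Apply one variant to a fresh table; return session IDs still open."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE us_user_sessions ("
        "kUserSessionID INTEGER PRIMARY KEY, fkUserID INTEGER, "
        "UserSessionEnded INTEGER, UserSessionEnded_Time TEXT)"
    )
    db.executemany("INSERT INTO us_user_sessions VALUES (?, ?, ?, NULL)", ROWS)
    db.execute(
        "UPDATE us_user_sessions SET UserSessionEnded=1, "
        "UserSessionEnded_Time=CURRENT_TIMESTAMP WHERE " + VARIANTS[variant],
        {"uid": user_id, "sid": current_session_id},
    )
    rows = db.execute(
        "SELECT kUserSessionID FROM us_user_sessions "
        "WHERE UserSessionEnded=0 ORDER BY kUserSessionID"
    ).fetchall()
    db.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for name in VARIANTS:
        # Assumes the new session row (4) already exists when the script runs;
        # the thread leaves open whether it is created before or after.
        print(name, "->", open_sessions_after(name, user_id=10,
                                              current_session_id=4))
```

Without the fkUserID filter every other user's open session is ended on each login, and without the session ID filter the new session is ended too if its row already exists at that point.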