Hi,
As Elgg is, it's possible to use the same account and log in as many times as you want at the same time.
Is there some way to limit that to 2 or 3?
The reason is I want to limit misuse of accounts.
- DhrupDeScoop (@Dhrup2000)
- slyhne (@slyhne)
- DhrupDeScoop (@Dhrup2000)
- slyhne (@slyhne)
- Brett (@brett.profitt)
- Jeroen Dalsem (@jdalsem)
- slyhne (@slyhne)
Core uses function login() with no validation. Probably need to code a login hook to check - maybe against (plugin) metadata or session (tbl) data to validate multiple counts and then allow or block.
Hi Dhrup
Thanks, I'll have to hook into login - so far so good... Problem is how to check session, and allow for say 2 simultaneous logins (for couple profiles).
Maybe a core developer can enlighten me? :-)
maybe easier to :-
hook into login (@top priority),
store (increment counter) metadata for userid @ login time;
then at each login --
fetch that metadata and check how many logins ?
if > 3 --> error! else ok continue..
and @logout -> decrement counter.
In an ideal world that would be okay, but I see users who never logout.
For those it would be impossible to log in at another location because their metadata says they already are logged in. To fix that I would need to somehow force the old session to close/logout.
You could track login sessions with a timestamp instead of an int. For example, put an annotation on the user called "login_time" and make the value the current time stamp. When logging in, use elgg_get_annotations() to get annotations named "login_time" for the user with a value that's within 6 hours or something. That will give you how many times they logged in over the last 6 hours.
To keep your annotations table trim, you should also set up a cron job to delete annotations older than a day (or whatever).
Also an option is to only allow one single session (per user) to be active. A new login then should invalidate other sessions. Just store last_login in $SESSION as a specific variable and check it against $user->last_login to invalidate (logout) the current session if you have been logged in somewhere else.
@Brett - There are some nice things about your idea, except I maybe would do it all as metadata on the user, like a serialized array stored in metadata.
@Jeroen - that's not bad, except when it's a couple profile - that's why I would allow for 2 concurrent logins.
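The ideas in this thread combined into one piece of logic, as an added example that is not from any poster or from Elgg itself: per-session timestamps instead of a counter, an idle timeout for users who never log out, and invalidation of the oldest session once a limit of N is reached. It makes no Elgg API calls; the class name, constants and sample session ids are hypothetical, and loading and saving the array (for instance as user metadata) is left to the plugin.

```php
<?php
// Added example, PHP 7.3+. SessionLimiter and its constants are hypothetical names.
// $sessions is one user's [session_id => last_seen_unix_time] array, which a plugin
// would load from and save back to the user's metadata around each call.
final class SessionLimiter
{
    const MAX_SESSIONS = 2;      // assumed limit, e.g. a couple profile
    const IDLE_TIMEOUT = 21600;  // assumed: 6 hours in seconds

    // Forget sessions idle past the timeout (users who never log out).
    public static function prune(array $sessions, int $now): array
    {
        return array_filter($sessions, function ($lastSeen) use ($now) {
            return ($now - $lastSeen) <= self::IDLE_TIMEOUT;
        });
    }

    // At login: returns [updated sessions, ids evicted to make room].
    public static function onLogin(array $sessions, string $newId, int $now): array
    {
        $sessions = self::prune($sessions, $now);
        unset($sessions[$newId]);
        asort($sessions); // least recently active first
        $evicted = [];
        while (count($sessions) >= self::MAX_SESSIONS) {
            $oldest = array_key_first($sessions);
            unset($sessions[$oldest]);
            $evicted[] = (string) $oldest;
        }
        $sessions[$newId] = $now;
        return [$sessions, $evicted];
    }

    // On each request: refreshed sessions, or null when this session was
    // evicted or expired and the caller should log it out.
    public static function onRequest(array $sessions, string $id, int $now): ?array
    {
        $sessions = self::prune($sessions, $now);
        if (!isset($sessions[$id])) {
            return null;
        }
        $sessions[$id] = $now;
        return $sessions;
    }
}
// Constructed sample: one stale and two live sessions, then a third login.
$now = 1700000000;
$stored = ['aaa' => $now - 30000, 'bbb' => $now - 600, 'ccc' => $now - 60];
[$stored, $evicted] = SessionLimiter::onLogin($stored, 'ddd', $now);
var_dump($evicted, SessionLimiter::onRequest($stored, 'bbb', $now + 10));
```

Because the array is read, changed and written back, two logins arriving at the same moment can overwrite each other's update, so the load and save should happen under whatever locking the storage layer offers.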