Limit concurrent logins


As Elgg is it's possible to use the same account and login as many times you want at the same time.

Is there some way to limit that to 2 or 3?

The reason is I want to limit misuse of accounts.

  • core uses function login() with no validation. proibably need to code a login hook to check - maybe against (plugin) metadata or session (tbl) data to validate multiple counts and then allow or block..


  • Hi Dhrup

    Thanks, I'll have to hook into login - so far so good... Problem is how to check session, and allow for say 2 simultanious logins (for couple profiles).

    Maybe a core developer can enlighten me? :-)

  • maybe easier to :-
    hook into login (@top priority),
    store (increment counter) metadata for userid @ login time;
    then at each login --
    fetch that metadata and check how many logins ?
    if > 3 --> error! else ok continue..
    and @logout -> decrement counter.


  • In an ideal world that would be okay, but I see users who never logout.

    For those it would be impossible to login in at another location because their netadata says they already are logged in. To fix that I would need to somehow force the old session to close/logout.

  • You could track login sessions with a timestamp instead of an int. For example, put an annotation on the user called "login_time" and make the value the current time stamp. When logging in, use elgg_get_annotations() to get annotations named "login_time" for the user with a value that's within 6 hours or something. That will give you how many times they logged in over the last 6 hours.

    To keep your annotations table trim, you should also set up a cron job to delete annotations older than a day (or whatever).

  • Also an option is to only allow one single session (per user) to be active. A new login than should invalidate other sessions. Just store last_login in $SESSION as a specific variable and check it against $user->last_login to invalidate (logout) the current session if you have been logged in somewhere else.

  • @Brett - There are some nice things about your idea, except I maybe would do it all as metadata on the user, like a serialized array stored in metadata.

    @Jeroen - that's not bad, except when it's a couple profile - that's why I would allow for 2 concurrent logins.