Ensure single session per user

Hey Everyone,

I would like to add the ability to control that a single user can be
logged in only once. In other words, if User “A” logs in and then
another person with User “A” credentials logs in, it will destroy the
session of the first session and log them out. As far as the security
of the matter goes, I’d rather that the correct owner of User “A” with
valid access to email, reset their password so the other person will not
have access.
I am using the restful_auth plugin with the standard for the session
controller. I am using the DB session if that matters. I’d like to
know if there is a built-in method or before_filter available or if
someone has already come up with a solution to make this possible.

Thank you for your help in advance!

Nick

On Wed, Feb 17, 2010 at 3:19 PM, Nick G. wrote:

someone has already come up with a solution to make this possible.
Sessions are serialised (can’t be queried with ordinary SQL) and
handled by Rails, they may belong to anonymous users also depending on
the application. I wouldn’t touch sessions themselves. A simple
approach would be to add a session_id fk to your users table.

Let’s say persons p, q have credentials for account A. Let’s say p is
logged in.

When user q logs in, since session_id is not null (it has p’s session
ID) and it is different than q’s session ID, you just delete the
session record of p, assign the current session ID to session_id, and
save current_user.

When p comes back, the session with the session_id in his cookie is
gone, he’s been logged out.

But the logic is a bit strange, now p can log in again thus logging q
out back. Wouldn’t you prefer that q cannot log in while p has a
session? What is your current rationale?

Any code examples available? Any links for me to check out their method?
Hopefully it’s simple with Restful Auth.

My current rationale for allowing the second person to bump the first
person is to get them annoyed enough for them to have 2 separate user
accounts as well as making sure that same user can’t be logged in on two
different browsers. If users are locked out because they left a
browser open on a different computer and require me to remove their
session, that would be a nightmare for me. To have a session timeout
would also be a pain for them as they have a certain way they would like
to work with the system. This seems to be the only way.

Thank you for your help,

Nick

Nick G. wrote:

My current rationale for allowing the second person to bump the first
person is to get them annoyed enough for them to have 2 separate user

Well, I hope you have a captive audience. The first time a site
“annoyed” me in the manner would be the last time I’d use the site. If I
had any choice in the matter anyway.

On Wed, Feb 17, 2010 at 7:03 PM, Nick G. wrote:

Any code examples available? Any links for me to check out their method?
Hopefully it’s simple with Restful Auth.

You basically need to create a Session model to manage the existing
sessions table with AR.

Then, write a filter that implements that logic I explained in the
previous mail. Put that filter after the one that checks for logged in
users, so you have a current_user.

If you redirect upon a successful login you’re done (modulo this is
all off the top of my head).
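
The logic described in the two replies above, as plain Ruby (an added example, not code from the thread or from the restful_auth plugin). `SessionStore`, `User` and `SingleSessionAuth` are hypothetical in-memory stand-ins for the sessions table, the users table with its `session_id` column, and the filter; as an assumption of this sketch, login issues a fresh session ID instead of reusing the pre-login one.

```ruby
require "securerandom"

# Stand-in for the DB-backed sessions table (assumption: in-memory hash).
class SessionStore
  def initialize
    @rows = {} # session_id => session data
  end

  def create(data)
    sid = SecureRandom.hex(16) # fresh, unguessable ID for every login
    @rows[sid] = data
    sid
  end

  def find(sid)
    @rows[sid]
  end

  def destroy(sid)
    @rows.delete(sid)
  end
end

# Stand-in for the users table with the extra session_id column.
User = Struct.new(:login, :session_id)

class SingleSessionAuth
  def initialize(store, users)
    @store = store
    @users = users # login => User
  end

  # Call only after the credentials have been verified.
  def log_in(login)
    user = @users.fetch(login)
    @store.destroy(user.session_id) if user.session_id # bump the old session
    user.session_id = @store.create(login: login)
  end

  # The filter: a session counts only if it is the one recorded on the user,
  # so a stale cookie is rejected even if its session row was not deleted.
  def current_user(sid)
    row = sid && @store.find(sid)
    return nil unless row
    user = @users[row[:login]]
    user if user && user.session_id == sid
  end
end
```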

Robert W. wrote:

Nick G. wrote:

My current rationale for allowing the second person to bump the first
person is to get them annoyed enough for them to have 2 separate user

Well, I hope you have a captive audience. The first time a site
“annoyed” me in the manner would be the last time I’d use the site. If I
had any choice in the matter anyway.

I do have a very exclusive market for my site as this is really a
project for a very niche market for a larger company. The annoyance
factor is to prevent them from hurting themselves by creating a single
user account for their office and just entering all the data by several
different people at the same time and then reporting against that. Not
good.

I need help with a code example. Thank you for the help, but I need
help with a visual example so I can see how it’s done.

Thank you,

Nick

Nick G. wrote:

Robert W. wrote:

Nick G. wrote:

My current rationale for allowing the second person to bump the first
person is to get them annoyed enough for them to have 2 separate user

Well, I hope you have a captive audience. The first time a site
“annoyed” me in the manner would be the last time I’d use the site. If I
had any choice in the matter anyway.

I do have a very exclusive market for my site as this is really a
project for a very niche market for a larger company. The annoyance
factor is to prevent them from hurting themselves by creating a single
user account for their office and just entering all the data by several
different people at the same time and then reporting against that. Not
good.

If users will be “hurting themselves”, then they won’t do it. If you
annoy your users, you will lose your users. I totally agree with Robert
here.

In other words: provide obvious rewards for doing it the right way.
Don’t provide deliberate annoyance for doing it the wrong way.

I need help with a code example. Thank you for the help, but I need
help with a visual example so I can see how it’s done.

Just don’t.

Thank you,

Nick

Best,

Marnen Laibow-Koser
http://www.marnen.org

Guys, my question is regarding how to do this, not what you think
about the way I am going about it. I was asked the reason and I gave
it. The annoyance factor is considered a feature and the application is
NOT FOR MAINSTREAM USE. So, can anyone assist me?

Thank you,

Nick

Xavier N. wrote:

Nick, do you have any experience with Rails? Is there some point in my
explanation that is not clear?

Xavier. Thank you for your reply. I appreciate your help. I do have
experience with Rails and could spend the time right now building based
upon your suggestion. I too have thought of adding something to the
user’s table and putting a model on the session. I think doing that
would be a bad thing to do in my opinion. Some others may think it’s not
a big deal.

Instead, I was hoping that there is an example out there that is built
upon Restful Auth. The example could be about locking out the next user
that tries to log in. It doesn’t matter because I get an idea of how to
change it to make it work the way I would like it to work.

Thank you, again.
