How to prevent multiple login?

I have finished the Blog tutorial in the CakePHP 3 documentation. Now, I want to prevent people who are already logged in on a computer from logging in again on the same computer. How can I do that? Thanks.

I did not do this, but I think you will need to process the user session.
When a user logs in, you mark this user_id as logged in with the session.
When someone else tries to log in, you check whether the user_id is marked as logged in: if not, allow them to log in; if marked, prevent it.

And what if the session just expires? The user will not be able to log in again until this flag is reset.
Besides, it's weird: why would anyone want to prevent a user from logging in from another location?

If the flag is logged (true), continue and check whether the session has expired; if expired => set the flag to false and allow them to log in.
That's it.

Let's say that you log in to the system and the flag is set to 1, then you leave your logged-in user idle until the session expires (is terminated by the web server), which leaves the flag value still set to 1. How are you going to check whether the session for a given user has expired?

I forgot to tell you to store the session in the database.
Then I believe we can check the flag against the session expiry.

Which is a terrible idea for many reasons.

I guess so.

How about your idea?

If I wanted to prevent users from sharing passwords | accounts - I would use file session storage + redis | memcache | APC (in the worst case) to cache data and to write information about who is logged in already.


Wow, session, redis, memcache, APC… what kind of language is that? Just kidding, but honestly, it seems like a lot of hard work to do. Thanks for your replies, guys.

The simple trick that you can do is check '$this->Auth->user()' and, if this is true, redirect wherever you want. This way the user will never be redirected to the login page until he has logged out.

@aavrug, you have the good answer. If the session expires, $this->Auth->user('id') will return an empty string.

I use it this way in UsersController::beforeFilter():

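```php
// Checks if the user is already logged in on login/register actions.
// ForbiddenException must be imported with a "use" statement
// (Cake\Network\Exception\ForbiddenException in 3.0-3.5, Cake\Http\Exception\ForbiddenException from 3.6).
if (in_array($this->request->action, ['register', 'login']) && !empty($this->Auth->user('id'))) {
  throw new ForbiddenException(__('You are already logged in'));
}
```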

I think it is not good enough.
Prevent multiple login/account/computer, not only multiple login/computer.
Then the solution is to write your own Authenticate class extending BaseAuthenticate and check the user id in the authenticate function.

If you only check $this->Auth->user('id'), they will be unable to use another account to log in because the other account is already logged in.

i.e.: account bob was logged in, then you want to use account ben; you will need to check whether $this->Auth->user() is exactly ben or not.

If you use bob and want to log in as ben, you have to disconnect first in order to log in, because if you try, an exception is thrown.

Thanks @aavrug and @mtancoigne. I believe using $this->Auth->user('id') in the controller is enough (to me) to prevent a user from multiple login. If the user tries to do multiple login by accessing the login page, I will check $this->Auth->user('id') in the controller and redirect the user back to the Home page.

You realize that Auth stores data in the session, which is browser-specific? :wink:

Multiple login on another computer, or just checking for an existing auth? I feel he means to block login on another computer… and the good idea from mtancoigne: store the session in a database field, for example ac_session; when logging in, check it: if false, authenticate and log in, and update it to true; if true, show a flash message that the user is already logged in and redirect to login… Try this, brother…

I just do:

```php
if($this->Auth->user()) {
  // Redirect to something else (eg. "my account" page)
}
```

Simple but effective :slight_smile:
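
The cache-backed record of who is logged in, as suggested earlier in the thread, written so that entries expire on their own, which removes the stale-flag problem raised above. This is an added example, not code from any poster or from CakePHP: the class `ActiveLoginRegistry`, its methods and the sample session ids are hypothetical, and an in-memory array stands in for Redis/Memcached.

```php
<?php
// Added example: hypothetical helper, not a CakePHP API. The array stands in
// for Redis/Memcached; in production use a cache entry with a native TTL.
final class ActiveLoginRegistry
{
    /** @var array<int, array{sid: string, expires: int}> */
    private $entries = [];
    private $ttl;

    public function __construct(int $ttlSeconds)
    {
        $this->ttl = $ttlSeconds; // assumption: equal to the session timeout
    }

    /**
     * Claim the login slot for $userId. Returns false while another live
     * session holds it. Call again on each authenticated request to refresh
     * the expiry; a false result there means this session was superseded.
     */
    public function claim(int $userId, string $sessionId, int $now): bool
    {
        $entry = $this->entries[$userId] ?? null;
        $live = $entry !== null && $entry['expires'] > $now;
        if ($live && !hash_equals($entry['sid'], $sessionId)) {
            return false; // a different, unexpired session owns this account
        }
        $this->entries[$userId] = ['sid' => $sessionId, 'expires' => $now + $this->ttl];
        return true;
    }

    /** Call on logout; only the owning session may release the slot. */
    public function release(int $userId, string $sessionId): void
    {
        $entry = $this->entries[$userId] ?? null;
        if ($entry !== null && hash_equals($entry['sid'], $sessionId)) {
            unset($this->entries[$userId]);
        }
    }
}

// Constructed scenario: 30-minute TTL, one account (user id 7), two browsers.
$registry = new ActiveLoginRegistry(1800);
$t0 = 1700000000;
var_dump($registry->claim(7, 'browser-A', $t0));        // first login
var_dump($registry->claim(7, 'browser-B', $t0 + 60));   // second browser while A is live
var_dump($registry->claim(7, 'browser-B', $t0 + 1801)); // A has been idle past the TTL
var_dump($registry->claim(7, 'browser-A', $t0 + 1900)); // A returns after B took over
```

Because Auth data lives in a browser-specific session, a check of `$this->Auth->user()` cannot see a login made from another browser; a store shared across sessions, like the one sketched here, can.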