This isn't strictly a mod_perl thing, but this is probably the safest way to make this happen. This happens to be how I've created a secure (by my definition; correct me if I get something wrong) web application.
Pipe everything through an SSL tunnel.

The initial logon is username + password. A session id # is incremented and stored on the web client in a cookie. An md5 hash of that session id and a stored secret on the server is also passed to the web client and stored in a cookie. From here on out the web client must present an accurate session id # + md5 hash.

While the session # is predictable, it is guaranteed to be unique. The hash prevents users from modifying the session # since an attacker would not be able to create the correct hash for other session #s.

So from there a user session table only holds one stored session # / hash per username. This would allow one authenticated user to have many open windows but would not allow multiple sessions per user. You can extend this concept to force a user to use only a single browser window, though that is pretty draconian.

Josh

Baljit Sethi <[EMAIL PROTECTED]>
08/01/2002 02:08 PM

To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: [Newbie Q] Cleanest way to implement one logon per user?

Hello.

I am hoping someone can point me in the right direction.

What I want to do is limit client logons to one logon per username, i.e., while a client has a session open, he/she cannot log on to the website from another terminal.

Platform: Apache 1.3.x with mod_perl & DBI

I have looked high and low, gone through Apache book after book with no measurable success (mod_usertrack & mod_session are the only modules briefly mentioned).

If someone could just point me in the right direction, I will gladly do all the required research.

TIA,
Ballay :)
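
The scheme described in the reply above, as an added Python sketch that is not part of the original thread: an incrementing session id, a keyed hash of it sent alongside in a second cookie, and a table holding one session per username. It uses HMAC-SHA-256 in place of the plain md5 hash the reply mentions; the class and method names are hypothetical, and having a new logon replace the user's earlier session is an assumption.

```python
import hashlib
import hmac
import itertools


class SessionTable:
    """One live session id per username (hypothetical helper, added example)."""

    def __init__(self, secret: bytes):
        self._secret = secret                 # server-side secret, never sent to the client
        self._counter = itertools.count(1)    # predictable, but never repeats
        self._sid_for_user = {}               # username -> current session id
        self._user_for_sid = {}               # session id -> username

    def _tag(self, sid: int) -> str:
        # Keyed hash of the session id; only the holder of the secret can produce it.
        return hmac.new(self._secret, str(sid).encode(), hashlib.sha256).hexdigest()

    def login(self, username: str):
        """Call after the password check; returns the two cookie values."""
        old = self._sid_for_user.pop(username, None)
        if old is not None:
            del self._user_for_sid[old]       # assumption: a new logon ends the old session
        sid = next(self._counter)
        self._sid_for_user[username] = sid
        self._user_for_sid[sid] = username
        return str(sid), self._tag(sid)

    def check(self, sid_cookie: str, tag_cookie: str):
        """Return the username for a valid cookie pair, else None."""
        try:
            sid = int(sid_cookie)
        except ValueError:
            return None
        expected = self._tag(sid).encode()
        presented = tag_cookie.encode("utf-8", "replace")
        # Constant-time comparison so the check does not leak how many characters matched.
        if not hmac.compare_digest(expected, presented):
            return None
        # A correct tag is not enough: the id must still be the user's current session.
        return self._user_for_sid.get(sid)


if __name__ == "__main__":
    table = SessionTable(b"constructed-demo-secret")   # constructed sample value
    first = table.login("alice")
    second = table.login("alice")                      # second terminal logs on
    print(table.check(*first), table.check(*second))
```

Every window that shares the browser's cookies presents the same pair and keeps working, while the cookie pair from the earlier logon stops validating once the table row is replaced.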