This isn't strictly a mod_perl thing, but this is probably the safest way
to make this happen. This happens to be how I've created a secure (by my
definition; correct me if I get something wrong) web application.
Pipe everything through an SSL tunnel.
The initial logon is username + password. A session id # is incremented
and stored on the web client in a cookie. An md5 hash of that session id
and a stored secret on the server is also passed to the web client and
stored in a cookie. From here on out the web client must present an
accurate session id # + md5 hash. While the session # is predictable, it is
guaranteed to be unique. The hash prevents users from modifying the
session #, since an attacker would not be able to create the correct hash
for other session #s.
So from there a user session table holds only one stored session # / hash
per username. This would allow one authenticated user to have many open
windows but would not allow multiple sessions per user. You can extend
this concept to force a user to use only a single browser window, though
that is pretty draconian.
Josh
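The scheme Josh describes above, worked through as an added example (this is not code from the thread or from any mod_perl module): a server-side counter hands out session ids, each id is paired with a keyed hash that the client must present alongside it, and the per-user table keeps exactly one id, so a second logon from another terminal silently invalidates the first. The scheme itself is independent of mod_perl, so the example is written in Python; the `SessionStore` class, the in-memory user table and the password hashing are assumptions of this example, standing in for the DBI-backed tables the original question mentions. One deliberate substitution, flagged in the comments: the tag is an HMAC-SHA256 over the session id rather than a plain md5 of "id + secret", because a bare hash over a concatenation is weaker than a proper keyed MAC for this purpose.

```python
import hashlib
import hmac
import secrets


def _pw_hash(salt: bytes, password: str) -> bytes:
    """Salted password hash for the constructed user table (assumption of this
    example; the thread's setup would keep users in a DBI-backed database)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """One live session per username.

    A logon increments a server-side counter (the predictable but unique
    session id) and returns it together with a keyed tag. The table maps each
    username to at most one session id, so a later logon replaces, and thereby
    invalidates, any earlier one.
    """

    def __init__(self, server_secret: bytes):
        self._secret = server_secret      # the "stored secret on the server"
        self._next_id = 0                 # incremented per logon
        self._users = {}                  # username -> (salt, password hash)
        self._by_user = {}                # username -> current session id
        self._by_session = {}             # session id -> username

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _pw_hash(salt, password))

    def _tag(self, session_id: int) -> str:
        # HMAC-SHA256 over the session id. This replaces the md5(id + secret)
        # of the original post; a keyed MAC is the right primitive here.
        return hmac.new(self._secret, str(session_id).encode(),
                        hashlib.sha256).hexdigest()

    def login(self, username: str, password: str):
        """Verify the password and issue a fresh (sid, tag) cookie pair, or None."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, expected = rec
        if not hmac.compare_digest(_pw_hash(salt, password), expected):
            return None
        # Replacing the stored session id is what enforces "one logon per user":
        # whatever cookie the previous terminal holds no longer maps to anyone.
        old = self._by_user.pop(username, None)
        if old is not None:
            self._by_session.pop(old, None)
        self._next_id += 1
        sid = self._next_id
        self._by_user[username] = sid
        self._by_session[sid] = username
        return {"sid": str(sid), "tag": self._tag(sid)}

    def authenticate(self, cookies) -> "str | None":
        """Return the username for a valid cookie pair, else None.

        The tag is checked first: a client that edits the sid cookie cannot
        produce the matching tag without the server secret. A correct tag for
        a sid that is no longer in the table (superseded or logged out) is also
        rejected.
        """
        try:
            sid = int(cookies["sid"])
        except (KeyError, TypeError, ValueError):
            return None
        presented = str(cookies.get("tag", "")).encode()
        if not hmac.compare_digest(presented, self._tag(sid).encode()):
            return None
        return self._by_session.get(sid)

    def logout(self, cookies) -> bool:
        """Drop the session named by a valid cookie pair; False if it was not valid."""
        user = self.authenticate(cookies)
        if user is None:
            return False
        sid = self._by_user.pop(user)
        self._by_session.pop(sid, None)
        return True


if __name__ == "__main__":
    store = SessionStore(secrets.token_bytes(32))
    store.add_user("ballay", "correct horse")
    first = store.login("ballay", "correct horse")      # terminal A
    second = store.login("ballay", "correct horse")     # terminal B, same user
    print("A still valid:", store.authenticate(first))  # None: replaced by B
    print("B valid:", store.authenticate(second))       # ballay
```

Two cookies are used here only because the post describes two; packing `sid` and `tag` into a single cookie value works the same way. Since everything is meant to go through SSL, both cookies should be set with the `Secure` attribute so a browser never sends them over plain HTTP, and the server secret must never be derived from anything the client can see, since guessing the next session id is trivially easy and only the tag keeps that from mattering.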
Baljit Sethi <[EMAIL PROTECTED]>
08/01/2002 02:08 PM
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: [Newbie Q] Cleanest way to implement one logon per user?
Hello.
I am hoping someone can point me in the right direction.
What I want to do is limit client logons to one logon per username, i.e.
while a client has a session open, he/she cannot logon to the website from
another terminal.
Platform: Apache 1.3.x with mod_perl & DBI
I have looked high and low, gone through Apache book after book with no
measurable success (mod_usertrack & mod_session are the only modules
briefly mentioned).
If someone could just point me in the right direction, I will gladly do
all the required research.
TIA,
Ballay :)