On Wed, Feb 17, 2010 at 3:19 PM, Nick Gins <li...@ruby-forum.com> wrote:
> I would like to add the ability to control that a single user can be
> logged in only once. In other words, if User "A" logs in and then
> another person with User "A" credentials logs in, it will destroy the
> session of the first session and log them out. As far as the security
> of the matter goes, I'd rather that the correct owner of User "A" with
> valid access to email, reset their password so the other person will not
> have access.
>
> I am using restful_auth. plugin with the standard for the session
> controller. I am using the DB session if that matters. I'd like to
> know if there is a built in method or before_filter available or if
> someone has already come up with a solution to make this possible.

Sessions are serialised (can't be queried with ordinary SQL) and handled by Rails, they may belong to anonymous users also depending on the application. I wouldn't touch sessions themselves.

A simple approach would be to add a session_id fk to your users table.

Let's say persons p, q have credentials for account A. Let's say p is logged in. When user q logs in, since session_id is not null (it has p's session ID) and it is different than q's session ID, you just delete the session record of p, assign the current session ID to session_id, and save current_user.

When p comes back, the session with the session_id in his cookie is gone, he's been logged out.

But the logic is a bit strange, now p can log in again thus logging q out back. Wouldn't you prefer that q cannot log in while p has a session? What is your current rationale?
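The session_id approach described in the reply above, as an added example that is not part of the original message. It is plain Ruby rather than Rails code: the `SESSIONS` hash, the `User` struct and the helpers `new_session`, `single_login!` and `logged_in?` are hypothetical stand-ins for the DB session table, the users table with its extra column, and the login and before_filter logic.

```ruby
require "securerandom"

# In-memory stand-ins (assumptions) for the DB-backed sessions table and the
# users table with the extra session_id column suggested above.
SESSIONS = {}                                  # session_id => session data
User = Struct.new(:login, :session_id)

# Create a fresh session record, as the framework would for a new visitor.
def new_session
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = {}
  sid
end

# Called after credentials have been verified for `user` in session `sid`.
# Deletes the account's previous session record, if there is one and it is
# not the current session, then stores the current session ID on the account.
def single_login!(user, sid)
  old = user.session_id
  SESSIONS.delete(old) if old && old != sid
  (SESSIONS[sid] ||= {})[:user] = user.login
  user.session_id = sid
  user
end

# What a per-request filter would check: the session record must still exist
# and must be the one recorded on the account.
def logged_in?(user, sid)
  SESSIONS.key?(sid) && user.session_id == sid
end

# Constructed walk-through: persons p and q share the credentials of account A.
def demo
  a = User.new("A", nil)
  p_sid = new_session
  single_login!(a, p_sid)
  q_sid = new_session
  single_login!(a, q_sid)                                  # q logs in
  after_q = [logged_in?(a, p_sid), logged_in?(a, q_sid)]   # p is out, q is in
  p_sid2 = new_session
  single_login!(a, p_sid2)                                 # p logs in again
  after_p = [logged_in?(a, q_sid), logged_in?(a, p_sid2)]  # q is out, p is in
  [after_q, after_p]
end
```

The second half of `demo` shows the back-and-forth the reply points out: each login with valid credentials logs the other holder out.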