RE: How to prevent multiple logins
If you use session variables to log them in, you can read all information stored in the session scope and compare the login names with what's already in the session. I used something just like this to count how many users were logged in, who was logged in, how many were administrators, how many were normal users. And how many people were just looking at the page but not logged in. Look into coldfusion.runtime.SessionTracker

From: Tim Do [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 14, 2004 3:32 PM
To: CF-Talk
Subject: How to prevent multiple logins

How would I go about preventing multiple logins w/ the same username and password? I'm currently using client variables for this. I tried checking the data field in CDATA but not having any luck. If a user does not log out and just closes the window or the session is timed out, there is still a record in CFDATA w/ the user's username. How do other sites prevent this??

Thanks
RE: How to prevent multiple logins
My argument isn't for me, but for the average user. They don't know the difference between opening another instance of IE versus a new window of the same instance.

John

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Friday, October 15, 2004 1:29 PM
To: CF-Talk
Subject: Re: How to prevent multiple logins

Not sure I get what you mean by lost accidentally. Adding an onscreen note to the logged-off individual effectively takes care of help desk issues.

"You have been logged off because another user has logged on with your credentials at another workstation. You may wish to call Security, or your mommy, or both"

Then the admins, if informed of the dupe login, can use their who's on viewer to see where the other workstation is, or force them off the system immediately themselves via an administrative logoff. That's assuming a high-security environment. Generally it just means the user says 'oops', or comes back to their previous wkstn and says 'oops' and closes the window.

As for 2-browsers-one-login, that shouldn't be a problem. You just open a link in a new window (or your app does it automatically). A user still has his/her identical cfid and cftoken per workstation, be it a stored or session cookie (unless they close all windows, in which case they have a new problem). I dropped using session cookies from my system default for this reason. Too much of a pain, but I let the developer select it if they are a glutton for punishment.

You ought to look at a tabbed browser for multiple windows. Been using NetCaptor for years, but MaxThon is arguably better and free, and then there's FireFox.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
Re: How to prevent multiple logins
Barney Boisvert wrote:
> Give them a nice message that says someone else logged in with their
> credentials, and they need to do something about it.

I think it all depends on what you want from your app. For some, like a commercial membership site, that would probably be undesirable. Others may want the second login refused flat-out, with security alerts going out to all points.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
Re: How to prevent multiple logins
Not sure I get what you mean by lost accidentally. Adding an onscreen note to the logged-off individual effectively takes care of help desk issues.

"You have been logged off because another user has logged on with your credentials at another workstation. You may wish to call Security, or your mommy, or both"

Then the admins, if informed of the dupe login, can use their who's on viewer to see where the other workstation is, or force them off the system immediately themselves via an administrative logoff. That's assuming a high-security environment. Generally it just means the user says 'oops', or comes back to their previous wkstn and says 'oops' and closes the window.

As for 2-browsers-one-login, that shouldn't be a problem. You just open a link in a new window (or your app does it automatically). A user still has his/her identical cfid and cftoken per workstation, be it a stored or session cookie (unless they close all windows, in which case they have a new problem). I dropped using session cookies from my system default for this reason. Too much of a pain, but I let the developer select it if they are a glutton for punishment.

You ought to look at a tabbed browser for multiple windows. Been using NetCaptor for years, but MaxThon is arguably better and free, and then there's FireFox.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
Re: How to prevent multiple logins
There's no reason you have to just kill the first user's session. Give them a nice message that says someone else logged in with their credentials, and they need to do something about it.

The 2 browser issue isn't an issue if they're instances of the same browser, because they'll share a session, not be two separate logins. "Same browser" meaning a single load of the executable by the OS, not just both IE or both FF.

cheers,
barneyb

On Fri, 15 Oct 2004 13:04:47 -0400, Burns, John D <[EMAIL PROTECTED]> wrote:
> But what if the login information is lost accidentally? I agree that
> the app may dictate anything, but it seems the helpdesk overhead with
> handling issues of "I got logged out for no reason" would outweigh the
> need for one login per user. Especially because that negates having 2
> browsers open with the same app. That would personally drive me crazy.
>
> John

--
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com/blog/

I currently have 4 GMail invites for the taking
RE: How to prevent multiple logins
But what if the login information is lost accidentally? I agree that the app may dictate anything, but it seems the helpdesk overhead with handling issues of "I got logged out for no reason" would outweigh the need for one login per user. Especially because that negates having 2 browsers open with the same app. That would personally drive me crazy.

John

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Friday, October 15, 2004 12:50 PM
To: CF-Talk
Subject: Re: How to prevent multiple logins

John wrote:
> But if you force off the first login, that may not be the same user,
> but it may be a different user using the same login. You can't force
> someone off while they're in the app.

Oh yes you can, and depending on your business rules maybe you should.

If only one user is supposed to use that login at any one time for terms-of-service reasons (i.e. a paid unique subscriber) then the bumped user gets what they deserve, or at least they get diminished utility from their stolen/misused login. If it's an innocent thing they know they aren't supposed to be doing it's a lesson learned and a discouragement of the forbidden behavior.

If it's a business user who is also beholden to company policy that says one login per person, then you are protecting that single user's ability to keep using the system. If a co-worker comes to their desk after they have forgotten to log out then this is a back-handed way of helping to protect the user from their own poor practices. Hopefully if going this route you are also logging the duplicate login attempts for managerial review.

If it's a mission-critical app of some sort that dictates a user must complete their session no matter what then I would argue you shouldn't be enforcing unique logins in the first place as the real world will get in the way without some controls, as was mentioned earlier in the thread. For that you need a system that can expressly allow unique logins, perhaps again with managerial log review so your admins are at least aware of the occurrences.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
Re: How to prevent multiple logins
I wrote:
>...For that you need a system that can expressly allow unique
>logins...

Oops. I meant 'duplicate logins'

--Matt--
Re: How to prevent multiple logins
John wrote:
> But if you force off the first login, that may not be the same user, but
> it may be a different user using the same login. You can't force
> someone off while they're in the app.

Oh yes you can, and depending on your business rules maybe you should.

If only one user is supposed to use that login at any one time for terms-of-service reasons (i.e. a paid unique subscriber) then the bumped user gets what they deserve, or at least they get diminished utility from their stolen/misused login. If it's an innocent thing they know they aren't supposed to be doing it's a lesson learned and a discouragement of the forbidden behavior.

If it's a business user who is also beholden to company policy that says one login per person, then you are protecting that single user's ability to keep using the system. If a co-worker comes to their desk after they have forgotten to log out then this is a back-handed way of helping to protect the user from their own poor practices. Hopefully if going this route you are also logging the duplicate login attempts for managerial review.

If it's a mission-critical app of some sort that dictates a user must complete their session no matter what then I would argue you shouldn't be enforcing unique logins in the first place as the real world will get in the way without some controls, as was mentioned earlier in the thread. For that you need a system that can expressly allow unique logins, perhaps again with managerial log review so your admins are at least aware of the occurrences.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
Re: How to prevent multiple logins
I agree with fuzzylizard. You have to make processing decisions and have mgmt okay it. Let everyone know what may/could/would happen if they login concurrently. Once users know this, it would meet everyone's expectations. This pretty much boils down to communication (a lost skill =) LOL.
Re: How to prevent multiple logins
At 11:51 AM 10/15/2004, Chris Johnston wrote:
>There is no method, that I know of, that is
>going to work in such a way that it never inconveniences the user
>while at the same time providing top notch security and preventing
>concurrent logins. It is an either-or situation.

Yes. It's not a technical problem. It's a procedural problem. After choosing the procedure, the rest is easy.

Anders

Anders Green
Email: [EMAIL PROTECTED]
Home: 919.303.0218
Off Road Rally Racing Team: http://linaracing.com/
Re: How to prevent multiple logins
On Fri, 15 Oct 2004 11:37:54 -0400, Burns, John D <[EMAIL PROTECTED]> wrote:
> What about people whose connection changes IPs? The new NMCI setup for
> military bases gives users a pool of IPs that change regularly. Our
> company has 2 external IPs that change as needed, so the guaranteed IP
> connection isn't always true.
>

I think the main point of this discussion is that however you decide to implement this type of functionality you are going to have to make compromises somewhere. There is no method, that I know of, that is going to work in such a way that it never inconveniences the user while at the same time providing top notch security and preventing concurrent logins. It is an either-or situation.

From my experience, if you restrict concurrent logins you are going to cause problems for your users. The question that needs to be answered is what those problems are and what forms of problems you are willing to deal with.

--
chris johnston
www.fuzzylizard.com

"For millions of years, mankind lived just like the animals and something happened which unleashed the power of our imagination, we learned to talk." Pink Floyd
RE: How to prevent multiple logins
What about people whose connection changes IPs? The new NMCI setup for military bases gives users a pool of IPs that change regularly. Our company has 2 external IPs that change as needed, so the guaranteed IP connection isn't always true.

John

-----Original Message-----
From: Umer Farooq [mailto:[EMAIL PROTECTED]
Sent: Friday, October 15, 2004 11:33 AM
To: CF-Talk
Subject: Re: How to prevent multiple logins

At login store the user's IP... and keep checking the IP against the one stored... on each request.. if it changes... log the current user... out and say.. someone else from another IP has logged in...

Burns, John D wrote:
> I think the biggest decision that the person who asked will have to make
> is the business logic for when a session that is currently logged in is
> no longer logged in. For instance:
>
> If User A logs in at 10AM and is given a 60 minute session and is
> somehow flagged as logged in (either in DB or app structure). The user
> does 1 quick thing on the site and then closes the browser at 10:05AM.
> This user gets up and moves to another computer and attempts to log into
> the site. He won't be allowed until 11AM if you do it this way. Since
> there's no real-time checking if the client is still there (unless you
> use flash remoting or a "ping" type iframe - which I would say is
> overkill) then you can't really handle this type of situation without
> sacrificing, that once someone logs in, no one can log in with that
> account until the session expires (even the person who started the
> session...unless they're on the same machine and have a cookie or
> something).
>
> John
>
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 14, 2004 4:15 PM
> To: CF-Talk
> Subject: Re: How to prevent multiple logins
>
> Barney Boisvert wrote:
> > Add two fields to your user table: isLoggedIn and lastAccessDate.
>
> Or do it in an application structure and save yourself the db overhead.
> I use/maintain a 2d array to show a bunch of stuff as part of a Who's On
> app. When a user logs in their user ID is planted in their who's on
> 'record', (which defaults to zero if they are not logged in and just a
> visitor).
>
> Then when anyone tries to log in the array is checked to see if they are
> already logged in. Steps are taken from there. Those steps can vary
> depending on your application (i.e. force the first user off the system,
> deny the second user the login, kick them both off, alert the sysadmin
> etc.)
>
> You can find the Who's On code in the link below. Just add a few array
> elements to the code in the article to do what you need.
>
> http://mysecretbase.com/How_To_Build_A_Who_Is_On_Application_With_ColdFusion.cfm
>
> And when you're done you also get a Who's On app as a byproduct. Just
> build something to loop over the array and display its contents.
>
> I'm bringing out AccessMonger Pro in a couple of days and it does all
> this stuff and gee whiz a whole lot more.
>
> --
> --Matt Robertson--
> President, Janitor
> MSB Designs, Inc.
> mysecretbase.com
Re: How to prevent multiple logins
It doesn't, apart from via inference as the users realise that if they share their user account they are likely to be forced off the system with no notice.

On Fri, 15 Oct 2004 11:11:42 -0400, Scott Stroz <[EMAIL PROTECTED]> wrote:
> But how will that stop someone else from trying to login as one of
> your users while they are logged in?

--
Neil
Re: How to prevent multiple logins
At login store the user's IP... and keep checking the IP against the one stored... on each request.. if it changes... log the current user... out and say.. someone else from another IP has logged in...

Burns, John D wrote:
> I think the biggest decision that the person who asked will have to make
> is the business logic for when a session that is currently logged in is
> no longer logged in. For instance:
>
> If User A logs in at 10AM and is given a 60 minute session and is
> somehow flagged as logged in (either in DB or app structure). The user
> does 1 quick thing on the site and then closes the browser at 10:05AM.
> This user gets up and moves to another computer and attempts to log into
> the site. He won't be allowed until 11AM if you do it this way. Since
> there's no real-time checking if the client is still there (unless you
> use flash remoting or a "ping" type iframe - which I would say is
> overkill) then you can't really handle this type of situation without
> sacrificing, that once someone logs in, no one can log in with that
> account until the session expires (even the person who started the
> session...unless they're on the same machine and have a cookie or
> something).
>
> John
>
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 14, 2004 4:15 PM
> To: CF-Talk
> Subject: Re: How to prevent multiple logins
>
> Barney Boisvert wrote:
> > Add two fields to your user table: isLoggedIn and lastAccessDate.
>
> Or do it in an application structure and save yourself the db overhead.
> I use/maintain a 2d array to show a bunch of stuff as part of a Who's On
> app. When a user logs in their user ID is planted in their who's on
> 'record', (which defaults to zero if they are not logged in and just a
> visitor).
>
> Then when anyone tries to log in the array is checked to see if they are
> already logged in. Steps are taken from there. Those steps can vary
> depending on your application (i.e. force the first user off the system,
> deny the second user the login, kick them both off, alert the sysadmin
> etc.)
>
> You can find the Who's On code in the link below. Just add a few array
> elements to the code in the article to do what you need.
>
> http://mysecretbase.com/How_To_Build_A_Who_Is_On_Application_With_ColdFusion.cfm
>
> And when you're done you also get a Who's On app as a byproduct. Just
> build something to loop over the array and display its contents.
>
> I'm bringing out AccessMonger Pro in a couple of days and it does all
> this stuff and gee whiz a whole lot more.
>
> --
> --Matt Robertson--
> President, Janitor
> MSB Designs, Inc.
> mysecretbase.com
Re: How to prevent multiple logins
But how will that stop someone else from trying to login as one of your users while they are logged in?

On Fri, 15 Oct 2004 16:03:15 +0100, Neil Middleton <[EMAIL PROTECTED]> wrote:
> We do this in one of our applications. If a user logs in and that user
> is currently logged in they (the original login) gets kicked.
>
> Works well, as it reminds our users a 1 person - 1 login, and not for
> sharing,
>
> On Fri, 15 Oct 2004 10:45:34 -0400, Burns, John D
> <[EMAIL PROTECTED]> wrote:
> > But if you force off the first login, that may not be the same user, but
> > it may be a different user using the same login. You can't force
> > someone off while they're in the app.
> >
> > John
> >
> > -----Original Message-----
> > From: Matt Robertson [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, October 14, 2004 4:42 PM
> > To: CF-Talk
> > Subject: Re: How to prevent multiple logins
> >
> > > I think the biggest decision that the person who asked will have to
> > > make is the business logic for when a session that is currently logged
> > > in is no longer logged in.
> >
> > The only way that I have seen to handle the scenario you are
> > describing is to force off the first login in favor of the second.
> > Solves the problem completely, but adds quite a bit to the complexity of
> > your login/who's on tracking.
> >
> > --
> > --Matt Robertson--
> > President, Janitor
> > MSB Designs, Inc.
> > mysecretbase.com
Re: How to prevent multiple logins
We do this in one of our applications. If a user logs in and that user is currently logged in they (the original login) gets kicked.

Works well, as it reminds our users a 1 person - 1 login, and not for sharing,

On Fri, 15 Oct 2004 10:45:34 -0400, Burns, John D <[EMAIL PROTECTED]> wrote:
> But if you force off the first login, that may not be the same user, but
> it may be a different user using the same login. You can't force
> someone off while they're in the app.
>
> John
>
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 14, 2004 4:42 PM
> To: CF-Talk
> Subject: Re: How to prevent multiple logins
>
> > I think the biggest decision that the person who asked will have to
> > make is the business logic for when a session that is currently logged
> > in is no longer logged in.
>
> The only way that I have seen to handle the scenario you are
> describing is to force off the first login in favor of the second.
> Solves the problem completely, but adds quite a bit to the complexity of
> your login/who's on tracking.
>
> --
> --Matt Robertson--
> President, Janitor
> MSB Designs, Inc.
> mysecretbase.com
RE: How to prevent multiple logins
But if you force off the first login, that may not be the same user, but it may be a different user using the same login. You can't force someone off while they're in the app.

John

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 14, 2004 4:42 PM
To: CF-Talk
Subject: Re: How to prevent multiple logins

> I think the biggest decision that the person who asked will have to
> make is the business logic for when a session that is currently logged
> in is no longer logged in.

The only way that I have seen to handle the scenario you are describing is to force off the first login in favor of the second. Solves the problem completely, but adds quite a bit to the complexity of your login/who's on tracking.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
Re: How to prevent multiple logins
No it doesn't, because there's no guarantee that the second logon request will come from the same computer/browser, and therefore use the same sticky. If I log in from work and my wife tries to log in from home under my account, chances are 1 in N that we'll hit the same server, where N is the size of the cluster. Not very good odds.

cheers,
barneyb

On Thu, 14 Oct 2004 17:15:28 -0400, Micha Schopman <[EMAIL PROTECTED]> wrote:
> >The app structure won't work across a cluster.
>
> With sticky sessions it does :)

--
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com

I currently have 4 GMail invites for the taking
Re: How to prevent multiple logins
>The app structure won't work across a cluster.

With sticky sessions it does :)
Re: How to prevent multiple logins
> I think the biggest decision that the person who asked will have to make
> is the business logic for when a session that is currently logged in is
> no longer logged in.

The only way that I have seen to handle the scenario you are describing is to force off the first login in favor of the second. Solves the problem completely, but adds quite a bit to the complexity of your login/who's on tracking.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
Re: How to prevent multiple logins
On Thu, 14 Oct 2004 16:21:45 -0400, Burns, John D <[EMAIL PROTECTED]> wrote:
> I think the biggest decision that the person who asked will have to make
> is the business logic for when a session that is currently logged in is
> no longer logged in. For instance:
>
> If User A logs in at 10AM and is given a 60 minute session and is
> somehow flagged as logged in (either in DB or app structure). The user
> does 1 quick thing on the site and then closes the browser at 10:05AM.
> This user gets up and moves to another computer and attempts to log into
> the site. He won't be allowed until 11AM if you do it this way. Since
> there's no real-time checking if the client is still there (unless you
> use flash remoting or a "ping" type iframe - which I would say is
> overkill) then you can't really handle this type of situation without
> sacrificing, that once someone logs in, no one can log in with that
> account until the session expires (even the person who started the
> session...unless they're on the same machine and have a cookie or
> something).
>

One place that I worked, restricting concurrent logins had to be abandoned due to this very problem. It was especially hard to develop while at the same time restricting concurrent logins. The API that they had built for security had a switch in it that allowed a developer to turn on or off concurrent logins depending on a value in the web descriptor file (J2EE).

However, even with this, we had to turn the feature off for production web apps. Too many times, users would login to the apps for a few minutes, check something and forget to logoff. Then they could never figure out why they could not log back in a few minutes later. We could never convince users that they had to logout every single time. They would just close the browser instead of logging out.

--
chris johnston
www.fuzzylizard.com

"For millions of years, mankind lived just like the animals and something happened which unleashed the power of our imagination, we learned to talk." Pink Floyd
RE: How to prevent multiple logins
I think the biggest decision that the person who asked will have to make is the business logic for when a session that is currently logged in is no longer logged in. For instance:

If User A logs in at 10AM and is given a 60 minute session and is somehow flagged as logged in (either in DB or app structure). The user does 1 quick thing on the site and then closes the browser at 10:05AM. This user gets up and moves to another computer and attempts to log into the site. He won't be allowed until 11AM if you do it this way. Since there's no real-time checking if the client is still there (unless you use flash remoting or a "ping" type iframe - which I would say is overkill) then you can't really handle this type of situation without sacrificing, that once someone logs in, no one can log in with that account until the session expires (even the person who started the session...unless they're on the same machine and have a cookie or something).

John

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 14, 2004 4:15 PM
To: CF-Talk
Subject: Re: How to prevent multiple logins

Barney Boisvert wrote:
> Add two fields to your user table: isLoggedIn and lastAccessDate.

Or do it in an application structure and save yourself the db overhead. I use/maintain a 2d array to show a bunch of stuff as part of a Who's On app. When a user logs in their user ID is planted in their who's on 'record', (which defaults to zero if they are not logged in and just a visitor).

Then when anyone tries to log in the array is checked to see if they are already logged in. Steps are taken from there. Those steps can vary depending on your application (i.e. force the first user off the system, deny the second user the login, kick them both off, alert the sysadmin etc.)

You can find the Who's On code in the link below. Just add a few array elements to the code in the article to do what you need.

http://mysecretbase.com/How_To_Build_A_Who_Is_On_Application_With_ColdFusion.cfm

And when you're done you also get a Who's On app as a byproduct. Just build something to loop over the array and display its contents.

I'm bringing out AccessMonger Pro in a couple of days and it does all this stuff and gee whiz a whole lot more.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
Re: How to prevent multiple logins
The app structure won't work across a cluster.

cheers,
barneyb

On Thu, 14 Oct 2004 13:15:06 -0700, Matt Robertson <[EMAIL PROTECTED]> wrote:
> Barney Boisvert wrote:
> > Add two fields to your user table: isLoggedIn and lastAccessDate.
>
> Or do it in an application structure and save yourself the db
> overhead. I use/maintain a 2d array to show a bunch of stuff as part
> of a Who's On app. When a user logs in their user ID is planted in
> their who's on 'record', (which defaults to zero if they are not
> logged in and just a visitor).
>
> Then when anyone tries to log in the array is checked to see if they
> are already logged in. Steps are taken from there. Those steps can
> vary depending on your application (i.e. force the first user off the
> system, deny the second user the login, kick them both off, alert the
> sysadmin etc.)
>
> You can find the Who's On code in the link below. Just add a few
> array elements to the code in the article to do what you need.
>
> http://mysecretbase.com/How_To_Build_A_Who_Is_On_Application_With_ColdFusion.cfm
>
> And when you're done you also get a Who's On app as a byproduct. Just
> build something to loop over the array and display its contents.
>
> I'm bringing out AccessMonger Pro in a couple of days and it does all
> this stuff and gee whiz a whole lot more.
>
> --
> --Matt Robertson--

--
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com

I currently have 4 GMail invites for the taking
Re: How to prevent multiple logins
Barney Boisvert wrote:
> Add two fields to your user table: isLoggedIn and lastAccessDate.

Or do it in an application structure and save yourself the db overhead. I use/maintain a 2d array to show a bunch of stuff as part of a Who's On app. When a user logs in their user ID is planted in their who's on 'record', (which defaults to zero if they are not logged in and just a visitor).

Then when anyone tries to log in the array is checked to see if they are already logged in. Steps are taken from there. Those steps can vary depending on your application (i.e. force the first user off the system, deny the second user the login, kick them both off, alert the sysadmin etc.)

You can find the Who's On code in the link below. Just add a few array elements to the code in the article to do what you need.

http://mysecretbase.com/How_To_Build_A_Who_Is_On_Application_With_ColdFusion.cfm

And when you're done you also get a Who's On app as a byproduct. Just build something to loop over the array and display its contents.

I'm bringing out AccessMonger Pro in a couple of days and it does all this stuff and gee whiz a whole lot more.

--
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
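The in-memory check and two of the collision policies described in the message above, as an added sketch in Python; it is not the Who's On code from the linked article. The class, method and policy names are hypothetical, and the registry is process-local, so it carries the cluster limitation raised in the reply.

```python
import threading


class WhoIsOn:
    """Process-local map of user ID -> the one session allowed for that user."""

    def __init__(self, policy="deny"):
        # "deny": refuse the second login; "evict_first": the newest login wins.
        if policy not in ("deny", "evict_first"):
            raise ValueError(policy)
        self.policy = policy
        self._active = {}               # user_id -> session_id
        self._lock = threading.Lock()   # check and insert must be one step

    def login(self, user_id, session_id):
        """Return True if this session now owns the account."""
        with self._lock:
            holder = self._active.get(user_id)
            taken = holder is not None and holder != session_id
            if taken and self.policy == "deny":
                return False
            self._active[user_id] = session_id  # first login, or takeover
            return True

    def is_current(self, user_id, session_id):
        """Call on every request; a displaced session fails this check."""
        with self._lock:
            return self._active.get(user_id) == session_id

    def logout(self, user_id, session_id):
        """Release the account only if the caller still holds it."""
        with self._lock:
            if self._active.get(user_id) != session_id:
                return False
            del self._active[user_id]
            return True
```

With "deny", an entry left behind by a closed browser window blocks the account until it is cleared; with "evict_first" a stale entry is simply replaced at the next login.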
Re: How to prevent multiple logins
On Thu, 14 Oct 2004 12:32:09 -0700, Tim Do <[EMAIL PROTECTED]> wrote:
> How would I go about preventing multiple logins w/ the same username and
> password? I'm currently using client variables for this. I tried checking
> the data field in CDATA but not having any luck. If a user does not log out
> and just closes the window or the session is timed out, there is still a
> record in CFDATA w/ the user's username. How do other sites prevent this??
>

The easiest way of doing this is to create a column in the database that gets checked when the user logs in. If the column is something other than NULL, then the user is logged in and the subsequent login is rejected. This is the most reliable method that I know of.

The problem with this is when and how to clear the column. I am not sure if there is a way to create code in CF that would trigger removing the value from the column when the session ended, but it might be one way of handling this.

--
chris johnston
www.fuzzylizard.com

"For millions of years, mankind lived just like the animals and something happened which unleashed the power of our imagination, we learned to talk." Pink Floyd
Re: How to prevent multiple logins
Add two fields to your user table: isLoggedIn and lastAccessDate. Set the former to true when the user logs in, and update the latter every request. When you get a login request for the user, only allow it if isLoggedIn is false OR lastAccessDate is more than your session timeout in the past (meaning the session is timed out, and they're not logged in any more).

cheers,
barneyb

On Thu, 14 Oct 2004 12:32:09 -0700, Tim Do <[EMAIL PROTECTED]> wrote:
> How would I go about preventing multiple logins w/ the same username and
> password? I'm currently using client variables for this. I tried checking
> the data field in CDATA but not having any luck. If a user does not log out
> and just closes the window or the session is timed out, there is still a
> record in CFDATA w/ the user's username. How do other sites prevent this??
>
> Thanks
How to prevent multiple logins
How would I go about preventing multiple logins w/ the same username and password? I'm currently using client variables for this. I tried checking the data field in CDATA but not having any luck. If a user does not log out and just closes the window or the session is timed out, there is still a record in CFDATA w/ the user's username. How do other sites prevent this??

Thanks
Re: How to prevent multiple logins?
I've done this before. I added a column to the database called "lock" that was a true/false, plus I had a timestamp field. Once a user logged in, I set the value to true. Logging in checked for this value, and if set, wouldn't allow the user to log in. I did an update on the table in the onrequestend.cfm file that would update the timestamp. Checking the timestamp to see if the session had expired was an easy way of logging an inactive user out.

Pete

----- Original Message -----
From: "Thanh Nguyen" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, September 30, 2002 1:55 PM
Subject: How to prevent multiple logins?

> How do I prevent multiple users logging in at the same time using the same
> account?
>
> I'm using session variables to track auth users.
>
> Thanks.
>
> Thanh

__
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
How to prevent multiple logins?
How do I prevent multiple users logging in at the same time using the same account?

I'm using session variables to track auth users.

Thanks.

Thanh