[ic] Controlling number of active sessions?

Jonathan Clark interchange-users@interchange.redhat.com
Mon May 6 10:51:00 2002


> > > Might there be some way to control the number of
> > active sessions?
> > >
> > > More to the point.  The requirement is to:
> > >
> > > 1. Control the number of users entered in the
> > UserDB (this should be easy)
> >
> > yes, I would do this at the tio of the new_account
> > page:
> >
> > [sql query="SELECT count(username) FROM userdb"
> > list=1]
> > 	[tmp usercount][sql-code][/tmp]
> > [/sql]
> >
> > [if scratch usercount > 10]
> > 	[bounce href=no_more_accounts.html]
> > [/if]
> >
> > > 2. Make sure users can not share sessions.  I
> > guess the idea here would be
> > > if a user logs on expire all other sessions that
> > user is logged on with.
> > > (I know this is restrictive since the user
> > couldn't have more than one
> > > browser session open at once!)
> >
> > I think this can be done by cookies. If you set the
> > expire information on
> > the cookie it will be written to disk on the client
> > and therefore will be
> > passed back by the other browser instances, ensuring
> > a single session. The
> > workaround for the user is to open a different
> > browser for the second
> > session, eg. IE then NS.
> >
> > I think users who don't have cookies enabled should
> > get only one session
> > anyway.
> >
> > Jonathan
> > Webmaint.
>
>
> Jonathan,
> I don't think you understood my question.  I want
> to see if there is a way to stop a user from
> logging in as the same user on two different PC's.
> That way I can count the number of active user
> sessions and disallow anyone to log in if they
> are over a certain number.  In other words, allow
> them to add 100 users, but only allow (say) 10 unique
> sessions active at a time.

Aha.. limiting concurrent logins.

I'm sure there is code in the mailing list archive to display the current
users from the session information. Can't find it at the moment.

>From the IC point of view, a 'session' could be any user, or all the same.
You need to check the active users when someone new tries to log in - if
they are already there then don't let them in again. Problem with this is
what happens (as Rene says) when someone closes the browser and then walks
over to another machine to log in? IC will hold the first session and so
they are still logged in until the session expires. And setting
SessionExpire really short will cause more problems as people get logged out
when they go for a cup of coffee..

The problem here lies in the way web connections work. I'm not sure you can
do what you want reliably with http.

Sorry for not answering your question.

Jonathan
Webmaint.