Friday, 15 July 2011

security - Concurrent login -



Has anyone here tried to implement a way in ColdFusion to not allow the same login account to be used concurrently? If one login is active, the other login is either disabled or kicks out the first one.

Please share your experience.

There are two methods; the first is lighter on performance than the other. Method 1: deny any user who tries to log in after the first. Add a loggedin field to the users table, a simple 0/1. When the user logs in, run a query like this:

loginquery:

<cfquery name="validate">
    <!--- plus whatever other columns you want from the table --->
    select userid, loggedin
    from users
    where username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
    <!--- hopefully you're hashing/encrypting passwords; this is a simple demo --->
    and password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.password#">
</cfquery>
<cfif validate.recordcount eq 1>
    <cfif validate.loggedin eq 0>
        <cfset session.userid = validate.userid>
        <!--- ...collect whatever other info you want from the table --->
        <!--- a different query name so the update does not clobber the "validate" result --->
        <cfquery name="setflag">
            update users set loggedin = 1
            where userid = <cfqueryparam cfsqltype="cf_sql_integer" value="#validate.userid#">
        </cfquery>
    <cfelse>
        <!--- someone is already logged in with this account --->
    </cfif>
<cfelse>
    <!--- invalid credentials --->
</cfif>

When the user logs out, set the loggedin flag in the table back to 0:

<cfquery name="validate">
    update users set loggedin = 0
    where userid = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.userid#">
</cfquery>

Now, because a lot of users navigate away from the site or walk away from the computer, you can use Application.cfc's onSessionEnd method, which executes when the session ends, to run the same query as the logout with one change. The session scope is not available in that method; instead you need to use the sessionScope argument of the method.

Therein lies the one flaw with this method. If a user walks away from the machine or navigates away from the page, no one can log in until the first user's session expires. If the session timeout is set to 20 minutes and they walk away from the machine, no one can log in to the account for 20 minutes. It's a reason you'd want a short-ish session timeout (but nothing obnoxiously short that penalizes a user taking a long time to finish a form).

<cffunction name="onSessionEnd">
    <cfargument name="sessionScope" required="true" />
    <cfargument name="appScope" required="true" />
    <!--- the session scope itself is not available here; use the argument --->
    <cfquery name="validate">
        update users set loggedin = 0
        where userid = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.sessionScope.userid#">
    </cfquery>
</cffunction>

Method 2: kick the first user out after a second one logs in.

The problem with this route is that it needs to run a query on every page (or at least every member-specific page). Conceivably you could have 10 users on the front-end page of the site under the same username, and nobody cares. Any of them, aside from the one most recently logged in, who tries to access a fellow member page gets kicked out. Of course, they could attempt to log in again, becoming the most recent and kicking anyone else out. That's the downside of this practice.

Add a loginkey field to the users table.

When the user logs in, populate that field with a value unique to that user; it can be something like:

#randrange(1,10000000)#

Store the key in users.loginkey and in session.loginkey.

Match it on each page, or at least each members page. If the first login is just browsing front-end pages, let it slide, to save on performance.

<cfquery name="validate">
    select userid
    from users
    where loginkey = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.loginkey#">
    <!--- since you're doing this anyway, you might as well validate the credentials too --->
    and password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#session.password#">
    and username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#session.username#">
</cfquery>

You can move the loginkey part of the where clause into an if statement (as demonstrated in the first method) and explain to the user why they were kicked out. Or you can query it on the side.

(You could use session.cfid and cftoken as the unique identifier, which is valid, but I wanted to show how you'd need to store the info if creating a separate key. Use cfid/cftoken because... why add more performance overhead?)
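Both methods from the answer above, modelled as an added example that is not part of the original post and is not the answerer's ColdFusion. It is written in Python with an in-memory sqlite3 table so it runs offline; the class and method names (AuthStore, login_exclusive, logout_exclusive, login_kick, is_valid) and the sample user are assumptions for illustration. Two things differ from the answer deliberately and are called out in comments: the "loggedin" flag is flipped with an atomic test-and-set UPDATE so two simultaneous logins cannot both succeed, and the login key comes from secrets.token_hex rather than randrange(1,10000000), because a 7-digit key is guessable and the key is the only thing that tells a live session from a kicked one.

```python
"""Added example: the two concurrent-login strategies (deny second login vs.
kick first login) on an in-memory sqlite3 users table. Not the original
post's code; names are illustrative assumptions."""
import hashlib
import hmac
import os
import secrets
import sqlite3


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stand-in for "hopefully you're hashing passwords".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthStore:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            """CREATE TABLE users (
                   userid   INTEGER PRIMARY KEY,
                   username TEXT UNIQUE NOT NULL,
                   salt     BLOB NOT NULL,
                   pwhash   BLOB NOT NULL,
                   loggedin INTEGER NOT NULL DEFAULT 0,  -- method 1
                   loginkey TEXT                         -- method 2
               )"""
        )

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.db.execute(
            "INSERT INTO users (username, salt, pwhash) VALUES (?, ?, ?)",
            (username, salt, _hash_password(password, salt)),
        )
        self.db.commit()

    def _check_credentials(self, username: str, password: str):
        """Return userid on a match, else None (constant-time hash compare)."""
        row = self.db.execute(
            "SELECT userid, salt, pwhash FROM users WHERE username = ?", (username,)
        ).fetchone()
        if row is None:
            return None
        userid, salt, pwhash = row
        if not hmac.compare_digest(_hash_password(password, salt), pwhash):
            return None
        return userid

    # ---- Method 1: deny anyone who logs in after the first ----
    def login_exclusive(self, username: str, password: str):
        """Session dict on success; None if credentials fail or already logged in."""
        userid = self._check_credentials(username, password)
        if userid is None:
            return None
        # Atomic test-and-set: only flips the flag if it is still 0, so two
        # requests racing on the same account cannot both get a session.
        cur = self.db.execute(
            "UPDATE users SET loggedin = 1 WHERE userid = ? AND loggedin = 0", (userid,)
        )
        self.db.commit()
        if cur.rowcount == 0:
            return None  # someone else holds the login
        return {"userid": userid}

    def logout_exclusive(self, session: dict) -> None:
        # Same statement a logout page or onSessionEnd would run.
        self.db.execute("UPDATE users SET loggedin = 0 WHERE userid = ?", (session["userid"],))
        self.db.commit()

    # ---- Method 2: newest login wins, earlier sessions are invalidated ----
    def login_kick(self, username: str, password: str):
        """Session dict carrying a fresh login key; rotating the key kicks older sessions."""
        userid = self._check_credentials(username, password)
        if userid is None:
            return None
        key = secrets.token_hex(16)  # unguessable; randrange(1, 10000000) is not
        self.db.execute("UPDATE users SET loginkey = ? WHERE userid = ?", (key, userid))
        self.db.commit()
        return {"userid": userid, "loginkey": key}

    def is_valid(self, session: dict) -> bool:
        """Per-request check for member pages: does this session's key still match?"""
        row = self.db.execute(
            "SELECT loginkey FROM users WHERE userid = ?", (session["userid"],)
        ).fetchone()
        if row is None or row[0] is None:
            return False
        return hmac.compare_digest(row[0], session["loginkey"])


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("alice", "correct horse battery staple")  # constructed sample user
    first = store.login_kick("alice", "correct horse battery staple")
    second = store.login_kick("alice", "correct horse battery staple")
    print("first session still valid:", store.is_valid(first))    # False
    print("second session still valid:", store.is_valid(second))  # True
```

Note that is_valid only needs the userid and the key; the answer's per-page query also re-sends the username and password from the session, which is unnecessary once the key is bound to a row and means keeping the plaintext password in session memory for the life of the login.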

Labels: security, coldfusion
