Security Vulnerability Issue

Question

Client wants to add functionality that allow one user to sign in only one place at a time. For example If I am login as maria.nausal@gmail.com then software do not allow me to login by using same email account in same system with different browser or different system.

I was handling this functioanlity by updating status of user but it does not work when user close browser button without logout.

Then I used onbeforeunload event for handling this type of issue. Everything is working fine in desktops but this event does not work in mobile device. By using Onbeforeunload,

If you have other solution that works in all environments please suggest me. Solution should be with session because onbeforeunload is also creating issue.

Thankyou

you may refer this answer http://stackoverflow.com/questions/3164507/allow-one-session-only-at-a-time — user1844933, Aug 13 '15 at 13:32

score 0 · Answer 1 · answered Aug 13 '15 at 13:28

Your second approach also would not work with failing network connections or power cutoffs or a user simply closing his laptop lid. The whole approach is flaky, since it collides with the underlying web technology which is stateless. There is no way to clearly determine if a session is still used, since there is permanent connection but only single requests.

The closest you could get would be to timeout a session after a period of inactivity. To not ruin the user experience you should then take care to seamlessly reconstruct/reactivate the session in background without any user interaction required.

score 0 · Answer 2 · answered Aug 13 '15 at 13:28

I don't think there is a foolproof way to do what you're trying to do. What other sites do (e.g. banking websites) is that they keep track of the time of your last activity. Then a certain amount of time after that last activity, they log you out automatically on the server side.

score 0 · Answer 3 · answered Aug 13 '15 at 13:39

Add a field in the database, something to uniquely identify the browser, computer etc. (e.g. IP address) and record it when a user logs in. Then check that it is the same each time a user navigates to a new page. Thus, if a user logs in to computer A, and then logs in to computer B, the next time they navigate to a new page on computer A it sees that computer B is the last to log in and logs out computer A.

Security Vulnerability Issue

3 Answers3