I have a login script which works, but I’m wondering how I should handle additional login attempts when the user has already logged in. The login page redirects to the home page if it finds that the user has already logged in.
However, if a user has multiple browser tabs open at the login page, logs in with one, then attempts to log in again using the other browser tabs, either with the same login or another login, how should I handle these two types of request?
To complicate things, I have a verification page which will also log the user in after the user has been verified using the token. How should I handle this if a user has already logged in?
For example, user A and user B both registered and both receive the token via email. They are both on the same PC, same browser, same session. User A verifies the token, then logs in successfully. User B then verifies the token, then logs in…? Wait, user A has already logged in! What should I do with user A?
What would be the best practice here?
Surely then the login session would be set and there would be no need to authenticate if it is a valid login again?
There are generally 3 methods to handle additional logins:
1. Ignore it, allow people to log in in different locations at the same time.
2. Kick the first session out when the 2nd session logs in. This often isn’t the best solution, but it solves the problem of people closing their browser (i.e. not logging out properly) and then trying to log in again in a new session and being told they can’t.
3. Give the user an error saying they are logged in elsewhere. If doing this, make sure there is a time limit on an active login so that if someone does forget to log out somewhere, or their browser closes unexpectedly, then they are still able to log back in – they just have to wait a certain period of time.
Personally, I go with the 2nd option unless there are abnormal circumstances.
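The three methods listed above, sketched as an added example (not code from the thread): a hypothetical in-memory `SessionStore` whose `login()` is called once credentials or a verification token have been checked. The class, the `Policy` names and the 15-minute idle timeout are assumptions made for illustration.

```python
import secrets
import time
from enum import Enum

class Policy(Enum):
    ALLOW = 1      # method 1: concurrent sessions permitted
    REPLACE = 2    # method 2: a new login evicts the older session
    REJECT = 3     # method 3: refuse while another session is still active

class SessionStore:
    def __init__(self, policy, idle_timeout=900, clock=time.time):
        self.policy = policy
        self.idle_timeout = idle_timeout  # seconds a login may sit idle
        self.clock = clock                # injectable so expiry can be tested
        self.sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def _active_ids(self, user):
        """Drop this user's expired sessions and return the live ones."""
        now = self.clock()
        live = []
        for sid, s in list(self.sessions.items()):
            if s["user"] != user:
                continue
            if now - s["last_seen"] > self.idle_timeout:
                del self.sessions[sid]  # a stale login must not block anyone
            else:
                live.append(sid)
        return live

    def login(self, user):
        """Call after authentication succeeds. Returns a session id or None."""
        live = self._active_ids(user)
        if live and self.policy is Policy.REJECT:
            return None  # caller shows "you are logged in elsewhere"
        if self.policy is Policy.REPLACE:
            for sid in live:
                del self.sessions[sid]
        sid = secrets.token_urlsafe(32)  # fresh, unguessable id per login
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def touch(self, sid):
        """Validate a session on each request; returns the user or None."""
        s = self.sessions.get(sid)
        if s is None or self.clock() - s["last_seen"] > self.idle_timeout:
            self.sessions.pop(sid, None)
            return None
        s["last_seen"] = self.clock()
        return s["user"]
```

With `Policy.REJECT`, the idle timeout is what lets a user back in after a browser was closed without logging out.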