I’m trying to forbid multiple logins by the same user at the same time to my CakePHP (1.2) driven site. However, that’s not as easy as I thought since I have no idea how to get the information if a user is already logged in or not.
I’m using Cake’s Auth-component to authenticate users. The sessions are handled by the PHP installation and PHP stores the session data in files. So I guess it is not possible to access the session data from a controller (for, of course, these files aren’t saved in the webroot). I thought about checking if a user is logged in or not by using a special database field, but there is no way to find out if a user is logged out or not if he doesn’t use the logout-method but simply closes his browser and so ends the session.
Can anyone think of another way to manage that? I don’t need to know all data about every logged in user. The only thing I need to know is if the given username is logged in at the moment.
Thanks in advance.
I think CakePHP will have this behaviour automatically if you set Security.level to high in your core config file, as it regenerates the session ID each time.
Alternatively, the logic behind it is that you could save a hash of the user's IP/User Agent in the user table when they log in, and if a computer with a different hash to the one you have saved tries to do something, log out the user. This way only the latest user will work.
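The fingerprint check described in the answer above, as an added example that is not part of the original thread and not CakePHP's own code. It is plain PHP (7 or later assumed); the $users array stands in for the users table, and the login_fingerprint column and all function names are hypothetical.

```php
<?php
// Added illustration: plain PHP, no CakePHP API. $users stands in for the
// users table; the 'login_fingerprint' column name is hypothetical.

function client_fingerprint(string $ip, string $userAgent): string
{
    // Hash of IP + User-Agent, as the answer suggests. The NUL separator
    // keeps ("1.2.3.4", "5Agent") distinct from ("1.2.3.45", "Agent").
    return hash('sha256', $ip . "\0" . $userAgent);
}

function on_login(array &$users, string $username, string $ip, string $ua): void
{
    // A new login overwrites the stored value, so the latest client wins.
    $users[$username]['login_fingerprint'] = client_fingerprint($ip, $ua);
}

function request_allowed(array $users, string $username, string $ip, string $ua): bool
{
    $stored = $users[$username]['login_fingerprint'] ?? null;
    if ($stored === null) {
        return false; // never logged in, or explicitly logged out
    }
    // Constant-time comparison; false means the caller should end this session.
    return hash_equals($stored, client_fingerprint($ip, $ua));
}

function on_logout(array &$users, string $username): void
{
    $users[$username]['login_fingerprint'] = null;
}

// Constructed sample data (documentation IP ranges, made-up agents).
$users = ['alice' => ['login_fingerprint' => null]];

on_login($users, 'alice', '192.0.2.10', 'BrowserA/1.0');
var_dump(request_allowed($users, 'alice', '192.0.2.10', 'BrowserA/1.0'));   // first client

on_login($users, 'alice', '198.51.100.7', 'BrowserB/2.0');
var_dump(request_allowed($users, 'alice', '192.0.2.10', 'BrowserA/1.0'));   // first client again
var_dump(request_allowed($users, 'alice', '198.51.100.7', 'BrowserB/2.0')); // second client
```

Clients that share an IP address and User-Agent (for example behind the same NAT) produce the same hash, so they are not told apart by this check. A client whose IP address changes mid-session will be treated as a different computer and logged out.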