Restricting Multiple Logins

Can anyone provide me with a good article, screencast, or source on how to restrict multiple logins with Rails? I'm using Restful Authentication with Acts As State Machine and have my login system configured with observers, activation keys, etc.

I'm just trying to move forward a bit and restrict multiple logins.

Thanks..

Alpha Blue wrote:

Can anyone provide me with a good article, screencast, or source on how to restrict multiple logins with Rails?

[...]

By "multiple logins", you mean the same user logged in multiple times simultaneously, right? If so, then I suspect that this will be frustrating to implement and frustrating for the users to deal with. Why bother?

Best,

Hi Alpha, I am just sharing some thoughts; I am not sure how much they will help you.

1. Are you using database sessions for login purposes? In that case you can check from the database whether this guy is already logged in or not, and restrict the person if someone is already logged in, or expire the session of the previously logged-in user.

2. Second, you can track the IP address. For one user you can allow only one IP address, the IP address from which he signed up to your application. But personally I don't like this, because I will not be logged in to your system when logging in from any other PC.

If you get any better solution then please let us know.

Alpha Blue wrote:

Hi Marnen,

Well I run a subscription service on my site that after week 4 will be activated. I just want to make sure that someone doesn't give their logins to 30 of their friends so that they can use the subscription for free and all 30 people logged in simultaneously under the same account name.

If you have features that make it advantageous to have a user account, people are going to want their own accounts. I believe this is a case where the appropriate solution is not a technological one.

So, I'm looking for a good source to follow and I'm trying to implement a restriction of say 3 simultaneous logins per account.

Don't bother unless you somehow tie it to IP address. And even then, I think it will frustrate the user and drive him away from your site.

Best,

How would these be frustrating for users?

There are a couple ways I can think to implement this. First, as was mentioned, restrict login to only the first (or first 3, whatever) successful logins. You'd store the successful login IPs in another table, and just have login fail when there's three or whatever IPs for a given user. Delete the corresponding row when a user logs out. One problem with this, though, is that it does absolutely nothing to prevent multiple users sharing an IP (such as being a VPN or proxy) to log in once one is successful. I also suppose it might be helpful to automatically "expire" inactive IPs after a certain amount of time, but I'm not sure that actually addresses the issue at hand.

Actually the other ways I thought of are pretty horrible, and even the above both doesn't address the problem you're facing *and* makes it harder for the user to make full use of their account. So yeah, forgo trying to enforce this via technology. If you do need to though, you can at least track the login habits of users, and maybe warn those who are massively abusing their privileges.

Alpha Blue wrote:

Can anyone provide me with a good article, screencast, or source on how to restrict multiple logins with Rails? I'm using Restful Authentication with Acts As State Machine and have my login system configured with observers, activation keys, etc.

I'm just trying to move forward a bit and restrict multiple logins.

Thanks..

Store the session cookie into the users table when a user logs in. Set a before filter that checks the session key before serving any request. If it's different from the one in the users table, redirect the user to the login page.

When a user logs in with an account, another user logged in with the same account will be required to log in. If two users keep trying to access the service with the same account, they'll end up logging each other out. However, if a legitimate user tries to access your service with two browsers at the same time, s/he may end up a little upset.

Paolo
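The check described in the post above, as an added example that is not part of the original thread. It goes beyond the single-session case to a cap of N sessions with idle expiry. `SessionRegistry` and its method names are hypothetical, the in-memory hash stands in for the users table, and storing a SHA-256 digest instead of the raw cookie value is an assumption of this sketch:

```ruby
require "securerandom"
require "digest"

# Hypothetical stand-in for a column or table keyed on the user account.
class SessionRegistry
  Entry = Struct.new(:digest, :last_seen)

  def initialize(max_sessions: 1, idle_timeout: 1800)
    @max_sessions = max_sessions
    @idle_timeout = idle_timeout                 # seconds
    @sessions = Hash.new { |h, k| h[k] = [] }    # account => [Entry]
  end

  # Call on successful login; the returned token goes into the session cookie.
  def login(account, now: Time.now)
    prune(account, now)
    token = SecureRandom.hex(32)
    list = @sessions[account]
    list.shift while list.size >= @max_sessions  # newest login evicts the oldest
    list << Entry.new(digest(token), now)
    token
  end

  # The "before filter" check: false means redirect to the login page.
  def valid?(account, token, now: Time.now)
    return false if token.nil?
    prune(account, now)
    entry = @sessions[account].find { |e| e.digest == digest(token) }
    return false unless entry
    entry.last_seen = now                        # activity keeps the session alive
    true
  end

  def logout(account, token)
    @sessions[account].reject! { |e| e.digest == digest(token) }
  end

  private

  # Only the digest is stored, so a leaked table does not expose live tokens.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  def prune(account, now)
    @sessions[account].reject! { |e| now - e.last_seen > @idle_timeout }
  end
end
```

With `max_sessions: 1` this reproduces the behaviour where two people sharing an account keep logging each other out; the idle timeout frees a slot when someone closes the browser without logging out.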

Paolo Montrasio wrote: [...]

However, if a legitimate user tries to access your service with two browsers at the same time, s/he may end up a little upset.

Yes, this is one of the frustrating scenarios I was thinking of -- and of course there are plenty of legitimate reasons to do so.

There's a piece of job portal software that does this (I don't know what it's called, but Skidmore College and Rensselaer Polytechnic Institute both use it for their job listings). If you open two browser windows, it says that's not supported. If you use the Back button, it figures out where it last saw you and zaps you right back to that spot. It drives me nuts -- and that's what I was trying to warn the OP off, among other things.

Best,

My solution will be a careful one. I will log IP address, Time logged in, and account name. If I see more than 5 unique IP addresses using the same account within x time period, I'll mark the user as suspect and possibly send them a warning, if it worsens.

I think this is a safer way to go and this way my users are not burdened by unscrupulous activities of other users...
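The monitoring approach from the post above, as an added example that is not part of the original thread: a sliding window counts distinct IP addresses per account and reports accounts that exceed the threshold. The log format, the function names and the 24-hour default for the "x time period" are assumptions, and the log lines are constructed sample data using documentation IP ranges:

```ruby
require "time"

# Constructed sample login log: "<ISO 8601 time> <account> <ip>".
SAMPLE_LOG = <<~LOG
  2024-06-01T08:00:00Z alice 198.51.100.7
  2024-06-01T19:30:00Z alice 198.51.100.8
  2024-06-02T10:00:00Z bob 203.0.113.1
  2024-06-02T10:20:00Z bob 203.0.113.2
  2024-06-02T11:05:00Z bob 203.0.113.3
  2024-06-02T12:40:00Z bob 203.0.113.4
  2024-06-02T13:15:00Z bob 203.0.113.5
  2024-06-02T15:50:00Z bob 203.0.113.6
  2024-06-01T09:00:00Z carol 192.0.2.1
  2024-06-08T09:00:00Z carol 192.0.2.2
  2024-06-15T09:00:00Z carol 192.0.2.3
  2024-06-22T09:00:00Z carol 192.0.2.4
  2024-06-29T09:00:00Z carol 192.0.2.5
  2024-07-06T09:00:00Z carol 192.0.2.6
LOG

Login = Struct.new(:at, :account, :ip)

def parse_logins(text)
  text.each_line.map(&:split).reject(&:empty?).map do |at, account, ip|
    Login.new(Time.iso8601(at), account, ip)
  end
end

# Returns { account => peak distinct IPs in any window } for accounts whose
# peak is greater than max_ips. window is in seconds.
def suspect_accounts(logins, max_ips: 5, window: 24 * 3600)
  logins.group_by(&:account).each_with_object({}) do |(account, events), suspects|
    events = events.sort_by(&:at)
    counts = Hash.new(0)            # ip => logins inside the current window
    start = peak = 0
    events.each do |ev|
      counts[ev.ip] += 1
      while ev.at - events[start].at > window   # drop logins older than the window
        old = events[start].ip
        counts.delete(old) if (counts[old] -= 1).zero?
        start += 1
      end
      peak = [peak, counts.size].max
    end
    suspects[account] = peak if peak > max_ips
  end
end
```

In the sample, `bob` is flagged with six addresses in one day, while `carol`, who shows six addresses spread over five weeks, is not; the result is input for a warning or manual review, not an automatic block.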

Marnen Laibow-Koser wrote:

Paolo Montrasio wrote: [...]

However, if a legitimate user tries to access your service with two browsers at the same time, s/he may end up a little upset.

Yes, this is one of the frustrating scenarios I was thinking of -- and of course there are plenty of legitimate reasons to do so.

All I have to contribute is this: Finding out that a service that might interest me was going through this much trouble to prevent users from "sharing" an account would definitely make me lose interest immediately. Not that I would want to share the account, but I would decline on principle. If you don't trust me then I don't want anything to do with your service. Just create a clear terms of service agreement, which allows me to decide whether to sign up or not. That's how the big guys do it, and it tends to work out pretty well.

I also agree that if the site has compelling reasons to sign up, then I'd want to have my own account anyway.

Just some food for thought.