Restricting Multiple Logins

Can anyone provide me with a good article, screencast, or source on how
to restrict multiple logins with rails? I'm using Restful
Authentication with Acts As State Machine and have my login system
configured with observers, activation keys, etc.

I'm just trying to move forward a bit and restrict multiple logins.

Thanks..

Alpha Blue wrote:

Can anyone provide me with a good article, screencast, or source on how
to restrict multiple logins with rails?

[...]

By "multiple logins", you mean the same user logged in multiple times
simultaneously, right? If so, then I suspect that this will be
frustrating to implement and frustrating for the users to deal with.
Why bother?

Best,

Hi Alpha,
I am just sharing some thoughts; I am not sure how much they will help
you.

1. Are you using database sessions for login purposes? In that case you
can check from the database whether this guy is already logged in or not
and restrict the person if someone is already logged in, or expire the
session of the previously logged-in user.

2. Second, you can track the IP address. For one user you can allow
only one IP address, the IP address from which he signed up to your
application. But personally I don't like this because then I will not
be able to log in to your system from any other PC.

If you get any better solution then please let us know.

Alpha Blue wrote:

Hi Marnen,

Well I run a subscription service on my site that after week 4 will be
activated. I just want to make sure that someone doesn't give their
logins to 30 of their friends so that they can use the subscription for
free and all 30 people logged in simultaneously under the same account
name.

If you have features that make it advantageous to have a user account,
people are going to want their own accounts. I believe this is a case
where the appropriate solution is not a technological one.

So, I'm looking for a good source to follow and I'm trying to implement
a restriction of say 3 simultaneous logins per account.

Don't bother unless you somehow tie it to IP address. And even then, I
think it will frustrate the user and drive him away from your site.

Best,

How would these be frustrating for users?

There are a couple ways I can think to implement this. First, as was
mentioned, restrict login to only the first (or first 3, whatever)
successful logins. You'd store the successful login IPs in another
table, and just have login fail when there's three or whatever IPs for
a given user. Delete the corresponding row when a user logs out. One
problem with this, though, is that it does absolutely nothing to
prevent multiple users sharing an IP (such as being a VPN or proxy) from
logging in once one is successful. I also suppose it might be helpful to
automatically "expire" inactive IPs after a certain amount of time,
but I'm not sure that actually addresses the issue at hand.

Actually the other ways I thought of are pretty horrible, and even the
above both doesn't address the problem you're facing *and* makes it
harder for the user to make full use of their account. So yeah, forgo
trying to enforce this via technology. If you do need to though, you
can at least track the login habits of users, and maybe warn those who
are massively abusing their privileges.

Alpha Blue wrote:

Can anyone provide me with a good article, screencast, or source on how
to restrict multiple logins with rails? I'm using Restful
Authentication with Acts As State Machine and have my login system
configured with observers, activation keys, etc.

I'm just trying to move forward a bit and restrict multiple logins.

Thanks..

Store the session cookie into the users table when a user logs in.
Set a before filter that checks the session key before serving any
request. If it's different from the one in the users table, redirect the
user to the login page.

When a user logs in with an account, another user logged in with the same
account will be required to log in. If two users keep trying to access
the service with the same account they'll end up logging each other out.
However, if a legitimate user tries to access your service with two
browsers at the same time, s/he may end up a little upset.

Paolo
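
One way to implement the check described in the post above, as an added example that is not part of the original thread. Plain Ruby stands in for the Rails before filter; `SessionGate`, `active_session_digest` and the in-memory user store are hypothetical names, and storing a SHA-256 digest of a random per-login token instead of the raw session cookie is a variation on what the post describes.

```ruby
require "securerandom"
require "digest"

# Hypothetical stand-in for a row of the users table; in a Rails app this
# would be a column on the User model (assumed name: active_session_digest).
User = Struct.new(:login, :active_session_digest)

class SessionGate
  def initialize(users)
    @users = users # login => User
  end

  # Called after successful authentication. Issues a fresh random token for
  # the browser session and stores only its digest, so a leaked users table
  # does not reveal a usable session value.
  def log_in(login)
    token = SecureRandom.hex(32)
    @users.fetch(login).active_session_digest = Digest::SHA256.hexdigest(token)
    token
  end

  # The "before filter": :ok only when the presented token is the one most
  # recently issued for the account, otherwise send the user to the login page.
  def check(login, token)
    user = @users[login]
    return :redirect_to_login if user.nil? || token.nil?
    return :redirect_to_login if user.active_session_digest.nil?
    presented = Digest::SHA256.hexdigest(token)
    presented == user.active_session_digest ? :ok : :redirect_to_login
  end

  # Logging out clears the stored digest so the old token stops working.
  def log_out(login)
    @users.fetch(login).active_session_digest = nil
  end
end

# Constructed scenario: two browsers using the same account.
def demo_shared_account
  gate = SessionGate.new({ "alice" => User.new("alice", nil) })
  first  = gate.log_in("alice")        # browser A
  before = gate.check("alice", first)  # A is the active session
  second = gate.log_in("alice")        # browser B logs in, replacing A
  [before, gate.check("alice", first), gate.check("alice", second)]
end
```
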

Paolo Montrasio wrote:
[...]

However if a legitimate user tries to access your service with two
browsers at the same time, s/he may end up a little upset.

Yes, this is one of the frustrating scenarios I was thinking of -- and
of course there are plenty of legitimate reasons to do so.

There's a piece of job portal software that does this (I don't know what
it's called, but Skidmore College and Rensselaer Polytechnic Institute
both use it for their job listings). If you open two browser windows,
it says that's not supported. If you use the Back button, it figures
out where it last saw you and zaps you right back to that spot. It
drives me nuts -- and that's what I was trying to warn the OP off, among
other things.

Best,

My solution will be a careful one. I will log IP address, Time logged
in, and account name. If I see more than 5 unique IP addresses using
the same account within x time period, I'll mark the user as suspect and
possibly send them a warning, if it worsens.

I think this is a safer way to go and this way my users are not burdened
by unscrupulous activities of other users...
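
A sketch of the monitoring approach described in the post above, as an added example that is not part of the original thread. The log format, the account names, the 24-hour default for the unspecified "x time period" and the function names are all assumptions; the sample log is constructed and uses documentation-range IP addresses.

```ruby
require "time"

# Constructed sample login log (timestamp, account, IP); not real data.
SAMPLE_LOG = <<~LOG
  2009-10-01T08:00:00Z shared 192.0.2.1
  2009-10-01T09:00:00Z shared 192.0.2.2
  2009-10-01T10:00:00Z shared 192.0.2.3
  2009-10-01T11:00:00Z shared 192.0.2.4
  2009-10-01T12:00:00Z shared 192.0.2.5
  2009-10-01T13:00:00Z shared 192.0.2.6
  2009-10-01T08:00:00Z roaming 198.51.100.1
  2009-10-08T08:00:00Z roaming 198.51.100.2
  2009-10-15T08:00:00Z roaming 198.51.100.3
  2009-10-22T08:00:00Z roaming 198.51.100.4
  2009-10-29T08:00:00Z roaming 198.51.100.5
  2009-11-05T08:00:00Z roaming 198.51.100.6
LOG

# Turns each log line into [account, ip, Time].
def parse_logins(log)
  log.each_line.map do |line|
    at, account, ip = line.split
    [account, ip, Time.iso8601(at)]
  end
end

# Returns { account => peak distinct-IP count } for accounts seen from more
# than max_ips distinct IPs inside any sliding window of `window` seconds.
def suspect_accounts(events, max_ips: 5, window: 24 * 3600)
  suspects = {}
  events.group_by(&:first).each do |account, rows|
    rows = rows.sort_by { |_, _, at| at }
    start = 0
    counts = Hash.new(0) # ip => logins currently inside the window
    peak = 0
    rows.each do |_, ip, at|
      counts[ip] += 1
      while at - rows[start][2] > window # drop logins older than the window
        old_ip = rows[start][1]
        counts[old_ip] -= 1
        counts.delete(old_ip) if counts[old_ip].zero?
        start += 1
      end
      peak = [peak, counts.size].max
    end
    suspects[account] = peak if peak > max_ips
  end
  suspects
end
```

With the default window only `shared` is flagged; `roaming` uses six addresses too, but spread over five weeks, which is why the window length matters as much as the IP threshold.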

Marnen Laibow-Koser wrote:

Paolo Montrasio wrote:
[...]

However if a legitimate user tries to access your service with two
browsers at the same time, s/he may end up a little upset.

Yes, this is one of the frustrating scenarios I was thinking of -- and
of course there are plenty of legitimate reasons to do so.

All I have to contribute is this: Finding out that a service that
might interest me was going through this much trouble to prevent users
from "sharing" an account would definitely make me lose interest
immediately. Not that I would want to share the account, but I would
decline on principle. If you don't trust me then I don't want anything
to do with your service. Just create a clear terms of service agreement,
which allows me to decide whether to sign up or not. That's how the big
guys do it, and it tends to work out pretty well.

I also agree that if the site has compelling reasons to sign up, then
I'd want to have my own account anyway.

Just some food for thought.