Hello friends,
I would like to know if there is the possibility of blocking the login in the application if it is already logged in.
Best regards.
Marcelo
Block login if it is already logged in.
- Marcelo Vitoria
- Veteran Member
- Posts: 60
- Joined: 2016-10-11 12:08
Marcelo Vitoria
Coding since 1984 Basic Sinclair!
Clipper Summer´87 - Visual Foxpro - VB6 - PHP
AppGini 24.11 - AdminLTE
https://www.workspaceservices.com.br
- D Oliveira
- AppGini Super Hero
- Posts: 347
- Joined: 2018-03-04 09:30
- Location: David
Re: Block login if it is already logged in.
... it is already logged in ... What do you mean by "it"? Is it a specific user? This is a very vague question; please elaborate, providing details, examples and ideally some code so we can take a look.
Re: Block login if it is already logged in.
Presumably the same question as your own back in 2019
viewtopic.php?t=3340
Some helpful tips from Ahmad but no definitive code
Re: Block login if it is already logged in.
There are several problems:
User can open several browser tabs on the same machine and also on other devices.
Additionally there may be impersonated cURL calls or javascript fetches to some AppGini API handler.
HTTP AGENT detection could not distinguish between different tabs in the same browser.
Comparing the IP addresses will not work when using different browsers on the same machine or when using incognito mode in the same browser.
You would need some kind of fingerprint, generated on the client side and stored on the server side; additionally you need some "keep alive" interval for telling the server that this connection, identified by fingerprint, is still alive. Then, when logging in to the same site from a different machine or different browser (=different fingerprint), deny access and automatically log out. Or allow access and log out the other connection.
Even fingerprinting can only give a good level of certainty but never 100% accuracy.
This is possible to do but not trivial and requires a lot of JavaScript code using AJAX and PHP code to write.
Just my 2 cents.
Kind regards,
<js />
My AppGini Blog:
https://appgini.bizzworxx.de/blog
You can help us helping you:
Please always put code fragments inside
[code]...[/code]
blocks for better readability
AppGini 24.10 Revision 1579 + all AppGini Helper tools
- D Oliveira
- AppGini Super Hero
- Posts: 347
- Joined: 2018-03-04 09:30
- Location: David
Re: Block login if it is already logged in.
Or just whitelist certain inbound IPs on your server if you want employees to log in only at the office's physical location (assuming that's your scenario).
- D Oliveira
- AppGini Super Hero
- Posts: 347
- Joined: 2018-03-04 09:30
- Location: David
Re: Block login if it is already logged in.
You're perfectly accurate in your analysis, but I will say tools like ChatGPT nowadays give us a great jump start for this kind of thing. Just fed this prompt and got the following:
As you mentioned, a more robust solution could involve generating a unique client-side fingerprint that is stored on the server-side along with the user's session. This fingerprint can be generated by combining various browser and device characteristics such as browser type, screen size, installed fonts, etc. There are libraries and tools available that can help generate such a fingerprint, such as fingerprintjs2.
In addition to the fingerprint, a "keep alive" mechanism could be implemented, where the client periodically sends a request to the server to confirm the session is still active. If the server does not receive a keep alive request within a certain time frame, it can assume that the session has ended and log out the user.
Here are some steps you can follow to implement this approach:
Use a library such as fingerprintjs2 to generate a unique client-side fingerprint that is sent to the server during login:
javascript
new Fingerprint2().get(function(result) {
    // result is a unique identifier for the client's browser and device
    // send result to the server during login
});
php
// Store the fingerprint along with the session ID in the database
$sql = "INSERT INTO user_sessions (user_id, session_id, fingerprint, last_activity) VALUES (?, ?, ?, NOW())";
$stmt = $pdo->prepare($sql);
$stmt->execute([$user_id, $session_id, $fingerprint]);
javascript
setInterval(function() {
    // send an AJAX request to the server to confirm the session is still active
}, 60000); // send request every minute
php
// Retrieve the user's session and fingerprint from the database
$sql = "SELECT * FROM user_sessions WHERE session_id = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$session_id]);
$session = $stmt->fetch();
// fetch() returns false when no row matches, so treat a missing session
// the same as a fingerprint that does not match the stored one
if ($session === false || $session['fingerprint'] !== $fingerprint) {
    // Log out the user and display an error message
}
php
// Delete the session record from the database
$sql = "DELETE FROM user_sessions WHERE session_id = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$session_id]);
// Destroy the session
session_destroy();
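The "deny access, or allow access and log out the other connection" choice discussed in the posts above, enforced per user on the server, as an added example that is not code from any poster or from AppGini. It keys the slot on the server-issued session ID rather than a client fingerprint; the schema (user_id as primary key, integer timestamps), the TTL and the function names are assumptions, and wiring it into AppGini's login flow is not shown.

```php
<?php
// Added example, not from the thread. TTL, names and integer timestamps are assumptions.
const SESSION_TTL = 120; // seconds without a keep-alive before the slot is free

// Returns true if $sessionId now holds the user's single login slot.
function claim_login(PDO $pdo, int $userId, string $sessionId, int $now, bool $kickOld): bool
{
    // Free the slot if its holder went stale (crashed browser) or is this same session.
    $pdo->prepare('DELETE FROM user_sessions
                    WHERE user_id = ? AND (last_activity < ? OR session_id = ?)')
        ->execute([$userId, $now - SESSION_TTL, $sessionId]);
    if ($kickOld) {
        // Policy "newest wins": revoke whoever holds the slot.
        $pdo->prepare('DELETE FROM user_sessions WHERE user_id = ?')->execute([$userId]);
    }
    try {
        $pdo->prepare('INSERT INTO user_sessions (user_id, session_id, last_activity)
                       VALUES (?, ?, ?)')->execute([$userId, $sessionId, $now]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') {
            throw $e; // not a key violation: a real database error
        }
        return false; // PRIMARY KEY(user_id) is taken: policy "deny second login"
    }
}

// Run on every request and on each keep-alive ping.
function touch_session(PDO $pdo, int $userId, string $sessionId, int $now): bool
{
    $q = $pdo->prepare('SELECT 1 FROM user_sessions
                         WHERE user_id = ? AND session_id = ? AND last_activity >= ?');
    $q->execute([$userId, $sessionId, $now - SESSION_TTL]);
    if ($q->fetchColumn() === false) {
        return false; // revoked or expired: caller should destroy the PHP session
    }
    $pdo->prepare('UPDATE user_sessions SET last_activity = ? WHERE user_id = ? AND session_id = ?')
        ->execute([$now, $userId, $sessionId]);
    return true;
}

// Constructed demo on an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_sessions (user_id INTEGER PRIMARY KEY, session_id TEXT, last_activity INTEGER)');
var_dump(claim_login($pdo, 7, 'sess-A', 1000, false)); // first login
var_dump(claim_login($pdo, 7, 'sess-B', 1030, false)); // second device, deny policy
var_dump(claim_login($pdo, 7, 'sess-B', 1030, true));  // second device, newest-wins policy
var_dump(touch_session($pdo, 7, 'sess-A', 1040));      // old session's next request
```

Because the database's primary key on user_id decides who holds the slot, two simultaneous logins cannot both succeed, and the TTL keeps a closed browser from locking the account indefinitely.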
- Marcelo Vitoria
- Veteran Member
- Posts: 60
- Joined: 2016-10-11 12:08
Re: Block login if it is already logged in.
Hello friends, thank you for your help.
The intention is that if a user logs into the app, another person cannot log into the app using the same username and password, whether they are in the same location/network or not.
I have a client who doesn't care about security, but when others log in with his password that he shared, he thinks everyone wants to steal from him.
Typical of ignorant people, but the only method would be to block shared password access and force everyone to have their own username and password.
Thanks again for the answers
Marcelo Vitoria
Coding since 1984 Basic Sinclair!
Clipper Summer´87 - Visual Foxpro - VB6 - PHP
AppGini 24.11 - AdminLTE
https://www.workspaceservices.com.br