Block login if it is already logged in.

The recommended method of customizing your AppGini-generated application is through hooks. But sometimes you might need to add functionality not accessible through hooks. You can discuss this here.
Marcelo Vitoria
Veteran Member
Posts: 56
Joined: 2016-10-11 12:08

Block login if it is already logged in.

Post by Marcelo Vitoria » 2023-02-19 15:10

Hello friends,

I would like to know if there is the possibility of blocking the login in the application if it is already logged in.

Best regards.

Marcelo
Marcelo Vitoria
Coding since 1984 Basic Sinclair!
Clipper Summer´87 - Visual Foxpro - VB6
AppGini 24.10 - AdminLTE
https://www.workspace.inf.br

D Oliveira
AppGini Super Hero
Posts: 344
Joined: 2018-03-04 09:30
Location: Orlando, FL

Re: Block login if it is already logged in.

Post by D Oliveira » 2023-02-19 21:12

... it is already logged in ... what do you mean by "it"? Is it a specific user? This is a very vague question, please elaborate providing details, examples and ideally some code so we can take a look.

peebee
AppGini Super Hero
Posts: 349
Joined: 2013-03-21 04:37

Re: Block login if it is already logged in.

Post by peebee » 2023-02-20 22:32

Presumably the same question as your own back in 2019 ;)

viewtopic.php?t=3340

Some helpful tips from Ahmad but no definitive code

jsetzer
AppGini Super Hero
Posts: 1792
Joined: 2018-07-06 06:03
Location: Kiel, Germany

Re: Block login if it is already logged in.

Post by jsetzer » 2023-02-21 05:44

There are several problems:

User can open several browser tabs on the same machine and also on other devices.

Additionally there may be impersonated cURL calls or javascript fetches to some AppGini API handler.

HTTP AGENT detection could not distinguish between different tabs in the same browser.

Comparing the IP addresses will not work when using different browsers on the same machine or when using incognito mode in the same browser.

You would need some kind of fingerprint, generated on the client side and stored on the server side. Additionally you need some "keep alive" interval for telling the server that this connection, identified by fingerprint, is still alive. Then, when logging into the same site from a different machine or different browser (= different fingerprint), deny access and automatically log out. Or allow access and log out the other connection.

Even fingerprinting can only give a good level of certainty but never 100% accuracy.

This is possible to do but not trivial and requires a lot of Javascript code using AJAX and PHP code to write.

Just my 2 cents.
Kind regards,
<js />

My AppGini Blog:
https://appgini.bizzworxx.de/blog

You can help us helping you:
Please always put code fragments inside [code]...[/code] blocks for better readability

AppGini 24.10 Revision 1579 + all AppGini Helper tools


Re: Block login if it is already logged in.

Post by D Oliveira » 2023-02-21 20:32

or just whitelist certain inbound IPs on your server if you want employees to log in only at the office's physical location (assuming that's your scenario) :)


Re: Block login if it is already logged in.

Post by D Oliveira » 2023-02-21 21:12

jsetzer wrote:
2023-02-21 05:44
This is possible to do but not trivial and requires a lot of Javascript code using AJAX and PHP code to write.

you're perfectly accurate in your analysis, but I will say tools like ChatGPT nowadays give us a great jump start for this kind of thing. I just fed it this prompt and got the following:

As you mentioned, a more robust solution could involve generating a unique client-side fingerprint that is stored on the server-side along with the user's session. This fingerprint can be generated by combining various browser and device characteristics such as browser type, screen size, installed fonts, etc. There are libraries and tools available that can help generate such a fingerprint, such as fingerprintjs2.

In addition to the fingerprint, a "keep alive" mechanism could be implemented, where the client periodically sends a request to the server to confirm the session is still active. If the server does not receive a keep alive request within a certain time frame, it can assume that the session has ended and log out the user.

Here are some steps you can follow to implement this approach:

1. Use a library such as fingerprintjs2 to generate a unique client-side fingerprint that is sent to the server during login:

javascript

new Fingerprint2().get(function(result) {
  // result is a unique identifier for the client's browser and device
  // send result to the server during login
});

2. Store the fingerprint along with the user's session ID in the database:

php

// Store the fingerprint along with the session ID in the database
$sql = "INSERT INTO user_sessions (user_id, session_id, fingerprint, last_activity) VALUES (?, ?, ?, NOW())";
$stmt = $pdo->prepare($sql);
$stmt->execute([$user_id, $session_id, $fingerprint]);

3. Implement a "keep alive" mechanism on the client side, using AJAX to send periodic requests to the server:

javascript

setInterval(function() {
  // send an AJAX request to the server to confirm the session is still active
}, 60000); // send request every minute

4. On the server side, check the fingerprint and last activity time for each session during login:

php

// Retrieve the user's session and fingerprint from the database
$sql = "SELECT * FROM user_sessions WHERE session_id = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$session_id]);
$session = $stmt->fetch(PDO::FETCH_ASSOC);

// No stored session, or the fingerprint does not match the one stored in the database
if ($session === false || $session['fingerprint'] !== $fingerprint) {
  // Log out the user and display an error message
}

5. Log out the user and delete the session record from the database when the user logs out or the session expires:

php

// Delete the session record from the database
$sql = "DELETE FROM user_sessions WHERE session_id = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$session_id]);

// Destroy the session
session_destroy();
Note that while this approach can improve session tracking, it is not foolproof and can still be circumvented by determined attackers. Therefore, it is important to consider additional security measures, such as using HTTPS, implementing CSRF protection, and validating user input.
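
Putting the pieces from jsetzer's design and the steps above together, here is an added stand-alone example (not from this thread, not AppGini's own code) of the server-side half: a registry that allows one live session per account, where "live" means a keep-alive arrived within KEEPALIVE_TIMEOUT seconds. It reuses the user_sessions table from the steps above but backs it with an in-memory SQLite database so it runs on its own; the function names, KEEPALIVE_TIMEOUT and the timestamps are assumptions.

```php
<?php
// Added example: single-active-session registry with keep-alive expiry.
// Assumed: KEEPALIVE_TIMEOUT, tryLogin(), keepAlive(), SQLite instead of MySQL.
const KEEPALIVE_TIMEOUT = 120; // seconds without a keep-alive before a session counts as dead

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user_sessions (user_id INTEGER, session_id TEXT PRIMARY KEY,
            fingerprint TEXT, last_activity INTEGER)");

// Called after the password check has succeeded. Returns true if the login may proceed.
function tryLogin(PDO $pdo, int $userId, string $sessionId, string $fingerprint, int $now): bool {
    // A session for this user that sent a keep-alive recently is still live.
    $stmt = $pdo->prepare("SELECT fingerprint FROM user_sessions
                           WHERE user_id = ? AND last_activity > ?");
    $stmt->execute([$userId, $now - KEEPALIVE_TIMEOUT]);
    $live = $stmt->fetchColumn();
    if ($live !== false && $live !== $fingerprint) {
        return false; // another device holds this account: the "deny access" variant
    }
    // Drop stale or same-device rows so the account has exactly one registered session.
    $pdo->prepare("DELETE FROM user_sessions WHERE user_id = ?")->execute([$userId]);
    $pdo->prepare("INSERT INTO user_sessions (user_id, session_id, fingerprint, last_activity)
                   VALUES (?, ?, ?, ?)")->execute([$userId, $sessionId, $fingerprint, $now]);
    return true;
}

// Called by the periodic AJAX keep-alive. Returns false if the session expired or was displaced,
// which is the client's signal to log out locally.
function keepAlive(PDO $pdo, string $sessionId, string $fingerprint, int $now): bool {
    $stmt = $pdo->prepare("UPDATE user_sessions SET last_activity = ?
                           WHERE session_id = ? AND fingerprint = ? AND last_activity > ?");
    $stmt->execute([$now, $sessionId, $fingerprint, $now - KEEPALIVE_TIMEOUT]);
    return $stmt->rowCount() === 1;
}

// Constructed walk-through with fixed timestamps: user 7 logs in from device A; device B is
// refused while A keeps sending keep-alives; B gets in once A has been silent for longer than
// KEEPALIVE_TIMEOUT, after which A's next keep-alive fails because its row is gone.
$t = 1000;
var_dump(tryLogin($pdo, 7, 'sessA', 'fpA', $t));
var_dump(tryLogin($pdo, 7, 'sessB', 'fpB', $t + 30));
var_dump(keepAlive($pdo, 'sessA', 'fpA', $t + 60));
var_dump(tryLogin($pdo, 7, 'sessB', 'fpB', $t + 60 + KEEPALIVE_TIMEOUT + 1));
var_dump(keepAlive($pdo, 'sessA', 'fpA', $t + 200));
```

Swapping the early `return false` for a DELETE of the other row gives jsetzer's second variant (allow access, log the other connection out on its next keep-alive); either way the fingerprint caveat from the thread still applies, since two browsers with the same fingerprint are treated as one device.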


Re: Block login if it is already logged in.

Post by Marcelo Vitoria » 2023-09-22 16:22

Hello friends, thank you for your help.

The intention is that if a user logs into the app, another person cannot log into the app using the same username and password, whether they are in the same location/network or not.

I have a client who doesn't care about security, but when others log in with his password that he shared, he thinks everyone wants to steal from him.

Typical of ignorant people, but the only method would be to block shared password access and force everyone to have their own username and password.

Thanks again for the answers
