
Thread: Concurrent Logins of same User ID's?

  1. #1
    VAR csda1's Avatar
    Real Name
    Ira J Perlow
    Join Date
    Apr 2000
    Location
    Boston, Massachusetts, USA
    Posts
    3,530

    Default Concurrent Logins of same User ID's?

    When multiple logins using the same user ID occur on the WAS, I believe there is nothing stopping this.

    Assuming it was possible to use multiple logins with the same ID, would it be possible to programmatically do the following:
    1. keep the new user from logging on, or
    2. shut down the other user login and allow the current one to continue
    If this is not possible (well easily anyway), it should be a feature of the security framework.

    Thanks!
    Regards,

    Ira J. Perlow
    Computer Systems Design


    CSDA A5 Products
    New - Free CSDA DiagInfo - v1.39, 30 Apr 2013
    CSDA Barcode Functions

    CSDA Code Utility
    CSDA Screen Capture



  2. #2
    Former Alpha Employee JerryBrightbill's Avatar
    Real Name
    Jerry Brightbill
    Join Date
    Apr 2000
    Posts
    5,173

    Default Re: Concurrent Logins of same User ID's?

    The security framework by default does not allow duplicate userid's to be assigned in the same project. If you have multiple projects, it is possible to use the same id in different projects as they don't share security.

    However, there is currently nothing to prevent the same user from logging in on multiple computers using the same id. Each browser instance opens in its own session and all security info runs in memory based on that session. The only way to determine if the user is logged in on another session is to search all open sessions, which would be problematic on a large system. Nothing is written to a file during login.

    If the user is working on one computer and the session on the other computer times out, the security information is cleared on the other session. If they have remember me selected, they can be automatically logged in on the current session. If they open the original session with remember me, they would automatically be logged in on that session.
    Last edited by JerryBrightbill; 08-09-2007 at 03:51 PM.

  3. #3
    VAR csda1's Avatar
    Real Name
    Ira J Perlow
    Join Date
    Apr 2000
    Location
    Boston, Massachusetts, USA
    Posts
    3,530

    Default Re: Concurrent Logins of same User ID's?

    Hi Jerry,

    It's not a question of allowing duplicate IDs, it's whether 2 people at 2 different computers can log in at the same time with the same user ID. If this is something the security framework can't handle, perhaps it should (via user_id alias or similar).

    The most common case is either 2 or more persons are sharing the same ID (not normally desired but does fit the paradigm in some situations) or, more likely, did not log out from their previous computer (say the one at work versus home).

    I'd like us to be able to have a security framework choice of
    1. Not allowing the 2nd login
    2. Prompting the 2nd login as to whether to log out the 1st login, and if yes, logging out the 1st instance of the user ID and logging in the 2nd
    3. Automatically logging out the 1st user and logging in the 2nd user
    4. Allow as many duplicate user ID logins up to a specified maximum - In this case it would not be normally possible to log off the earlier logins unless you wanted to log off based upon oldest last activity.
    Finally, I'd like to do a check prior to logging a user in to see how many concurrent users from his group (company) are logged in (or potentially other criteria) and if it is larger than their maximum, deny access to that login.
    Regards,

    Ira J. Perlow
    Computer Systems Design





  4. #4
    Volunteer Moderator Peter.Greulich's Avatar
    Real Name
    Peter Greulich
    Join Date
    Apr 2000
    Location
    Boston, MA
    Posts
    11,654

    Default Re: Concurrent Logins of same User ID's?

    Not sure if this is relevant, but I believe all online email accounts allow multiple simultaneous logins to the same account as long as they are from different machines. I have never tried this with my bank/credit card accounts but the same principle may apply. I assume the "server" (i.e. typical web applications) does not want to track current logins to avoid problems of inadvertently locking valid users out. How can you tell if someone, say, closed the browser without pressing "logout"?

  5. #5
    Member
    Real Name
    Stanley (Mike) Parks
    Join Date
    Jan 2007
    Location
    Madison, SD
    Posts
    56

    Default Re: Concurrent Logins of same User ID's?

    I think what Ira is concerned about can be displayed with the diagram below:

    Example - 3 separate people at 3 separate computers logging in to the same Web App at the same time as the SAME USER and having equal security access designated to that user.


    Fred logs in as User 1 ----\
    John logs in as User 1 ------ XYZ Co. Web App
    Mary logs in as User 1 ----/

    There should be a way to prevent this from happening (i.e. stolen or shared IDs)

    Mike

  6. #6
    Volunteer Moderator Peter.Greulich's Avatar
    Real Name
    Peter Greulich
    Join Date
    Apr 2000
    Location
    Boston, MA
    Posts
    11,654

    Default Re: Concurrent Logins of same User ID's?

    Mike,

    If Fred closes his browser w/o logging out, how does the server know not to let John in?

  7. #7
    "Certified" Alphaholic
    Real Name
    Mike Christensen
    Join Date
    Nov 2005
    Location
    Michigan U.P.
    Posts
    5,937

    Default Re: Concurrent Logins of same User ID's?

    Not knowing but what I have experienced this must be possible as Yahoo Messenger limits a login to one person no matter what PC that person is on--I have many times kicked myself off of my main PC's Yahoo when logging in with the same user ID while on my laptop...so only ONE user ID logged on is allowed at any given time.
    Mike
    __________________________________________
    It is only when we forget all our learning that we begin to know.
    It's not what you look at that matters, it's what you see.
    Henry David Thoreau
    __________________________________________




  8. #8
    Alpha Software Employee AaronBBrown's Avatar
    Real Name
    Aaron Brown
    Join Date
    Feb 2001
    Location
    Waltham, MA
    Posts
    2,836

    Default Re: Concurrent Logins of same User ID's?

    Quote Originally Posted by MikeC View Post
    Not knowing but what I have experienced this must be possible as Yahoo Messenger limits a login to one person no matter what PC that person is on--I have many times kicked myself off of my main PC's Yahoo when logging in with the same user ID while on my laptop...so only ONE user ID logged on is allowed at any given time.
    Yahoo Messenger is a completely different model than a web application. Web applications are disconnected. The only time a connection exists is when data is being sent (a link was clicked). With YM, there is a persistent connection being kept open. When the connection goes away, the user has logged out. If someone logs into another place, YM can close the old connection.
    Aaron Brown
    Alpha Software Development Team

  9. #9
    Former Alpha Employee JerryBrightbill's Avatar
    Real Name
    Jerry Brightbill
    Join Date
    Apr 2000
    Posts
    5,173

    Default Re: Concurrent Logins of same User ID's?

    If more than one user has obtained the same login and password, you already have a serious security breach and no system will protect you from abuse.

    The current system can be configured to limit the login time to the session, until the user closes the browser, or for some specified time. If this is a significant concern, set the expiration to the session or until the browser closes. When the session times out, or the user closes the browser, they are automatically logged off and must log in again regardless of what computer they use.

    The remember me functionality should perhaps be called automatic login, since it will automatically login the last user logged in from the specific computer if it is configured and was selected at login. While that gives the appearance of persistence, they are actually logged out automatically when the session times out. The next time they make a request to the server from the same computer, if remember me was selected, their information is used to log them in behind the scenes.

  10. #10
    VAR csda1's Avatar
    Real Name
    Ira J Perlow
    Join Date
    Apr 2000
    Location
    Boston, Massachusetts, USA
    Posts
    3,530

    Default Re: Concurrent Logins of same User ID's?

    Hi Jerry,

    You still haven't answered (at least clearly) my initial question.
    What happens in the current implementation of the security framework when the 2nd login of the same user ID logs in assuming the timeout of the 1st login has not yet occurred? Does it permit it, is there a meaningful message that says it is denied or what?
    The timeout cannot be set too low, otherwise it would be extremely annoying to anyone who is logged in. The normal case (as I stated before) is the 2nd user is really the same as the 1st user that never logged out at the 1st station. This is not a breach of security of the user ID. They do not want to have to return to the 1st computer or can't (e.g. business is locked up) but neither do they want to wait for the timeout. This is a feature that I (and I expect other developers would want) to conditionally allow for some specific applications and not for others.

    There is also the more odd case (I don't like it personally but then I am not the client) where the distribution of separate user IDs/passwords is not practical in a large organization. In that odd case, they hand out essentially the used id/password of the week to all, hence the need for allowing multiple logins up to an allowed count.

    In either case, since sometimes the web server is acting as a paid service, there needs to be a way to establish the total numbers of current users (the same or different login id's) that are currently logged in and that are not timed out that meet a criteria from some developer's table (e.g. the number logged in from a single company) and use that as an additional validation as to whether they can login or not. That means we need to be able to get the current list of logged in users, and compare that to the criteria from our table, and deny the log in request even if it met the user id & password. Can this be done?

    Thanks!
    Regards,

    Ira J. Perlow
    Computer Systems Design





  11. #11
    Member
    Real Name
    Clint Griggs
    Join Date
    Sep 2005
    Posts
    194

    Default Re: Concurrent Logins of same User ID's?

    Quote Originally Posted by csda1 View Post
    Hi Jerry,

    You still haven't answered (at least clearly) my initial question.
    What happens in the current implementation of the security framework when the 2nd login of the same user ID logs in assuming the timeout of the 1st login has not yet occurred? Does it permit it, is there a meaningful message that says it is denied or what?
    The timeout cannot be set too low, otherwise it would be extremely annoying to anyone who is logged in. The normal case (as I stated before) is the 2nd user is really the same as the 1st user that never logged out at the 1st station. This is not a breach of security of the user ID. They do not want to have to return to the 1st computer or can't (e.g. business is locked up) but neither do they want to wait for the timeout. This is a feature that I (and I expect other developers would want) to conditionally allow for some specific applications and not for others.

    There is also the more odd case (I don't like it personally but then I am not the client) where the distribution of separate user IDs/passwords is not practical in a large organization. In that odd case, they hand out essentially the used id/password of the week to all, hence the need for allowing multiple logins up to an allowed count.

    In either case, since sometimes the web server is acting as a paid service, there needs to be a way to establish the total numbers of current users (the same or different login id's) that are currently logged in and that are not timed out that meet a criteria from some developer's table (e.g. the number logged in from a single company) and use that as an additional validation as to whether they can login or not. That means we need to be able to get the current list of logged in users, and compare that to the criteria from our table, and deny the log in request even if it met the user id & password. Can this be done?

    Thanks!
    See if this helps. When a user logs in, capture their IP address (assuming they are not behind a firewall/proxy etc, it will be unique). Use that to indicate that different *people* are trying to log on at the same time with the same user name.

    Plan B. Use a secondary password to challenge the user with the password to make sure they really are that user, make it change automatically to prevent guessing (I do this myself).

    Plan C. If you know the location (eg. they always access from a corp computer.) you could place a cookie like file on that person's computer that your login procedure could check for (I'm pondering this option for my users).

    Good luck.

  12. #12
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,843

    Default Re: Concurrent Logins of same User ID's?

    Ira, I can test these scenarios out. I have five apps on the same server, all with the same username/pwd for my login. One is v7 style security, the others use S/F. From what I observe so far, they all act independently.

    Logging in to one does not give me access to the others.
    Logging out of one does not affect my status on the others.
    Logging in as Admin on one does not give me Admin rights on the others.

    That means we need to be able to get the current list of logged in users, and compare that to the criteria from our table, and deny the log in request even if it met the user id & password. Can this be done?
    I don't think you can tweak S/F to deny all access based on currently active users. But you could easily do this in either a second phase, or first phase check.

    Second phase: Every time someone logs in, count the number of active sessions (there's a function for that), and if greater than x, redirect them to a page that logs them out and displays the reason.

    First phase: You could also do this by adding code to your login A5W page that got that active session count and inhibited the login component using an IF-ELSE statement at the proper place on the A5W page.
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

  13. #13
    VAR csda1's Avatar
    Real Name
    Ira J Perlow
    Join Date
    Apr 2000
    Location
    Boston, Massachusetts, USA
    Posts
    3,530

    Default Re: Concurrent Logins of same User ID's?

    Hi Steve,

    Quote Originally Posted by Steve Wood View Post
    I have five apps on the same server, all with the same username/pwd for my login. One is v7 style security, the others use S/F. From what I observe so far, they all act independently.

    Logging in to one does not give me access to the others.
    Logging out of one does not affect my status on the others.
    Logging in as Admin on one does not give me Admin rights on the others.
    That's good information above, I appreciate it. However, what I really want to know is what happens if several of the same user ID logins occur to the same app from different computers.

    Quote Originally Posted by Steve Wood View Post
    I don't think you can tweak S/F to deny all access based on currently active users. But you could easily do this in either a second phase, or first phase check.

    Second phase: Every time someone logs in, count the number of active sessions (there's a function for that), and if greater than x, redirect them to a page that logs them out and displays the reason.

    First phase: You could also do this by adding code to your login A5W page that got that active session count and inhibited the login component using an IF-ELSE statement at the proper place on the A5W page.
    But imagine that company A has purchased access to my information system for at most 10 concurrent users, and company B has purchased for 25 concurrent users. They are all in the same app. I need to know how many of company B are currently active.

    I know I can get the number of active sessions, but can I get a list of the user ID's that are active? If I log them in and log them out when they explicitly do that, I know I can track that, but I'm not sure if I can do that when there is a session timeout or they close the browser.

    With the list of user IDs of active sessions and comparing it to my company list, I could log them out immediately after they log on (although that seems wrong - they should never have been able to log in in the 1st place)


    Thanks.
    Regards,

    Ira J. Perlow
    Computer Systems Design





  14. #14
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,843

    Default Re: Concurrent Logins of same User ID's?

    Here's a couple random tests from two computers, in two different office locations at the same time. I'm also on the server through RDP, so I can see what session folders are created. (I'm omnipresent today).

    • Can log in from two computers and everything appears to remain independent.
    • Logging in on one does not give me automatic access on the second.
    • Logging out of one does not affect my other connection.
    • I checked Remember Me on one of the logins, does not affect my Remember Me status (or lack of it) on the other machine.
    • Changing some value on one machine (like the spelling of my name) is immediately reflected in the other machine when I refresh the browser (duh).
    • It created two different session folders, one for each machine.


    NOW - if you make multiple connections from the SAME computer (either two browsers or two tabs on the same browser) - you are logged in on ALL Pages if you log in on one. And you are LOGGED OUT of all pages if you log out of one.
    Steve Wood

  15. #15
    Volunteer Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,843

    Default Re: Concurrent Logins of same User ID's?

    With the list of user IDs of active sessions and comparing it to my company list, I could log them out immediately after they log on (although that seems wrong - they should never have been able to log in in the 1st place)
    I just don't know how you would do that across the board without affecting all connected users. You can't effectively change the S/F record for all users based on active sessions. If they are in the S/F with proper security, they have access when they log in. I think you have to work this without consideration of the S/F, in the way I described. You'd also want to make sure you choose the appropriate S/F login settings. You'd want to make sure their session ended as soon as they are idle x minutes, not waiting for them to close their browser, which they may never do.
    Steve Wood

  16. #16
    VAR csda1's Avatar
    Real Name
    Ira J Perlow
    Join Date
    Apr 2000
    Location
    Boston, Massachusetts, USA
    Posts
    3,530

    Default Re: Concurrent Logins of same User ID's?

    Hi Steve,

    Thanks for testing. That's very helpful.

    To clarify for others, that means the same user ID can log in as many times as they want to an application from many computers. This may not be a desirable operation when a user is paying for using your web application on a per concurrent user basis.

    Quote Originally Posted by Steve Wood View Post
    I just don't know how you would do that across the board without affecting all connected users. You can't effectively change the S/F record for all users based on active sessions. If they are in the S/F with proper security, they have access when they log in.
    I'm not sure I follow you 100%. I only want to log off selected active session users based on a criteria, not all users. I obviously can set a flag when they log in, and clear it if they log out, but don't think I can determine if the security framework has logged them off for any other reason.

    Without building a replacement security framework, I don't think this is doable unless Alpha gives us a function to return active session users, which shouldn't be difficult, I suspect.

    And it probably would be good for Alpha to add some other functions to make it easier to get supplementary info about the user that they can get via the browser. E.g. IP, browser type, OS type, referrer URL, and browser resolution.

    Another piece of information that is really difficult to ascertain is the total time a person has spent on your application. There are some applications that might be time based (especially for trial usages) so that you'd want to log them off after a certain number of minutes logged in for that session, or total cumulative time for all sessions. So you'd want to be able to get the length of time from their login to when they logged out or were logged out. Probably an event that is called when a user logs out or is logged out would allow you to capture the time spent on the system, and a separate ability to check for current time a user has been active on the system.
    Regards,

    Ira J. Perlow
    Computer Systems Design
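
The policies requested in posts #3 and #13 (refuse the second login, evict the least recently active session, cap sessions per user, cap concurrent seats per company) all depend on a server-side list of live sessions with idle expiry, which also answers the "closed the browser without logging out" case. The following is an added example in Python, not Alpha Five or Security Framework code and not from any poster; `SessionRegistry` and every name in it are hypothetical, the caller supplies the clock value, and `login()` is assumed to run only after the password check has passed.

```python
import secrets
from dataclasses import dataclass

DENY_NEW = "deny_new"          # post #3, option 1: refuse the second login
EVICT_OLDEST = "evict_oldest"  # options 3 and 4: drop the least recently active session

@dataclass
class Session:
    user_id: str
    company: str
    last_seen: float

class SessionRegistry:
    def __init__(self, idle_timeout, max_per_user=1, policy=DENY_NEW, company_seats=None):
        self.idle_timeout = idle_timeout          # seconds without a request
        self.max_per_user = max_per_user
        self.policy = policy
        self.company_seats = company_seats or {}  # company -> concurrent seat limit
        self.sessions = {}                        # session id -> Session

    def _expire(self, now):
        # A closed browser never reports a logout; idle expiry is the only signal.
        stale = [sid for sid, s in self.sessions.items()
                 if now - s.last_seen > self.idle_timeout]
        for sid in stale:
            del self.sessions[sid]

    def active(self, now, company=None):
        """Live sessions as (sid, Session) pairs, optionally for one company."""
        self._expire(now)
        return [(sid, s) for sid, s in self.sessions.items()
                if company is None or s.company == company]

    def login(self, user_id, company, now):
        """Returns (session id or None, reason). Credentials are checked by the caller."""
        mine = [(sid, s) for sid, s in self.active(now) if s.user_id == user_id]
        evict = None
        if len(mine) >= self.max_per_user:
            if self.policy == DENY_NEW:
                return None, "user already logged in"
            evict = min(mine, key=lambda pair: pair[1].last_seen)[0]
        seats = self.company_seats.get(company)
        # An evicted session frees its seat before the new one is counted.
        used = len(self.active(now, company)) - (1 if evict is not None else 0)
        if seats is not None and used >= seats:
            return None, "company seat limit reached"
        if evict is not None:
            del self.sessions[evict]
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[sid] = Session(user_id, company, now)
        return sid, "ok"

    def touch(self, sid, now):
        """Call on every request; False means the session expired or was evicted."""
        self._expire(now)
        s = self.sessions.get(sid)
        if s is None:
            return False
        s.last_seen = now
        return True

    def logout(self, sid):
        self.sessions.pop(sid, None)

if __name__ == "__main__":
    # Constructed scenario: company A bought 2 seats, 15-minute idle timeout.
    reg = SessionRegistry(idle_timeout=900, company_seats={"A": 2})
    print(reg.login("fred", "A", now=0))    # first login succeeds
    print(reg.login("fred", "A", now=10))   # second login is refused
    print(reg.login("fred", "A", now=902))  # first session idled out, so allowed
```

Because eviction and expiry only take effect when the evicted browser next calls `touch()`, every page request has to go through that check for the limit to hold.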




