
    Concurrent Logins of same User ID's?

    When multiple logins using the same user ID occur on the WAS, I believe there is nothing stopping this.

    Assuming it was possible to use multiple logins with the same ID, would it be possible to programmatically do the following:
    1. keep the new user from logging on, or
    2. shut down the other user login and allow the current one to continue
    If this is not possible (well easily anyway), it should be a feature of the security framework.

    Thanks!
    Regards,

    Ira J. Perlow
    Computer Systems Design


    CSDA A5 Products
    New - Free CSDA DiagInfo - v1.39, 30 Apr 2013
    CSDA Barcode Functions

    CSDA Code Utility
    CSDA Screen Capture



    #2
    Re: Concurrent Logins of same User ID's?

    The security framework by default does not allow duplicate user IDs to be assigned in the same project. If you have multiple projects, it is possible to use the same ID in different projects as they don't share security.

    However, there is currently nothing to prevent the same user from logging in on multiple computers using the same id. Each browser instance opens in its own session and all security info runs in memory based on that session. The only way to determine if the user is logged in on another session is to search all open sessions, which would be problematic on a large system. Nothing is written to a file during login.

    If the user is working on one computer and the session on the other computer times out, the security information is cleared on the other session. If they have remember me selected, they can be automatically logged in on the current session. If they open the original session with remember me, they would automatically be logged in on that session.
    Last edited by JerryBrightbill; 08-09-2007, 02:51 PM.



      #3
      Re: Concurrent Logins of same User ID's?

      Hi Jerry,

      It's not a question of allowing duplicate IDs, it's whether 2 people at 2 different computers can log in at the same time with the same user ID. If this is something the security framework can't handle, perhaps it should (via user_id alias or similar).

      The most common case is either 2 or more persons are sharing the same ID (not normally desired but does fit the paradigm in some situations) or, more likely, did not log out from their previous computer (say the one at work versus home).

      I'd like us to be able to have a security framework choice of
      1. Not allowing the 2nd login
      2. Prompting the 2nd login as to whether to log out the 1st login, and if yes, logging out the 1st instance of the user ID and logging in the 2nd
      3. Automatically logging out the 1st user and logging in the 2nd user
      4. Allow as many duplicate user ID logins up to a specified maximum - In this case it would not be normally possible to log off the earlier logins unless you wanted to log off based upon oldest last activity.
      Finally, I'd like to do a check prior to logging a user in to see how many concurrent users from his group (company) are logged in (or potentially other criteria) and if it is larger than their maximum, deny access to that login.
      Regards,

      Ira J. Perlow
      Computer Systems Design




        #4
        Re: Concurrent Logins of same User ID's?

        Not sure if this is relevant, but I believe all online email accounts allow multiple simultaneous logins to the same account as long as they are from different machines. I have never tried this with my bank/credit card accounts but the same principle may apply. I assume the "server" (i.e. typical web applications) does not want to track current logins to avoid problems of inadvertently locking valid users out. How can you tell if someone, say, closed the browser without pressing "logout"?
        Peter
        AlphaBase Solutions, LLC

        https://www.alphabasesolutions.com




          #5
          Re: Concurrent Logins of same User ID's?
          I think what Ira is concerned about can be displayed with the diagram below:

          Example - 3 separate people at 3 separate computers logging in to the same Web App at the same time as the SAME USER and having equal security access designated to that user.


          Fred logs in as User 1 ----
                                     \
          John logs in as User 1 ------ XYZ Co. Web App
                                     /
          Mary logs in as User 1 ----

          There should be a way to prevent this from happening (i.e. Stolen or Shared IDs)

          Mike



            #6
            Re: Concurrent Logins of same User ID's?

            Mike,

            If Fred closes his browser w/o logging out, how does the server know not to let John in?
            Peter
            AlphaBase Solutions, LLC



              #7
              Re: Concurrent Logins of same User ID's?

              Not knowing but what I have experienced this must be possible as Yahoo Messenger limits a login to one person no matter what PC that person is on--I have many times kicked myself off of my main PC's Yahoo when logging in with the same user ID while on my laptop...so only ONE user ID logged on is allowed at any given time.
              Mike
              __________________________________________
              It is only when we forget all our learning that we begin to know.
              It's not what you look at that matters, it's what you see.
              Henry David Thoreau
              __________________________________________





                #8
                Re: Concurrent Logins of same User ID's?

                Originally posted by MikeC
                Not knowing but what I have experienced this must be possible as Yahoo Messenger limits a login to one person no matter what PC that person is on--I have many times kicked myself off of my main PC's Yahoo when logging in with the same user ID while on my laptop...so only ONE user ID logged on is allowed at any given time.

                Yahoo Messenger is a completely different model than a web application. Web Applications are disconnected. The only time a connection exists is when data is being sent (a link was clicked). With YM, there is a persistent connection being kept open. When the connection goes away, the user has logged out. If someone logs into another place, YM can close the old connection.
                Aaron Brown
                Alpha Software Development Team



                  #9
                  Re: Concurrent Logins of same User ID's?

                  If more than one user has obtained the same login and password, you already have a serious security breach and no system will protect you from abuse.

                  The current system can be configured to limit the login time to the session, until the user closes the browser, or for some specified time. If this is a significant concern, set the expiration to the session or until the browser closes. When the session times out, or the user closes the browser, they are automatically logged off and must log in again regardless of what computer they use.

                  The remember me functionality should perhaps be called automatic login, since it will automatically log in the last user logged in from the specific computer if it is configured and was selected at login. While that gives the appearance of persistence, they are actually logged out automatically when the session times out. The next time they make a request to the server from the same computer, if remember me was selected, their information is used to log them in behind the scenes.



                    #10
                    Re: Concurrent Logins of same User ID's?

                    Hi Jerry,

                    You still haven't answered (at least clearly) my initial question.
                    What happens in the current implementation of the security framework when the 2nd login of the same user ID logs in assuming the timeout of the 1st login has not yet occurred? Does it permit it, is there a meaningful message that says it is denied or what?
                    The timeout cannot be set too low, otherwise it would be extremely annoying to anyone who is logged in. The normal case (as I stated before) is the 2nd user is really the same as the 1st user that never logged out at the 1st station. This is not a breach of security of the user ID. They do not want to have to return to the 1st computer or can't (e.g. business is locked up) but neither do they want to wait for the timeout. This is a feature that I (and I expect other developers would want) to conditionally allow for some specific applications and not for others.

                    There is also the more odd case (I don't like it personally but then I am not the client) where the distribution of separate user IDs/passwords is not practical in a large organization. In that odd case, they hand out essentially the used id/password of the week to all, hence the need for allowing multiple logins up to an allowed count.

                    In either case, since sometimes the web server is acting as a paid service, there needs to be a way to establish the total numbers of current users (the same or different login IDs) that are currently logged in and that are not timed out that meet a criteria from some developer's table (e.g. the number logged in from a single company) and use that as an additional validation as to whether they can login or not. That means we need to be able to get the current list of logged in users, and compare that to the criteria from our table, and deny the log in request even if it met the user id & password. Can this be done?

                    Thanks!
                    Regards,

                    Ira J. Perlow
                    Computer Systems Design




                      #11
                      Re: Concurrent Logins of same User ID's?

                      See if this helps. When a user logs in, capture their IP address (assuming they are not behind a firewall/proxy etc., it will be unique). Use that to indicate that different *people* are trying to log on at the same time with the same user name.

                      Plan B. Use a secondary password to challenge the user with the password to make sure they really are that user, make it change automatically to prevent guessing (I do this myself).

                      Plan C. If you know the location (e.g. they always access from a corp computer) you could place a cookie-like file on that person's computer that your login procedure could check for (I'm pondering this option for my users).

                      Good luck.



                        #12
                        Re: Concurrent Logins of same User ID's?

                        Ira, I can test these scenarios out. I have five apps on the same server, all with the same username/pwd for my login. One is v7 style security, the others use S/F. From what I observe so far, they all act independently.

                        Logging in to one does not give me access to the others.
                        Logging out of one does not affect my status on the others.
                        Logging in as Admin on one does not give me Admin rights on the others.

                        That means we need to be able to get the current list of logged in users, and compare that to the criteria from our table, and deny the log in request even if it met the user id & password. Can this be done?
                        I don't think you can tweak S/F to deny all access based on currently active users. But you could easily do this in either a second phase, or first phase check.

                        Second phase: Every time someone logs in count the number of active sessions (there's a function for that), and if greater than x, redirect them to a page that logs them out and displays the reason.

                        First phase: You could also do this by adding code to your login A5W page that got that active session count and inhibited the login component using an IF-ELSE statement at the proper place on the A5W page.
                        Steve Wood
                        See my profile on IADN



                          #13
                          Re: Concurrent Logins of same User ID's?

                          Hi Steve,

                          Originally posted by Steve Wood
                          I have five apps on the same server, all with the same username/pwd for my login. One is v7 style security, the others use S/F. From what I observe so far, they all act independently.

                          Logging in to one does not give me access to the others.
                          Logging out of one does not affect my status on the others.
                          Logging in as Admin on one does not give me Admin rights on the others.

                          That's good information above, I appreciate it. However, what I really want to know is what happens if several of the same user ID logins occur to the same app from different computers.

                          Originally posted by Steve Wood
                          I don't think you can tweak S/F to deny all access based on currently active users. But you could easily do this in either a second phase, or first phase check.

                          Second phase: Every time someone logs in count the number of active sessions (there's a function for that), and if greater than x, redirect them to a page that logs them out and displays the reason.

                          First phase: You could also do this by adding code to your login A5W page that got that active session count and inhibited the login component using an IF-ELSE statement at the proper place on the A5W page.

                          But imagine that company A has purchased access to my information system for at most 10 concurrent users, and company B has purchased for 25 concurrent users. They are all in the same app. I need to know how many of company B are currently active.

                          I know I can get the number of active sessions, but can I get a list of the user IDs that are active? If I log them in and log them out when they explicitly do that, I know I can track that, but I'm not sure if I can do that when there is a session timeout or they close the browser.

                          With the list of user IDs of active sessions and comparing it to my company list, I could log them out immediately after they log on (although that seems wrong - they should never have been able to log in in the 1st place)


                          Thanks.
                          Regards,

                          Ira J. Perlow
                          Computer Systems Design




                            #14
                            Re: Concurrent Logins of same User ID's?

                            Here's a couple random tests from two computers, in two different office locations at the same time. I'm also on the server through RDP, so I can see what session folders are created. (I'm omnipresent today).
                            • Can log in from two computers and everything appears to remain independent.
                            • Logging in on one does not give me automatic access on the second.
                            • Logging out of one does not affect my other connection.
                            • I checked Remember Me on one of the logins, does not affect my Remember Me status (or lack of it) on the other machine.
                            • Changing some value on one machine (like the spelling of my name) is immediately reflected in the other machine when I refresh the browser (duh).
                            • It created two different session folders, one for each machine.


                            NOW - if you make multiple connections from the SAME computer (either two browsers or two tabs on the same browser) - you are logged in on ALL Pages if you log in on one. And you are LOGGED OUT of all pages if you log out of one.
                            Steve Wood
                            See my profile on IADN



                              #15
                              Re: Concurrent Logins of same User ID's?

                              With the list of user IDs of active sessions and comparing it to my company list, I could log them out immediately after they log on (although that seems wrong - they should never have been able to log in in the 1st place)

                              I just don't know how you would do that across the board without affecting all connected users. You can't effectively change the S/F record for all users based on active sessions. If they are in the S/F with proper security, they have access when they log in. I think you have to work this without consideration of the S/F, in the way I described. You'd also want to make sure you choose the appropriate S/F login settings. You'd want to make sure their session ended as soon as they are idle x minutes, not waiting for them to close their browser, which they may never do.
                              Steve Wood
                              See my profile on IADN
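
An added example, not part of any post in this thread and not Alpha Anywhere code: a Python model of the server-side session registry the thread asks for, covering the deny-second-login and evict-oldest choices, a per-user maximum and a per-company seat cap, with idle expiry standing in for the logout a closed browser never sends. `SessionRegistry`, `Policy`, `LoginDenied` and the caller-supplied `now` timestamp (seconds) are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
import secrets


class Policy(Enum):
    DENY_NEW = "deny"          # refuse the new login while an older one is live
    EVICT_OLDEST = "evict"     # log out the least recently active session


class LoginDenied(Exception):
    pass


@dataclass
class Session:
    token: str
    user_id: str
    group: str
    last_seen: float


class SessionRegistry:
    """Server-side record of live sessions (hypothetical, not an Alpha API)."""

    def __init__(self, idle_timeout, per_user_max=1,
                 policy=Policy.DENY_NEW, group_caps=None):
        self.idle_timeout = idle_timeout      # seconds of silence = logged out
        self.per_user_max = per_user_max      # concurrent sessions per user ID
        self.policy = policy
        self.group_caps = group_caps or {}    # e.g. seats bought per company
        self._sessions = {}                   # token -> Session

    def _expire(self, now):
        # A closed browser never sends a logout, so idle time is the only signal.
        for token, s in list(self._sessions.items()):
            if now - s.last_seen >= self.idle_timeout:
                del self._sessions[token]

    def active(self, now, user_id=None, group=None):
        """Live sessions, optionally filtered by user ID or group."""
        self._expire(now)
        return [s for s in self._sessions.values()
                if user_id in (None, s.user_id) and group in (None, s.group)]

    def login(self, user_id, group, now):
        """Call after the password check; returns a token or raises LoginDenied."""
        mine = sorted(self.active(now, user_id=user_id), key=lambda s: s.last_seen)
        evict = []
        if len(mine) >= self.per_user_max:
            if self.policy is Policy.DENY_NEW:
                raise LoginDenied(f"{user_id} is already logged in")
            evict = mine[:len(mine) - self.per_user_max + 1]
        cap = self.group_caps.get(group)
        if cap is not None:
            # Sessions about to be evicted free their seat before the count.
            others = [s for s in self.active(now, group=group) if s not in evict]
            if len(others) >= cap:
                raise LoginDenied(f"{group} has reached its limit of {cap}")
        for s in evict:
            del self._sessions[s.token]
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user_id, group, now)
        return token

    def touch(self, token, now):
        """Run on every request; False means evicted, expired or logged out."""
        self._expire(now)
        s = self._sessions.get(token)
        if s is None:
            return False
        s.last_seen = now
        return True

    def logout(self, token):
        self._sessions.pop(token, None)
```

Because the seat check runs inside `login`, an over-limit user is refused before a session exists instead of being logged in and then redirected out.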
