Deny simultanous Login with the same username

Dear Community.
How can I prevent several people from logging in at the same time with the same access data?
I cannot prevent the access data from being passed on to others, who can then view content for members. It should be possible to compare the user name entered into the login form with the user name currently logged in.
I thought something like:
if($_POST[‘username’] == $uinfo->getUserName()) {echo ‘User is allready logged in.’;} else → forward to login…

Thanks in advance


There was an addon designed for this purpose. I had a look and couldn’t find it. Maybe it was back on c5.6 in the now disappeared 5.6 marketplace.

(vague recollection here) I think it worked by creating a signature of a login including the IP address and comparing the ongoing interactions with that signature. A second login would have a different signature and be rejected. The signature would be cleaned on logout.

It wasn’t perfect. A user who left their PC without logging out and went to another PC could get blocked. There was some kind of time gate on the stickiness to help avoid that scenario.

@mnakalay has done a lot of work with authentication and may remember more.

Wasn’t that @mnakalay that had that 5.6 package ??

Yes, I had found the block, but there is no update. ( Simultaneous Login Killer)

But yesterday I discovered by chance that I couldn’t log in to the community twice… I had forgotten to log out on my Mac and later I tried to log in with my iPhone. Then I was redirected to a page that said “You are allready logged in” and underneath was ONLY a logout button. So I had to log out before I could log in.

Is the community running with C5.9? Maybe that a new feature.

I also found this article on the subject:

Yes, that was it. Reading the marketplace, it doesn’t work anything like I thought I remembered. Much cleverer.

@enlil I’m honored you remembered it was my package :slight_smile:
What the package did is now included in the core. You can set it so a user gets logged out if their IP or user agent changes mid session.

That’s nice of you to share it with us. But how do I do that? It doesn’t seem to me to be done with a few lines of code in PHP. Is there a specific file in the core that needs to be changed?

Ahh, /dashboard/system/registration/automated_logout

Yes, it looks good, but it doesn’t seem to work. I can log in with my Mac (telekom) AND with my IPhone (vodafone) - each with different IPs and different browsers - with the same log in data.

It can’t be that difficult to list all logged-in users and systematically check whether a user who wants to log in is already logged in. You can do the same with Spotify.

That’s strange. It worked for me. I was working with a client using the same account and we kept getting logged out until I changed that parameter.

Normally what should happen is, once the second device is logged in, if you return to the first one it gets logged out. If you log back into the first device and go back to the second one it gets logged out.

Yes, that’s strange. I also unchecked both boxes, saved them and checked them again. No success. Clearing the cache memory didn’t help either.
Well, I’ll keep thinking about it. Sometimes it’s something really simple. And the forum here has never really let me down… :wink:

Things like routers and proxies confuse the IP address. It could be both devices are seen as having the same IP address.

No, if I display the IPs on the login page, I can see that they are different. One connection is via landline, the other is a 5G connection without a router.
I have also come up with a function that allows certain IP ranges to access premium content (university libraries etc.). These addresses are also clear and unambiguous.