Disallow simultaneous logins using the same credentials

I would like to prevent users from logging in simultaneously using the same username/password. What is the best way to do that?

I plan to implement the following behaviour:

  1. A user logs in

  2. The script checks whether there are already logged-in users with the same credentials

  3. If there are some, the script immediately logs them out.

Are there any caveats I should be aware of? How do I deal with the "allow autologin" option?

Why don’t you change your auth method to check for logged == false also? (where logged is a 0/1 flag for each user and you set it to 1 on each login and 0 on each logout)

I would do this with an accessFilter. Put your login page in the guest auth portion. That way if they try to go to the login page while logged in, they’ll be redirected back to the index.

Use CDbHttpSession; you can extend it so that there’s a field for the user id. In CWebUser::afterLogin (you can test if it’s autologin from cookie via $fromCookie) you can execute a delete command:

Yii::app()->db->createCommand("DELETE FROM `session_table` WHERE `id` != :session_id AND `user_id` = :user_id")->execute(array(':session_id' => Yii::app()->session->sessionID, ':user_id' => $this->id));

That is a great tip Y!!, thanks

Thanks for the answer Y!!. Your solution works, but only when a user does not have the autologin option enabled. Otherwise, when I delete the corresponding row from the session table, a user’s session will automatically renew on the next page refresh. I gotta figure out how to mark a user’s cookie as invalid.
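One way to mark an older autologin cookie as invalid, shown as an added example that is not part of any post in this thread: each interactive login issues a new per-user token, and a cookie-based login is refused unless the cookie carries the current one. It complements the session DELETE above. The `WebUser` class name, the `loginToken` state name and the `login_token_hash` column are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) schema:
// table `user` with columns `id` and `login_token_hash` (CHAR(64), nullable).
// Assumed config: 'user' => array('class' => 'WebUser', 'allowAutoLogin' => true).
class WebUser extends CWebUser
{
    // Hypothetical state name; its value travels in the autologin cookie.
    const TOKEN_STATE = 'loginToken';

    // Interactive login: issue a new token so cookies from earlier logins stop matching.
    public function login($identity, $duration = 0)
    {
        $token = bin2hex(random_bytes(32)); // PHP 7+
        // Only a hash is stored, so a database leak does not reveal usable tokens.
        Yii::app()->db->createCommand(
            'UPDATE `user` SET `login_token_hash` = :h WHERE `id` = :id'
        )->execute(array(':h' => hash('sha256', $token), ':id' => $identity->getId()));

        // Persistent identity states are copied into the session and, when
        // $duration > 0, into the autologin cookie.
        $identity->setState(self::TOKEN_STATE, $token);
        return parent::login($identity, $duration);
    }

    // Runs for interactive and cookie-based logins; returning false aborts the login.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) {
            return true; // credentials were just verified by the identity class
        }
        if (!isset($states[self::TOKEN_STATE]) || !is_string($states[self::TOKEN_STATE])) {
            return false; // cookie carries no token, or a malformed one
        }
        $stored = Yii::app()->db->createCommand(
            'SELECT `login_token_hash` FROM `user` WHERE `id` = :id'
        )->queryScalar(array(':id' => $id));
        if (!is_string($stored) || $stored === '') {
            return false; // unknown user or no active token
        }
        // Constant-time comparison (PHP 5.6+) against the hash of the cookie's token.
        return hash_equals($stored, hash('sha256', $states[self::TOKEN_STATE]));
    }
}
```

With this in place, a browser whose session row was deleted falls back to its cookie, fails the token check in `beforeLogin`, and stays a guest.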

I found this thread in the forum and I have a question concerning the problem. Is it possible to inform the user whose session I destroyed with the delete statement that he got logged out?

There must be a place in the application where the session is checked, or if the user is logged in. Probably that would be the best place to put that code, but I don’t know where this is…

I appreciate any help!