Has anyone managed to implement a system that prevents multiple logins for the same user name/id? I had a solution working with user sessions pre-5.1/5.2. My solution involved deleting an old session identifier that was stored in the User table when a user logged in. However, my understanding is that Laravel >5.1 now rotates the session id to avoid session fixation, so this doesn't work.
I am using the db session handler for testing at this point. I have attempted to manually delete the session from the sessions table in the db to find that the user stays logged in because of the cookie no doubt.
How can I force other users logged in with the same credentials to be kicked off and ensure only one person per account is signed in at any given time? Any help is greatly appreciated.
If anyone is interested in a solution, I did the following that works.
First, I created a column in the User table called SingleUserToken. Whenever a user logs in, that field is updated to a random, size 16, string. At the same time, the same string is entered as part of the user's session under the SingleUserToken key.
I then created a middleware that runs on every request and protected route. The middleware simply verifies that the SingleUserToken value in the session matches the one in the database table. If they do not, the user is signed out.
This works because if the same credentials are used to log into a service, the SingleUserToken value on the database will change but the session value for the first user that is logged in will stay the same and thus not match on the next request, logging the user out and thus ensuring that only one user per user name/id/whatever can be logged in at a time.
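A sketch of the approach described in the post above, added here as an example and not the poster's own code. It assumes Laravel 5.2 or later (for the `Illuminate\Auth\Events\Login` event), a `SingleUserToken` column on the users table as in the post, and hypothetical class names and a `/login` path.

```php
<?php
// Example only: in a real app these two classes live in separate files
// (app/Listeners and app/Http/Middleware) and are registered in
// EventServiceProvider and the HTTP kernel. Class names are hypothetical.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\Events\Login;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;

class IssueSingleUserToken
{
    // Listener for the Login event: every successful login overwrites the
    // stored token, which implicitly revokes any older session.
    public function handle(Login $event)
    {
        $token = Str::random(16); // "random, size 16, string" from the post

        $event->user->forceFill(['SingleUserToken' => $token])->save();
        session(['SingleUserToken' => $token]);
    }
}

class EnforceSingleSession
{
    // Middleware for protected routes: compare session copy with DB copy.
    public function handle($request, Closure $next)
    {
        if (Auth::check()) {
            $stored  = (string) Auth::user()->SingleUserToken;
            $session = (string) $request->session()->get('SingleUserToken', '');

            // An empty stored token never matches, so accounts that predate
            // the column are forced through a fresh login. hash_equals
            // keeps the comparison constant-time.
            if ($stored === '' || ! hash_equals($stored, $session)) {
                Auth::logout();
                $request->session()->invalidate(); // drop stale session data
                return redirect()->guest('/login'); // assumed login path
            }
        }

        return $next($request);
    }
}
```

Because the check keys on a value the application controls rather than the framework's session id, it is unaffected by session id rotation on login.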