Hello everyone,
I need help with something that is happening to me in my magazine. As I understand it, if the session_check_ip parameter is On, it does not allow the same user to be logged into the system at different IPs, am I correct? I mean, it doesn’t allow concurrent sessions, right? If so, my site is not working well: it does allow it. I log in from a PC with a user and then from another PC with the same user, and it allows me without closing the session …
I am working with OJS 3.1.2
Hello @yusmelvis,
Please see this post here: What is "session_check_ip"? - #2 by ctgraham - for a more detailed explanation of how session_check_ip works.
-Roger
Public Knowledge Project staff
Hello @rcgillis
Yes, I already read that publication, and according to what I understood, this parameter should serve to prevent the same user from having the same active session on two different IPs, or did I misunderstand? But precisely that does not work for me …
Hi @yusmelvis,
Two concurrent sessions for the same user, using different IPs, will be possible regardless of whether the session_check_ip setting is active or not. What session_check_ip prevents is the same session from being accepted from different IP addresses. This can happen legitimately if users are behind a pool of firewalls, as often happens with users in China.
Regards,
Alec Smecher
Public Knowledge Project Team
@asmecher, thanks for the reply. To see if I understood: I can have the same user from different IPs, because in the end each session will have a different id, right? What session_check prevents is that the same session id cannot be used on different IPs. If so, it’s not what I was looking …
What I need to know is if there would be some way to implement that concurrent sessions are not allowed, that is, if I am already logged into one IP, it will not allow me to log in to another.
@asmecher, can you help me? Or someone who can?
Hi @yusmelvis,
I suppose you would need to extend the login form (by editing the code or writing a plugin) so that a login by a user would delete any existing session entries associated with the same account.
Regards,
Alec Smecher
Public Knowledge Project Team
Hi @asmecher,
Could you tell me which files I should modify to achieve this? I’m a little disoriented, but I urgently need to implement this functionality … And how can I get the information if a user is already logged into the system but from another IP?
Thanks
Hi @yusmelvis,
I can’t guide you through this in detail, but in brief, the file to look at is lib/pkp/classes/security/Validation.inc.php. The login function there handles logins to the system. You’ll want to add some code to the login process that uses the deleteByUserId function in SessionDAO before creating the new login session.
Regards,
Alec Smecher
Public Knowledge Project Team
Thanks @asmecher, I’ll start with the file you tell me. But a doubt: how can I know if the user already has an open session? Is there a function to tell me? Or some field in the database …
Hi @yusmelvis,
The sessions table contains this information (see the user_id column). You can access this table from PHP using the SessionDAO class.
Regards,
Alec Smecher
Public Knowledge Project Team
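
Added example, not part of the thread and not OJS code: a stand-alone Python/SQLite model of the two behaviours discussed above, showing that an IP check on a session id does not stop concurrent logins, while deleting the user's existing session rows at login does. The `session_id` and `ip_address` columns, the function names and the sample addresses are assumptions made for this illustration; only the `sessions` table and its `user_id` column are named in the thread.

```python
import secrets
import sqlite3

def open_store():
    # Stand-in for the sessions table; only user_id is named in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY,"
               " user_id INTEGER, ip_address TEXT)")
    return db

def login(db, user_id, ip, single_session=False):
    """Create a session row; optionally drop the user's existing rows first."""
    if single_session:
        # Models calling deleteByUserId before the new login session is created.
        db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
    session_id = secrets.token_hex(16)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (session_id, user_id, ip))
    return session_id

def accept_request(db, session_id, ip, session_check_ip=True):
    """Return the user_id a request is accepted as, or None if rejected."""
    row = db.execute("SELECT user_id, ip_address FROM sessions"
                     " WHERE session_id = ?", (session_id,)).fetchone()
    if row is None:
        return None  # session row was deleted or never existed
    user_id, bound_ip = row
    if session_check_ip and ip != bound_ip:
        return None  # same session id presented from a different address
    return user_id

def active_sessions(db, user_id):
    return db.execute("SELECT COUNT(*) FROM sessions WHERE user_id = ?",
                      (user_id,)).fetchone()[0]

def demo():
    db = open_store()
    pc1, pc2 = "192.0.2.10", "198.51.100.20"  # constructed sample addresses
    a = login(db, 7, pc1)
    b = login(db, 7, pc2)
    out = {"concurrent": active_sessions(db, 7),             # 2: both logins coexist
           "replayed_elsewhere": accept_request(db, a, pc2)}  # None: IP check
    c = login(db, 7, pc2, single_session=True)
    out["after_single_login"] = active_sessions(db, 7)        # 1
    out["old_session"] = accept_request(db, a, pc1)           # None: row deleted
    out["new_session"] = accept_request(db, c, pc2)           # 7
    return out

if __name__ == "__main__":
    print(demo())
```
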