Preventing multiple log ons by same user id.

vinsnash

I'm trying to use this rule to prevent the same user logging on multiple times. It doesn't seem to work. Any suggestions

If EXISTS SystemUser WHERE (SystemUser.LoginName=ThisRegularUser.LoginName AND SystemUser.ID<>ThisRegularUser.ID) Then REPORT ERROR 'User with this login ID already logged in.'

Thanks

Vins nash

vinsnash

A little more detail.

I need to prevent a user from sharing the login name and password with another user to allow a concurrent log in with the same name and password from another location.

The manual says the LoginName attribute of the LoginNotification contains the LoginName of the current user. How can I compare that with what has been entered in the login dialog to prevent a subsequent login with the same LoginName?

technopak

Hi Vins,

I think you are really up against it with this one !

I've tried to get various rules to fire based on LoginNotification attributes but the rules have no effect. It seems that the user must be logged in before a rule can be processed and actions such as REPORT ERROR seem to be processed before the login is complete. I cannot stop the login process

Even if it was possible to prohibit duplicate/multiple logins by checking against LoggedInRegularUser, there is a still big problem -

If your users don't logout correctly using the logout button, they continue to be LoggedIn as far as Aware is concerned for a period of time (not specified anywhere that I could find). So, if they simply close the browser rather than logout properly, they won't be able to login again until that period of time has elapsed and Aware logs them out.

Very tricky indeed !

I'll be watching this one with interest.

Peter

aware_support

The login notification is just this - a notification. It cannot prevent people from logging in.

If you want to prevent people from logging in write a process and add it as an initialisation process for the visual perspective for the access level. A REPORT ERROR in such a process would stop the login and issue an error. The process can refer to the user as a LoggedInRegularUser (or LoggedInSystemUser). Conceptually the login is considered successful (this is why you can use LoggedIn... user), but then a REPORT ERROR in the initialisation process is treated as a login abort.

technopak

Thanks support,

Can you confirm the time period for which a user is maintained as logged in after they exit the application by closing the browser window ?

Peter

vinsnash

I'm sorry but I don't follow this. I'm trying to stop a user from using another PC to log on when already logged on in an attempt to have two users editing the same set of records. Some of our member units are small enough that they will undoubtedly "step" on each others updates. From experience with other systems I know this will happen and I don't see an AwareIM "record locking" mechanism.

If LoggedInRegularUser, SystemUser, and Notification objects are set on the log in what test comparison will tell me that the user attempting a new log in is already a "LoggedInRegularUser" at that time?

I can conceive of setting a flag as part of a form initialization, but I don't see how a flag can be cleared on a 'save' or 'log out'.

Vins Nash

technopak

Vins,

It's easy enough to create a LoggedIn BO and by adding a rule to the login notification and logout notification you can post a User's ID into the LoggedIn BO at login and delete it at logout.

What you could then do is create rules on the LoggedIn BO which reports an error and then directs a user to the logged out page if the User ID of a user logging in already exists in the LoggedIn BO. This would prohibit multiple/concurrent logins.

But you still have the problem that the user can quit your app by just exiting the browser - and continue to be logged in by Aware. Subsequent login attempts (before Aware automatically logs your users out) will be prohibited by the technique suggested above.

So what I'm saying is that you can create a system to stop duplicate logins - but at the same time you are creating a huge problem if users don't logout properly using the logout button.

Peter

aware_support

The duration of the session is specified in the timeout settings in the Aware IM Control Panel.

It shouldn't matter, though. If you issue a REPORT ERROR in your initialisation process, they won't be able to get through to the first page.

technopak

Hi,

I'm happy that it is possible to prevent a user logging in if they are already logged in by the system.

The big problem I see is that many users don't bother to click the logout button to exit my apps - they simply close the browser, leaving them still logged in by Aware.

If a duplicate login preventer is in place, they will not be able to login again until the timeout period has expired. That can only lead to many incidents of discontent with the users.

I know that some Accounts Software Packages have a similar issue and what they do is they allow an administrator to clear the false logged in status of a user, but I wouldn't like to be the administrator for a system with many users experiencing this phenomenon :?

I think the 'close the browser/still logged in' behaviour makes duplicate login control almost an impossible task.

Good luck with it.

Peter

BobK

The duration of the session is specified in the timeout settings in the Aware IM Control Panel.

I am aware of this setting, but I still have users that appear logged-in and inactive long after this setting should have timed them out.

I have multiple queries with automatic refresh every several minutes.

My question is: would these automatic refreshes appear to the AwareIM server as activity and prevent the user from timing out?

Thanks,

aware_support

There is now the NMB_OF_SESSIONS function that can be used to check how many sessions the currently logged in user has. There is also a LOGOUT action that can forcefully logout the current user.

So if you want to prevent a user with the same name to login twice you can write an Init process that would look like this:

IF NMB_OF_SESSIONS(LoggedInSystemUser) > 1 Then HandleMultipleLoggedInUsers

The HandleMultipleLoggedInUsers process could look like this:

DISPLAY QUESTION 'There is already a logged in user with this name. Do you want to cancel his session and proceed with the login?'
If Question.Reply = 'Yes' Then
LOGOUT LoggedInSystemUser
ELSE
REPORT ERROR 'Login aborted'

The Init process MUST be specified as the initialisation process for the appropriate visual perspective.

The above implementation of the HandleMultipleLoggedInUsers process checks if this is the second login with the same name and if it is it asks the user a question whether to kick out the current user or not. If you just want to disallow login you can REPORT ERROR straight away, but the problem with this implementation is that if the current user went for coffee, noone else will be able to login in the meantime. In our experience the above implementation is the best. But it's up to you. The flexibility is there. NMB_OF_SESSIONS, LOGOUT and REPORT ERROR should be enough.l

hpl123

Support (or anyone using this solution),
I am using the solution and have a problem after the last step of the "HandleMultipleLoggedInUsers" process. After the report error is displayed, the user is forwarded to a login page which I don´t use and where they can´t log on and it looks no good and inconsistent. I am using a custom login page and would like them to be forwareded there instead, is this possible in some way?

Thanks

rocketman

Create a VP (call it for example go_away) make it look and feel like the rest of your app.

Just before the REPORT ERROR rule do a DISPLAY PERSPECTIVE and switch to the GO_away VP

hpl123

Thanks Rocketman, I did just that 🙂.

hpl123

hpl123 wrote
Support (or anyone using this solution),
I am using the solution and have a problem after the last step of the "HandleMultipleLoggedInUsers" process. After the report error is displayed, the user is forwarded to a login page which I don´t use and where they can´t log on and it looks no good and inconsistent. I am using a custom login page and would like them to be forwareded there instead, is this possible in some way?

Thanks

I have found a solution that does this (directs the canceled login attempt to a custom URL). See this post for details:
http://www.awareim.com/forum/viewtopic.php?p=27062#27062

hpl123

aware_support wrote
There is now the NMB_OF_SESSIONS function that can be used to check how many sessions the currently logged in user has. There is also a LOGOUT action that can forcefully logout the current user.

So if you want to prevent a user with the same name to login twice you can write an Init process that would look like this:

IF NMB_OF_SESSIONS(LoggedInSystemUser) > 1 Then HandleMultipleLoggedInUsers

The HandleMultipleLoggedInUsers process could look like this:

DISPLAY QUESTION 'There is already a logged in user with this name. Do you want to cancel his session and proceed with the login?'
If Question.Reply = 'Yes' Then
LOGOUT LoggedInSystemUser
ELSE
REPORT ERROR 'Login aborted'

The Init process MUST be specified as the initialisation process for the appropriate visual perspective.

The above implementation of the HandleMultipleLoggedInUsers process checks if this is the second login with the same name and if it is it asks the user a question whether to kick out the current user or not. If you just want to disallow login you can REPORT ERROR straight away, but the problem with this implementation is that if the current user went for coffee, noone else will be able to login in the meantime. In our experience the above implementation is the best. But it's up to you. The flexibility is there. NMB_OF_SESSIONS, LOGOUT and REPORT ERROR should be enough.l

The solution support detailed doesn´t work fully any longer or rather the LOGOUT action doesn´t work (just hangs the app). You have to use LOGOUT2 for it to work i.e same exact steps, processes etc. but use "LOGOUT2" (only so no LoggedInSystemUser etc.) instead of "LOGOUT LoggedInSystemUser".