Allow same user to be logged in multiple times #53

Closed
michaelbromley opened this issue Jan 8, 2019 · 2 comments
@michaelbromley
Member

Currently, a user's session is invalidated if that same user starts a new session (e.g. by logging in on another browser). This is not expected behaviour and a single user should be allowed to log in on multiple clients.

It would perhaps be useful to return some indication of multiple logins for security purposes, and give the most recent session the opportunity to invalidate any other sessions. Research any existing best practices on this.

@michaelbromley
Member Author

In the last commit I just commented out the line which deletes any existing session for the user logging in.

Thinking about this further, I think concurrent sessions should always be allowed for Customers, since it would be common for a customer to log in from multiple devices, and we certainly don't want to kick them out of all the other devices on login.

For administrators, there might be some use case where the org does not want to allow concurrent sessions for a single user. Alternatively we could have a counter which shows the number of active sessions for that user. When it goes above 1, this could e.g. trigger a warning notice in the admin UI. Needs a bit more research.

michaelbromley moved this from To do to In progress in Beta, Apr 26, 2019
@michaelbromley
Member Author

Some research on this issue:

A good rule of thumb is to not allow more functionality than that which is needed. If your users are never going to connect more than one simultaneous session, disallowing it would reduce the risk of attack (as an attacker would not be able to conduct their attack while the user was logged in).

In our case it would be quite usual to want to be logged in from multiple browsers - e.g. laptop & phone.

The general consensus is that concurrent logins pose a negligible security risk for general web apps, whereas disallowing it poses significant usability issues.

E.g. StackExchange, Gmail and many (most?) large web apps allow concurrent logins without even a notice about it.

The argument for keeping track of concurrent logins is that it is a signal of possible account compromise. For e.g. a banking app, this makes more sense. In our case, it is a usual use-case.

If a developer wanted to track this anyway, I think the better way to go is to just publish events for login/logout and then allow a plugin to subscribe and track them.

Beta automation moved this from In progress to Done Apr 26, 2019