ColdFusion Talk (CF-Talk)
Force logout a user
Uday Patel 07/06/12 10:40 A

Hi,

I want to force logout a user if he logs in on another machine. I am using CF9 and session scope to track user logins. What are the possible ways of achieving this?

Thanks in advance


Bill Franklin 07/06/12 10:49 A

Just validate their CGI.remote_host against what is already being used for a valid session... then force a logout of the oldest session if the same user logs on more than once from different IP addresses.

Kind regards / Best regards,
Bill Franklin
Computer Integrated Mfg.
Bayer CropScience LP
8400 Hawthorne Road, Room 2447
Kansas City, MO 64120
Tel: +1 816 242 2148
Fax: +1 816 242 2047
E-mail: bill.franklin@bayer.com
Web: http://www.bayercropscience.com
Board of Management: Sandra E. Peterson, Chairwoman | Lykele van der Broek, Achim Noack, Rüdiger Scheitza, Michael A. Schulz
Chairman of the Supervisory Board: Werner Baumann
Registered office: Monheim am Rhein | Registration: Amtsgericht Düsseldorf, HRB 46985


Phillip Vector 07/06/12 10:54 A

Sorry to interject, what if the user uses a different computer with the same IP address?

----- Excess quoted text cut - see Original Post for more -----


Cameron Childress 07/06/12 11:46 A

On Sat, Jul 7, 2012 at 10:38 AM, Uday Patel <udayjpatel2002@gmail.com> wrote:
> I want to force logout a user if he logs in on another machine. I am using
> CF9 and session scope to track user logins. what are the possible ways
> of achieving this.

Unique CF sessions are tracked using either CF's internal CFID/CFTOKEN or JSessionID as a unique session identifier, depending on how you have configured it in the administrator. These are typically stored as cookies in the visitor's browser and are the single best way to determine "unique logins". The visitor's IP address is not a reliable tracking mechanism and should NOT be used for this.

The best/simplest way that I can think of to do this is that when the user logs into your website, store that session identifier (CFID/etc) in a database field along with that user's record in the database. Then, on each request, check that user's database record to see if the user's session identifier matches the one in the database. If it does not, log them out.

This does require an extra DB hit with each request, and could be replaced by a mechanism that lives in another shared scope like the application scope, but that will require significantly more effort. If your app does not have heavy load, using the database for this should be fine.

-Cameron

--
Cameron Childress
--
p: 678.637.5072
im: cameroncf
facebook <http://www.facebook.com/cameroncf> | twitter <http://twitter.com/cameronc> | google+ <https://profiles.google.com/u/0/117829379451708140985>


Bill Franklin 07/06/12 12:45 P

Surely checking only during your logon script would be smarter and more efficient than checking on EVERY REQUEST? I mean, how many times during a request does a user logon????

Kind regards / Best regards,
Bill Franklin


Cameron Childress 07/06/12 01:01 P

On Fri, Jul 6, 2012 at 12:45 PM, Bill Franklin <bill.franklin@bayer.com> wrote:
> Surely checking only during your logon script would be smarter and more
> efficient than checking on EVERY REQUEST? I mean, how many times during a
> request does a user logon????

If you want to log the old session out while the user is browsing around, you will need to observe every request that user makes. Checking during login will mean you are only able to kill the session during login, which is not what I understand the OP's problem to be.

Like I said there are ways around using the DB directly for this, but they will be more time consuming to construct.

-Cameron


Uday Patel 07/10/12 05:43 A

> Hi,
>
> I want to force logout a user if he logs in on another machine. I am
> using CF9 and session scope to track user logins. what are the
> possible ways of achieving this.
>
> Thanks in advance

Hi,

Thank you folks for your responses and suggestions. I spent my weekend playing around with this app on my personal network. This is what I did; maybe this helps someone. If you guys have some tips, tricks or suggestions, please let me know. I appreciate all you folks taking time to read and post messages.

Objective: User should be able to login on only one machine. If he tries to login from another machine, his old session should be terminated. I am using CF sessions for the purpose of tracking the user.

Solutions provided:

Check user's IP address: This might not work very well. What if the user is inside a network, or behind a proxy? I know my ISP in Canada keeps changing the IP address on my home network.

As Cameron mentioned CFID/CFTOKEN and that this is one single best way to determine unique logins, and I agree with this. But what if the user clears his cache? In that case his browser will get a new CFID/CFTOKEN from the CF server.

Roadblock: While I was playing around with this I started thinking, is there any way that we can get some information about the user's machine, like his MAC address (since we cannot rely on IP address or CFIDs, because these might change)? I googled around with no luck and then came back to my app. But this is one thing that I will explore later on.

What I did: I already had a logins table in my DB wherein I was making an entry each time a user logs in. I added two more columns here: logout_date and logout_by. These columns will be updated when a user logs out. He can click on the logout button or he will be logged out on session end. I also created dead_session_array and put this in application scope. Here I will keep adding all dead sessions. (Will explain this later.)

Scenario 1: User logs in on machine A. An entry is made in the logins table but logout_date and logout_by are empty. (If the user clicks on logout I update these two columns. If the session ends I have some code in onSessionEnd in Application.cfc which will update these two columns. When coding inside onSessionEnd, make sure you read the CF documentation: since onSessionEnd is a self-triggered CF event, only application and session scope are available inside, via applicationScope and sessionScope.) Now suppose the user goes to machine B. CF will provide him with a new CFID/CFTOKEN (sessionid). When he tries to login I will check in the logins table and show him a message that this user already has a session open on another machine. Provide him with a button (something like 'logout old session and continue logging on this machine'). When he clicks on this button I will update the logout_date and logout_by columns in the logins table for this user, and I will take this sessionid (of machine A, which I got from the logins table where I recorded it when he logged on machine A) and add this sessionid to application.dead_session_array. So the user successfully logs in on machine B, and I will make a new entry in the logins table with this new login data. Now when he goes to machine A and tries to do something, I will check if application.dead_session_array contains any sessionid. If it does and the sessionid matches the sessionid of machine A, logout this user simply by clearing his session scope. There was a good link about session scope by Ben Nadel: http://www.bennadel.com/blog/1847-Explicitly-Ending-A-ColdFusion-Session.htm. Clearing session scope does not mean that the user logs out. It depends how you design your application. In my case I simply put userObj in session scope. Clearing session scope will remove userObj from session scope. But people have different ideas and different ways of doing this.

Scenario 2: User logs in on machine A. I make an entry in the logins table with the logout_date and logout_by columns empty. Now he clears his cache and clicks on any link on my page. CF will again provide him with a new sessionId. This puts me again in the same situation as scenario 1: I have a user whose logout_date is empty, which means his session is still on. Provide him with a button which when clicked will update the logout_date column.

So in a nutshell this is the trick that I used. This way I hit the DB only once, during login; if there are any invalid or dead sessions, put them in application scope so that we can deal with them later.

Notes: sessionid is a combination of CFID and CFTOKEN


Cameron Childress 07/10/12 09:55 A

On Wed, Jul 11, 2012 at 5:40 AM, Uday Patel <udayjpatel2002@gmail.com> wrote:
> But what if user clears his cache in that case his browser will get new
> CFID/CFTOKEN from cf server.

Clearing cache does not clear cookies, it only clears cache. However, if they do clear their cookies then their session will end, they will be logged out, and they will be forced to login again, at which time you will record their new CFID/CFTOKEN. They will also be logged out of pretty much any and every other site they've logged into.

-Cameron


Bill Franklin 07/10/12 10:11 A

Unless you are dealing only with machines on your LAN, I don't know of any reliable method to obtain the MAC of remote computers... also I believe there is an issue with MAC address re-use, so uniqueness isn't guaranteed.

I doubt you'll find a solution that will work in 100% of the cases you could run across, unless you are dealing only with computers on a LAN.

Kind regards / Best regards,
Bill Franklin


Brian Kotek 07/13/12 01:02 A

MAC addresses, like IP addresses, can easily be spoofed, so using them as an identifier is a bad idea anyway.

On Tue, Jul 10, 2012 at 10:10 AM, Bill Franklin <bill.franklin@bayer.com> wrote:
>
> Unless you are dealing only with machines on your LAN, I don't know of any
> reliable method to obtain the MAC of remote computers...also I believe
> there is an issue with MAC address re-use, so uniqueness isn't guaranteed.
>


Byron Mann 07/11/12 01:11 A

Uday,

Can you expand on the reason for the single machine requirement?

Folks here may be able to provide an alternate direction or solution if we understand your reason for this restriction.

Regards,
Byron Mann
Lead Engineer and Architect
Hostmysite.com

On Jul 6, 2012 10:41 AM, "Uday Patel" <udayjpatel2002@gmail.com> wrote:
----- Excess quoted text cut - see Original Post for more -----


Uday Patel 07/11/12 08:19 A

> Uday,
>
> Can you expand on the reason for the single machine requirement?
>
> Folks here may be able to provide an alternate direction or solution if we
> understand your reason for this restriction.
>

Hi Byron,

Gathering some information about the user's machine was a thought that came to my mind while I was implementing this solution. But this was not my purpose. My aim was to have a user logged in on ONLY one machine at any given point.

Thanks & Regards,
Uday
Lead ColdFusion developer


Stephane Vantroyen 07/11/12 08:37 A

Hi Uday,

The CFID/CFTOKEN (or JSESSIONID) should indeed do the trick: when a user logs in to your site, you update a certain field in the DB with CFID/CFTOKEN, and store it into a session user structure (that you certainly already have for the userid, name or something equivalent). When the same user logs on from a different machine (or browser, but that has the same effect), you update this field again (which is the same field because it's the same user). You now just have to perform a check on every request (the onRequestStart method seems perfect for this) to see if the field from the DB matches the value defined in the user session struct. If not, onSessionEnd() etc.

----- Excess quoted text cut - see Original Post for more -----


Mark A. Kruger 07/13/12 09:38 A

This is pretty common. For example, applications that handle real time stock or commodity quotes have users bound by agreements that prohibit a single user name from having more than one active session. We handle this by using an application array of Users. When a user logs in we automatically check this array to see if there's a previous record. If there is we remove that session (logging out the "other guy") and allow the new login to connect.

Mark Kruger - CFG
CF Webtools
www.cfwebtools.com
www.coldfusionmuse.com
O: 402.408.3733 x105
E: mkruger@cfwebtools.com
Skype: markakruger
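The design that Cameron, Stephane and Mark converge on (bind the user record to the session identifier, compare on every request, evict the older session) and Uday's dead_session_array variant are the same mechanism, and it is easier to reason about in a few dozen lines than across the thread. The Python below is an added illustration written for this page; it is not code from the thread and not ColdFusion. SessionRegistry and its dictionaries (standing in for the logins table / application scope and for the per-client session scope) and the secrets-generated token (standing in for CFID/CFTOKEN) are assumptions. Hashing the identifier before storing it is an extra precaution the thread does not mention: a dump of the logins table then does not hand anyone a replayable session cookie.

```python
"""Single-active-session enforcement keyed on the session identifier, not the IP.

Added illustration for this thread (not ColdFusion code). The registry's dicts
stand in for the logins table / application scope; `sessions` stands in for
the per-client session scope that CF keeps for each CFID/CFTOKEN.
"""
from __future__ import annotations

import hashlib
import secrets


def fingerprint(session_id: str) -> str:
    """Digest of the session identifier (the CFID/CFTOKEN-style token).

    Storing the digest instead of the raw value means a leaked logins table
    cannot be turned into a working session cookie. (This hashing step is an
    addition; the thread stores the identifier as-is.)
    """
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


class SessionRegistry:
    def __init__(self) -> None:
        self.active: dict[str, str] = {}      # user_id -> fingerprint of the one session allowed to act
        self.dead: set[str] = set()           # evicted fingerprints awaiting cleanup (dead_session_array)
        self.sessions: dict[str, dict] = {}   # session_id -> session scope (CF session scope stand-in)

    def new_session(self) -> str:
        """A client arrives with no cookie; the server issues a fresh session id."""
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {}
        return session_id

    def login(self, session_id: str, user_id: str) -> bool:
        """Bind user_id to this session. Returns True if another session was evicted."""
        fp = fingerprint(session_id)
        previous = self.active.get(user_id)
        evicted = previous is not None and previous != fp
        if evicted:
            self.dead.add(previous)           # the "logout old session and continue" step
        self.active[user_id] = fp
        self.sessions[session_id]["user_id"] = user_id
        return evicted

    def check_request(self, session_id: str) -> bool:
        """Per-request check (onRequestStart): True if this session may continue.

        A session that was evicted, or whose fingerprint no longer matches the
        user's current binding, has its scope cleared, i.e. the user is logged out.
        """
        scope = self.sessions.get(session_id)
        if not scope or "user_id" not in scope:
            return False                      # unknown session or not logged in
        fp = fingerprint(session_id)
        if fp in self.dead or self.active.get(scope["user_id"]) != fp:
            scope.clear()                     # clear session scope, as in the thread
            self.dead.discard(fp)             # dead entry has done its job
            return False
        return True

    def end_session(self, session_id: str) -> None:
        """onSessionEnd analogue: release the binding if this session still holds it."""
        scope = self.sessions.pop(session_id, None)
        fp = fingerprint(session_id)
        self.dead.discard(fp)
        if scope and self.active.get(scope.get("user_id")) == fp:
            del self.active[scope["user_id"]]


def walk_through() -> dict:
    """Scenario 1 from the thread: login on machine A, then login on machine B."""
    reg = SessionRegistry()
    machine_a = reg.new_session()
    reg.login(machine_a, "uday")
    a_before = reg.check_request(machine_a)   # True: only session for this user
    machine_b = reg.new_session()             # new CFID/CFTOKEN on machine B
    evicted = reg.login(machine_b, "uday")    # True: A is pushed onto the dead list
    a_after = reg.check_request(machine_a)    # False: A's scope is cleared on its next request
    b_ok = reg.check_request(machine_b)       # True
    return {
        "a_before": a_before,
        "evicted": evicted,
        "a_after": a_after,
        "a_scope_cleared": reg.sessions[machine_a] == {},
        "b_ok": b_ok,
        "dead_list_drained": len(reg.dead) == 0,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Two points the walk-through makes concrete. First, check_request has to run on every request, as Cameron argued: with only a login-time check, machine A's session would stay usable until it expired on its own. Second, the registry here is process-local; with more than one CF instance the binding has to live in the shared database as Cameron describes, since an application-scope array on one server cannot see a login that happened on another.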
May 21, 2013