A very simple question, but a much more complex problem ;)
In reality this is a very tough nut to crack if you try and solve it programmatically; almost every measure you can come up with has a counter-measure, or a potential flaw. If you try and base it on IP address then users can obscure their IP addresses by various methods. If you try and do it based on usage pattern and frequency analysis then you run the risk of locking out the wrong users.
In short, there are only 2 ways I have found to achieve what you need -
1) Client side certificates, whereby an SSL certificate is given to a user to install on their machine, which prevents another user from using the application with the same credentials from another machine.
2) A hardware device (such as an RSA keyfob etc) which generates a point-in-time challenge-response code which is used as part of the user login process (therefore a username/password could be shared, but the 2nd user would not know the correct challenge-response sequence).
I promise you, if you try and solve this programmatically in some other way, you're going down a road paved with problems, whereby you'll either do something that can still be defeated or your users will hate you because you lock out the wrong person from time to time.
Just my thoughts, hopefully others will chime in too.
Author of Pro Application Express: http://tinyurl.com/3gu7cd
REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!
Hi John, thanks for your reply.
The problem is not to allow a user to log in only from trusted IPs/machines, but to allow a user ID to have only one, let me say "active" or "last active", APEX session, for some reasons.
Using some techniques based on PKI is the best way (I believe so), but not for this application, or maybe not for now.
What you describe sounds simple:
Log out all older sessions for a user when they log in.
In practice, if you have 2 users using the same login, they will both keep logging back in and logging the other out.
If you could set something up so that any activity on a session will log out/deactivate any newer session for the same user, that might be more effective.
Not sure how you would implement it though.
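As an added example that is not part of the thread, the following Python model implements both policies just described side by side: the simple "last login wins" rule, which produces the ping-pong the reply warns about when two people share a login, and the "activity on an older session deactivates newer sessions" rule, with an idle timeout added so an abandoned older session cannot lock the real user out indefinitely. The in-memory store, the logical clock and the function names are assumptions for the demonstration; an APEX application would keep the same state in a table keyed by user and session id and check it in a page-level process, in PL/SQL rather than Python.

```python
# Added example (not from the thread): an in-memory model of the two
# "one active session per user" policies discussed above. The store,
# the logical clock and the names below are assumptions for illustration.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    session_id: str
    user: str
    created_at: int      # logical clock tick of the login
    last_activity: int   # logical clock tick of the most recent request
    active: bool = True


class SessionStore:
    """Tracks sessions per user and enforces one of two policies.

    "last_login_wins": a new login deactivates every older active session
                       of the same user (two people sharing a login keep
                       logging each other out).
    "activity_wins":   activity on a session deactivates every *newer*
                       session of the same user; an idle timeout keeps an
                       abandoned older session from blocking the user forever.
    """

    def __init__(self, policy: str = "last_login_wins", max_idle: int = 10):
        if policy not in ("last_login_wins", "activity_wins"):
            raise ValueError(f"unknown policy: {policy}")
        self.policy = policy
        self.max_idle = max_idle
        self.sessions: Dict[str, Session] = {}
        self.clock = 0  # constructed logical clock instead of wall time

    def _tick(self) -> int:
        self.clock += 1
        return self.clock

    def _expire_idle(self) -> None:
        # Any session without activity for more than max_idle ticks is dropped.
        for s in self.sessions.values():
            if s.active and self.clock - s.last_activity > self.max_idle:
                s.active = False

    def idle(self, ticks: int) -> None:
        """Let time pass with no requests at all (constructed clock)."""
        self.clock += ticks

    def login(self, user: str) -> str:
        now = self._tick()
        self._expire_idle()
        if self.policy == "last_login_wins":
            for other in self.sessions.values():
                if other.user == user and other.active:
                    other.active = False
        sid = secrets.token_hex(16)  # unguessable session identifier
        self.sessions[sid] = Session(sid, user, now, now)
        return sid

    def touch(self, session_id: str) -> bool:
        """Record a request on a session; False means the caller must log in again."""
        now = self._tick()
        self._expire_idle()
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return False
        s.last_activity = now
        if self.policy == "activity_wins":
            for other in self.sessions.values():
                if (other.user == s.user and other.active
                        and other.created_at > s.created_at):
                    other.active = False
        return True

    def is_active(self, session_id: str) -> bool:
        s = self.sessions.get(session_id)
        return s is not None and s.active

    def active_sessions(self, user: str) -> List[str]:
        return [s.session_id for s in self.sessions.values()
                if s.user == user and s.active]


def demo_last_login_wins() -> Tuple[bool, bool, bool]:
    """Two people sharing 'alice' keep evicting each other."""
    store = SessionStore("last_login_wins")
    a = store.login("alice")
    b = store.login("alice")    # evicts a
    a_again = store.login("alice")  # the first person logs back in, evicts b
    return store.is_active(a), store.is_active(b), store.is_active(a_again)


def demo_activity_wins() -> Tuple[bool, bool, bool, bool]:
    """Older active session wins; an idle older session eventually expires."""
    store = SessionStore("activity_wins", max_idle=3)
    a = store.login("alice")
    b = store.login("alice")
    store.touch(b)                      # newer session cannot evict the older one
    a_survives = store.is_active(a)
    store.touch(a)                      # activity on the older session evicts b
    b_evicted = not store.is_active(b)
    store.idle(3)                       # a now idle longer than max_idle
    c = store.login("alice")            # a is expired, c becomes the only session
    return a_survives, b_evicted, store.is_active(a), store.is_active(c)


if __name__ == "__main__":
    print("last_login_wins:", demo_last_login_wins())
    print("activity_wins:  ", demo_activity_wins())
```

The idle timeout is the piece that makes the second policy usable: without it, a user whose browser crashed would be unable to get a working session until the dead one was cleaned up by hand, because under "activity wins" a fresh login never evicts the older session on its own.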