4 Replies Latest reply: May 20, 2009 8:02 AM by MickleSh

    Deny multiple authentication for a single user

      Hi, forum
      I'm very new to Apex, so forgive me for what may be a very simple question.
      I have an application with a login page (user/password).

      I want to deny multiple logins for a single user ID (from different browsers/machines etc).

      For example, I expect the application to work as described here:
      The user connects to the app from machine A, enters his UID and password, and accesses the app.
      Then he (or someone else ;-)) connects from machine B with the same UID/password.
      Now, if the user tries to use the app from A, he is redirected to the login page.

      Can someone provide me some clues how to solve this problem? Is there any internal APEX mechanism?
      Apex 3.1.2, DB: 10.2

      Regards, michael
        • 1. Re: Deny multiple authentication for a single user
          John Edward Scott

          A very simple question, but a much more complex problem ;)

          In reality this is a very tough nut to crack if you try and solve it programmatically; almost every measure you can come up with has a counter-measure, or a potential flaw. If you try and base it on IP address then users can obscure their IP addresses by various methods. If you try and do it based on usage pattern and frequency analysis then you run the risk of locking out the wrong users.

          In short, there are only 2 ways I have found to achieve what you need -

          1) Client side certificates, whereby an SSL certificate is given to a user to install on their machine, which prevents another user from using the application with the same credentials from another machine.

          2) A hardware device (such as an RSA keyfob etc) which generates a point-in-time challenge-response code which is used as part of the user login process (therefore a username/password could be shared, but the 2nd user would not know the correct challenge-response sequence).

          I promise you, if you try and solve this programmatically in some other way, you're going down a road paved with problems, whereby you'll either do something that can still be defeated or your users will hate you because you lock out the wrong person from time to time.

          Just my thoughts, hopefully others will chime in too.

          Blog: http://jes.blogs.shellprompt.net
          Work: http://www.apex-evangelists.com
          Author of Pro Application Express: http://tinyurl.com/3gu7cd
          REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!
          • 2. Re: Deny multiple authentication for a single user
            Hi, John, thanks for your reply
            The problem is not to allow a user to log in only from trusted IPs/machines, but to allow a user ID to have only one, let me say "active" or "last active", APEX session, for various reasons.

            Using techniques based on PKI is the best way (I believe so), but not for this application, or maybe not for now.

            best wishes
            • 3. Re: Deny multiple authentication for a single user
              Hi Michael,

              What you describe sounds simple:
              Log out all older sessions for a user when they log in.

              In practice, if you have 2 users using the same login, they will both keep logging back in and logging the other out.

              If you could set something up so that any activity on a session will log out/deactivate any newer session for the same user, that might be more effective.

              Not sure how you would implement it though.


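The two policies discussed in reply 3 ("log out all older sessions for a user when they log in" and the alternative where activity on an older session deactivates any newer one), as an added example that is not part of the thread and not an APEX built-in: a small PL/SQL package for Oracle 10.2 that tracks one row per APEX session and answers, on every page request, whether the calling session is the one the user is allowed to use. The table name APP_USER_SESSION, the package name SINGLE_SESSION, the login page number 101 and the APEX process points in the trailing comments are assumptions; the APEX side is sketched in comments because process bodies are not stand-alone SQL.

```sql
-- Added example (not from the thread): one active APEX session per user,
-- implemented in plain PL/SQL against Oracle 10.2. Assumed names: table
-- APP_USER_SESSION, package SINGLE_SESSION, login page 101; the APEX
-- processes that call the package are sketched in comments at the end.

CREATE TABLE app_user_session (
  username     VARCHAR2(255) NOT NULL,
  session_id   NUMBER        NOT NULL,   -- APEX :APP_SESSION
  logged_in_at DATE          NOT NULL,
  last_seen_at DATE          NOT NULL,
  CONSTRAINT app_user_session_pk PRIMARY KEY (session_id)
);
CREATE INDEX app_user_session_user_ix ON app_user_session (username);

CREATE OR REPLACE PACKAGE single_session AS
  -- Record a successful login; call from a post-authentication process.
  PROCEDURE register_login (p_username IN VARCHAR2, p_session_id IN NUMBER);

  -- TRUE if p_session_id is the one session this user may use right now.
  --   'NEWEST_LOGIN' : the most recent login wins; every older session is
  --                    bounced to the login page on its next request.
  --   'OLDEST_ACTIVE': the oldest session seen within p_idle_minutes wins;
  --                    a newer login only takes over once it has gone idle.
  FUNCTION is_active (p_username     IN VARCHAR2,
                      p_session_id   IN NUMBER,
                      p_policy       IN VARCHAR2 DEFAULT 'NEWEST_LOGIN',
                      p_idle_minutes IN NUMBER   DEFAULT 30) RETURN BOOLEAN;
END single_session;
/

CREATE OR REPLACE PACKAGE BODY single_session AS

  PROCEDURE register_login (p_username IN VARCHAR2, p_session_id IN NUMBER) IS
  BEGIN
    -- Drop this user's long-idle rows so the table does not grow forever,
    -- and any earlier row for this session id (re-login in the same session).
    DELETE FROM app_user_session
     WHERE (username = p_username AND last_seen_at < SYSDATE - 1)
        OR session_id = p_session_id;
    INSERT INTO app_user_session (username, session_id, logged_in_at, last_seen_at)
    VALUES (p_username, p_session_id, SYSDATE, SYSDATE);
  END register_login;

  FUNCTION is_active (p_username     IN VARCHAR2,
                      p_session_id   IN NUMBER,
                      p_policy       IN VARCHAR2 DEFAULT 'NEWEST_LOGIN',
                      p_idle_minutes IN NUMBER   DEFAULT 30) RETURN BOOLEAN IS
    l_active_id app_user_session.session_id%TYPE;
  BEGIN
    -- Touch the caller's row. A session that was never registered (logged in
    -- before this was deployed, or skipped the post-auth process) is never
    -- active, so the check fails closed.
    UPDATE app_user_session
       SET last_seen_at = SYSDATE
     WHERE session_id = p_session_id
       AND username   = p_username;
    IF SQL%ROWCOUNT = 0 THEN
      RETURN FALSE;
    END IF;

    -- Pick the winning session. The caller's row always qualifies, so the
    -- query cannot raise NO_DATA_FOUND. ROWNUM over an ordered inline view
    -- is the 10g way to take the first row.
    IF p_policy = 'OLDEST_ACTIVE' THEN
      SELECT session_id INTO l_active_id
        FROM (SELECT session_id FROM app_user_session
               WHERE username = p_username
                 AND last_seen_at >= SYSDATE - p_idle_minutes / 1440
               ORDER BY logged_in_at, session_id)
       WHERE ROWNUM = 1;
    ELSE
      SELECT session_id INTO l_active_id
        FROM (SELECT session_id FROM app_user_session
               WHERE username = p_username
               ORDER BY logged_in_at DESC, session_id DESC)
       WHERE ROWNUM = 1;
    END IF;
    RETURN l_active_id = p_session_id;
  END is_active;
END single_session;
/

-- APEX wiring (assumed page number and process points; adapt to the app).
-- Authentication scheme, Post-Authentication Process:
--   single_session.register_login(:APP_USER, :APP_SESSION);
-- Application process, point "On Load: Before Header", with the condition
-- "Current Page Is Not In Expression 1" = 101, so the login page itself is
-- never checked:
--   IF NOT single_session.is_active(:APP_USER, :APP_SESSION) THEN
--     owa_util.redirect_url('f?p=' || :APP_ID || ':101');
--     apex_application.g_unrecoverable_error := TRUE;  -- stop rendering
--   END IF;
```

Two caveats follow from the logic. First, the check only redirects: the displaced APEX session cookie stays valid until APEX expires it, so the check has to run on every page request (hence an application-level process rather than a page-level one), and the displaced user simply lands on the login page each time. Second, the policies differ in who wins a fight over shared or stolen credentials. Under NEWEST_LOGIN whoever logged in last holds the slot, which is exactly the ping-pong reply 3 warns about, and it also means someone with stolen credentials evicts the legitimate user. Under OLDEST_ACTIVE the session that is actually being used keeps the slot, and a newer login has to wait until it has been idle for p_idle_minutes; that is the variant reply 3 suggests, at the price of a grace window before a genuinely new login takes effect.
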
              • 4. Re: Deny multiple authentication for a single user
                Well, I think that I can close the question for now.
                Thanks to all for posting your comments.