This discussion is archived
4 Replies Latest reply: May 20, 2009 6:02 AM by MickleSh RSS

Deny multiple authentication for a single user

MickleSh Explorer
Currently Being Moderated
Hi, forum
I'm very new to Apex, so firgive me for, maybe very simple question.
I have an appication with login page (user/password)

I want to deny multiple login for a single user ID (from different browsers/machines etc).

For example I expect the application to work like described:
User connects the app from machine A, enters his UID, pass and accesses the app.
then he (or someone else ;-)) connects from machine B with the same UID/pass
now if user tries to use the app from A, he is redirected to login page

Can someone provide me some clues how to solve this problem? Is there any internal APEX mechanism?
Apex 3.1.2, DB: 10.2

Regards, michael
  • 1. Re: Deny multiple authentication for a single user
    Jes Oracle ACE
    Currently Being Moderated
    Michael,

    A very simple question, but a much more complex problem ;)

    In reality this is a very tough nut to crack if you try and solve it programmatically, almost every measure you can come up has a counter-measure, or a potential flaw. If you try and base it on IP address then users can obscure their IP addresses by various methods. If you try and do it based on usage pattern and frequency analysis then you run the risk of locking out the wrong users.

    In short, there are only 2 ways I have found to achieve what you need -

    1) Client side certificates, whereby an SSL certificate is given to a user to install on their machine, which prevents another user from using the application with the same credentials from another machine.

    2) A hardware device (such as an RSA keyfob etc) which generates a point-in-time challenge-response code which is used as part of the user login process (therefore a username/password could be shared, but the 2nd user would not know the correct challenge-response sequence).

    I promise you, if you try and solve this programmatically in some other way, you're going down a road paved with problems, whereby you'll either do something that can still be defeated or your users will hate you because you lock out the wrong person from time to time.

    Just my thoughts, hopefully others will chime in too.

    John.
    --------------------------------------------
    Blog: http://jes.blogs.shellprompt.net
    Work: http://www.apex-evangelists.com
    Author of Pro Application Express: http://tinyurl.com/3gu7cd
    REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!
  • 2. Re: Deny multiple authentication for a single user
    MickleSh Explorer
    Currently Being Moderated
    Hi, John, thanks for your reply
    the problem is not to allow a user login only from trusted IPs/machines, but to allow a user ID to have only one, let me say "active" or "last active" apex session due to some reasons.

    Using some techniques, based on PKI si the best way(I belive so), but not for this application or, maybe not for now

    best wishes
    michael
  • 3. Re: Deny multiple authentication for a single user
    682558 Journeyer
    Currently Being Moderated
    Hi Michael,

    What you describe sounds simple:
    Log out all older sessions for a user when they log in.

    In practice, if you have 2 users using the same login, they will both keep logging back in and logging the other out.

    If you could set something up so that any activity on a session will log out/deactivate any newer session for the same user, that might be more effective.

    Not sure how you would implement it though.

    regards

    Michael
  • 4. Re: Deny multiple authentication for a single user
    MickleSh Explorer
    Currently Being Moderated
    Well, think that I can close the question for now.
    Thanks to all for posting your comments.
    Regards,
    michael

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points