Devise limit one session per user at a time

Question

My app is using Rails 3.0.4 and Devise 1.1.7.

I'm looking for a way to prevent users from sharing accounts as the app is a subscription based service. I've been searching for over a week, and I still don't know how to implement a solution. I'm hoping someone has implemented a solution and can point me in the right direction.

Solution (Thank you everyone for your answers and insight!)

In application controller.rb

before_filter :check_concurrent_session  def check_concurrent_session   if is_already_logged_in?     sign_out_and_redirect(current_user)   end end  def is_already_logged_in?   current_user && !(session[:token] == current_user.login_token) end 

In session_controller that overrides Devise Sessions controller:

skip_before_filter :check_concurrent_session  def create   super   set_login_token end  private def set_login_token   token = Devise.friendly_token   session[:token] = token   current_user.login_token = token   current_user.save end 

In migration AddLoginTokenToUsers

def self.up   change_table "users" do |t|     t.string "login_token"   end end  def self.down   change_table "users" do |t|     t.remove "login_token"   end end 

Answer 1

This gem works well: https://github.com/devise-security/devise-security

Add to Gemfile

gem 'devise-security' 

after bundle install

rails generate devise_security:install 

Then run

rails g migration AddSessionLimitableToUsers unique_session_id 

Edit the migration file

class AddSessionLimitableToUsers < ActiveRecord::Migration   def change     add_column :users, :unique_session_id, :string, limit: 20   end end 

Then run

rake db:migrate 

Edit your app/models/user.rb file

class User < ActiveRecord::Base   devise :session_limitable # other devise options   ... rest of file ... end 

Done. Now logging in from another browser will kill any previous sessions. The gem actual notifies the user that he is about to kill a current session before logging in.