Express.js + Passport.js : How to restrict multiple login by the same user?

Passport by default allows the same user to log in from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second session?

Currently I'm using the 'Sessions' model to add the username to the record and, upon subsequent login, check by username whether the session exists. But this increases traffic to the DB. I'm thinking Express must be doing it already, or can be made to, i.e. keep the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas around how to achieve this tweak with Express for this purpose, or any other workaround/suggestion. Much thanks!

vivekanon asked Mar 19 '15 12:03



2 Answers

I saw that at least 4 users upvoted this question, so I decided to create a Passport strategy for that. The new strategy is called passport-one-session-per-user. It's an open-source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user

How to use it? Add it right after passport.session(). For example:

// mount after express-session and passport.initialize()
app.use(passport.session());
var passportOneSessionPerUser = require('passport-one-session-per-user');
// register the strategy, then run it on every request
passport.use(new passportOneSessionPerUser());
app.use(passport.authenticate('passport-one-session-per-user'));

No settings or configuration needed.

How does it work?

The strategy creates an array that contains serialized user objects and session IDs.

Every time a user logs in, the strategy checks whether the user is already logged in. If so, it flags the other session. The next time the user in the other session makes a request, the strategy sees the flag and logs the user out.

Aminadav Glickshtein answered Sep 23 '22 08:09

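The flag-and-evict scheme this answer describes, written out as an added example (it is not the passport-one-session-per-user package's own code): an in-memory registry of userId -> current sessionID plus a set of revoked session IDs, an Express-style middleware that logs a flagged session out on its next request, and a constructed fake request so the whole thing runs without a server. It assumes express-session's req.sessionID and req.session.destroy(cb) and Passport 0.6+'s req.logout(cb); the function names (createOneSessionPerUser, onLogin, onLogout, runGuard, demo) and the sample user and session IDs are invented for the example.

```javascript
'use strict';

// Added example, not code from the passport-one-session-per-user package.
// Implements the scheme the answer describes: remember the newest session
// per user, flag any session it displaces, and log the flagged session out
// the next time it makes a request.
// Assumes express-session (req.sessionID, req.session.destroy(cb)) and
// Passport 0.6+ (req.logout(cb)). All names here are invented for the example.
// The registry is in-process memory: with several workers or hosts, keep the
// same two structures in a shared store (e.g. Redis) instead.

function createOneSessionPerUser() {
  const activeSessionByUser = new Map(); // userId -> current sessionID
  const revokedSessions = new Set();     // sessionIDs to evict on next request

  // Call from the login route after req.login() succeeds.
  // Returns the sessionID that was displaced, or null if there was none.
  function onLogin(userId, sessionID) {
    const previous = activeSessionByUser.get(userId);
    activeSessionByUser.set(userId, sessionID);
    if (previous !== undefined && previous !== sessionID) {
      revokedSessions.add(previous);
      return previous;
    }
    return null;
  }

  // Call from the logout route so a voluntary logout leaves no stale entry.
  function onLogout(userId, sessionID) {
    if (activeSessionByUser.get(userId) === sessionID) {
      activeSessionByUser.delete(userId);
    }
    revokedSessions.delete(sessionID);
  }

  function isActive(userId, sessionID) {
    return activeSessionByUser.get(userId) === sessionID;
  }

  // Express-style middleware; mount after passport.session().
  function middleware(req, res, next) {
    if (!req.user || !revokedSessions.has(req.sessionID)) {
      return next();
    }
    revokedSessions.delete(req.sessionID); // evict once, then forget the flag
    req.logout(function (err) {
      if (err) return next(err);
      // Drop the server-side session too, so the old cookie cannot be reused.
      req.session.destroy(function (err2) { next(err2); });
    });
  }

  return { onLogin, onLogout, isActive, middleware };
}

// Constructed stand-in for an Express request carrying an express-session
// session and a Passport user, so the guard can run without a server.
function fakeRequest(sessionID, user) {
  return {
    sessionID,
    user,
    session: {
      destroyed: false,
      destroy(cb) { this.destroyed = true; cb(null); },
    },
    logout(cb) { this.user = undefined; cb(null); },
  };
}

// Run the guard against one fake request and report what the next handler
// would see: whether req.user survived and whether the session was destroyed.
function runGuard(guard, sessionID, user) {
  const req = fakeRequest(sessionID, user);
  let error = null;
  guard.middleware(req, {}, function (err) { if (err) error = err; });
  return {
    authenticated: req.user !== undefined,
    sessionDestroyed: req.session.destroyed,
    error,
  };
}

// Scenario: alice logs in from browser A, then from browser B.
// Returns [A authenticated before B logs in, A after, B after].
function demo() {
  const guard = createOneSessionPerUser();
  const alice = { id: 'alice' };
  guard.onLogin(alice.id, 'sid-browser-A');
  const aBefore = runGuard(guard, 'sid-browser-A', alice).authenticated;
  guard.onLogin(alice.id, 'sid-browser-B');
  const aAfter = runGuard(guard, 'sid-browser-A', alice).authenticated;
  const bAfter = runGuard(guard, 'sid-browser-B', alice).authenticated;
  return [aBefore, aAfter, bAfter]; // [true, false, true]
}
```

Two caveats a practitioner should keep in mind. As in the answer's design, the displaced session is only evicted when it next reaches the server, so until then its cookie still resolves to a live session in the store; if the first session must die at the moment of the second login, call the session store's destroy(sid, cb) on the displaced ID from the login route instead of merely flagging it. And with Passport 0.5 and earlier, req.logout() is synchronous and takes no callback, so the eviction branch would need adjusting.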


I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified.

I believe the session model logs the user in, and saves only that logged-in-ness in the session cookie. The server itself has no clue about who is logged in, but just checks this state in the (signed) session cookie provided by the browser.

You can write your own Passport.js strategy to handle it differently.

geon answered Sep 24 '22 08:09
