Only one login instance of a user

oneflydown · April 8, 2020, 12:50pm

Is there a possibility in discourse, that I can enforce only one login instance of an user, at any given point of time?

Thanks
Oneflydown

david · April 8, 2020, 12:58pm

No, that’s not configurable. There is a hard-coded limit of 60 sessions (although, we never expect anyone to get near that in normal use)

github.com

discourse/discourse/blob/1cc1ff8435114a4f815f3cc0e81218543ddff73b/app/models/user_auth_token.rb#L11


# frozen_string_literal: true
require 'digest/sha1'


class UserAuthToken < ActiveRecord::Base
  belongs_to :user


  ROTATE_TIME = 10.minutes
  # used when token did not arrive at client
  URGENT_ROTATE_TIME = 1.minute


  MAX_SESSION_COUNT = 60


  USER_ACTIONS = ['generate']


  attr_accessor :unhashed_auth_token


  before_destroy do
    UserAuthToken.log(action: 'destroy',
                      user_auth_token_id: self.id,
                      user_id: self.user_id,
                      user_agent: self.user_agent,

It might be possible to override this in a plugin, but I would not recommend it (the UX would be very confusing)

oneflydown · April 8, 2020, 1:27pm

Thanks @david . I will find out a way, as my students are sharing username/password to access subscription content on forum.

pfaffman · April 8, 2020, 2:27pm

You could enforce 2 factor authentication. It works make sharing passwords more trouble.

You could also track ip addresses.