Only allow users to be logged in on one device at a time?

In Silverstripe 4 is there an easy way to restrict users to only be logged in on one device at a time?

e.g. if they log in on a 2nd device, they get logged out on the first device?

I’ve tried setting RememberLoginHash force_single_token to true, but this only invalidates the remember me setting, so they stay logged in on other devices, until they close their browser to end the Session.

So is there a way to instantly invalidate other sessions too?

Maybe take a look at the session manager:

That has some of the functionality you’re after, and in theory you should be able to hook into some of that to invalidate user sessions after login.

Thanks! I did come across this module but thought it was a little overkill for my needs. However, if there isn’t any existing config option that I’m missing, I’ll see if I can make use of it to do what I want.

This works a treat, thanks @Tim. I installed the session manager module, and created an extension to remove all other sessions for that user whenever a new one is created:

```php
<?php

namespace PurpleSpider\MySite;

use SilverStripe\ORM\DataExtension;

class LoginSessionExtension extends DataExtension
{
    public function onBeforeWrite()
    {
        // Delete any pre-existing sessions before creating a new one.
        // This ensures user can only be logged in on one device at a time.
        if (!$this->owner->isInDB()) {
            $otherSessions = $this->owner->Member()->LoginSessions();
            foreach ($otherSessions as $session) {
                $session->delete();
            }
        }

        parent::onBeforeWrite();
    }
}
```
2 Likes
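To make the difference discussed in this thread concrete, here is an added, framework-free PHP model of single remember-me tokens versus revoking session records at login. It is not code from the thread or from the session manager module; every class and method name in it is hypothetical, and the member id and devices are constructed sample values.

```php
<?php
// Added example: all names are hypothetical, none is a Silverstripe API. PHP 7.4+.
final class LoginRegistry
{
    /** @var array<string,int> session id => member id (server-side session records) */
    private array $sessions = [];
    /** @var array<string,int> remember-me token => member id */
    private array $rememberTokens = [];
    private bool $revokeOtherSessions;

    public function __construct(bool $revokeOtherSessions)
    {
        $this->revokeOtherSessions = $revokeOtherSessions;
    }

    /** Log a member in on a new device; returns [session id, remember-me token]. */
    public function login(int $memberId): array
    {
        $others = static fn(int $owner): bool => $owner !== $memberId;
        // Single-token behaviour: the member's older remember-me tokens stop working.
        $this->rememberTokens = array_filter($this->rememberTokens, $others);
        if ($this->revokeOtherSessions) {
            // Additionally drop the member's existing session records.
            $this->sessions = array_filter($this->sessions, $others);
        }
        [$sid, $token] = [bin2hex(random_bytes(16)), bin2hex(random_bytes(16))];
        $this->sessions[$sid] = $memberId;
        $this->rememberTokens[$token] = $memberId;
        return [$sid, $token];
    }

    /** Per-request check: a session is honoured only while its record exists. */
    public function sessionValid(string $sid): bool
    {
        return isset($this->sessions[$sid]);
    }

    /** Consulted only when the browser presents no live session. */
    public function rememberTokenValid(string $token): bool
    {
        return isset($this->rememberTokens[$token]);
    }
}

foreach ([false, true] as $revoke) {
    $registry = new LoginRegistry($revoke);
    [$laptopSid, $laptopToken] = $registry->login(42); // first device
    [$phoneSid] = $registry->login(42);                // second device, same member
    printf("revoke=%d laptop session=%d laptop token=%d phone session=%d\n", $revoke,
        $registry->sessionValid($laptopSid), $registry->rememberTokenValid($laptopToken),
        $registry->sessionValid($phoneSid));
}
```

With `revoke=0` the laptop's session survives the second login even though its remember-me token is gone, which is the behaviour described in the question; with `revoke=1` the laptop is rejected on its next request.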