Reputation: 712
Is there any way of making sure that one user is logged in only once?
I would like to avoid two different persons logging into the system with the same login/password.
I guess I could do it myself by checking in the django_session table before logging in the user, but I would rather use the framework, if there is already such functionality.
Upvotes: 3
Views: 1353
Reputation: 17713
A site I did last year was concerned that usernames/passwords might be posted to a forum. I dealt with this by adding a model and a check to the login view that looked at how many unique IPs the name had been used from in the last X hours. I gave the site admins two values in settings.py to adjust the number of hours and the number of unique IPs. If a name was being "overused" it was blocked for logins from new IPs until enough time had passed to fall below the threshold.
Much to their surprise, they have had only one name trigger the blocking in the last year and that turned out to be the company president who was on a business trip and kept logging in from new locations.
Upvotes: 4
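The check described in the answer above, sketched as an added example; it is not the answerer's code. It uses an in-memory store instead of a Django model so it runs stand-alone, and the setting names `LOGIN_IP_WINDOW_HOURS` and `LOGIN_MAX_UNIQUE_IPS` are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical setting names; the answer only says two values lived in settings.py.
LOGIN_IP_WINDOW_HOURS = 24
LOGIN_MAX_UNIQUE_IPS = 3


class LoginIPTracker:
    """In-memory stand-in for the model described above (username, IP, timestamp)."""

    def __init__(self, window_hours=LOGIN_IP_WINDOW_HOURS, max_ips=LOGIN_MAX_UNIQUE_IPS):
        self.window = timedelta(hours=window_hours)
        self.max_ips = max_ips
        self._seen = defaultdict(dict)  # username -> {ip: time of last allowed login}

    def _recent_ips(self, username, now):
        cutoff = now - self.window
        ips = self._seen[username]
        # Drop entries that aged out of the window so the block lifts on its own.
        for ip in [ip for ip, ts in ips.items() if ts < cutoff]:
            del ips[ip]
        return ips

    def allow_login(self, username, ip, now):
        """Call after the password check succeeds; returns False if the login is blocked."""
        ips = self._recent_ips(username, now)
        # Known IPs always pass; only a new IP beyond the threshold is refused.
        if ip not in ips and len(ips) >= self.max_ips:
            return False  # blocked attempts are not recorded
        ips[ip] = now
        return True


def demo():
    """Constructed sample: one account used from documentation-range IPs."""
    t0 = datetime(2024, 1, 1, 9, 0)
    tracker = LoginIPTracker(window_hours=24, max_ips=3)
    # Three distinct IPs are accepted; the fourth new IP inside the window is refused.
    results = [tracker.allow_login("alice", f"203.0.113.{n}", t0 + timedelta(hours=n))
               for n in (1, 2, 3, 4)]
    # An IP already seen in the window is still allowed while new ones are blocked.
    results.append(tracker.allow_login("alice", "203.0.113.1", t0 + timedelta(hours=5)))
    # 27h in, the login from 203.0.113.2 has aged out, so a new IP fits again.
    results.append(tracker.allow_login("alice", "203.0.113.9", t0 + timedelta(hours=27)))
    return results
```

In a Django login view the same decision would be made after authentication succeeds and before the session is created, with the per-user IP records kept in a database table rather than in process memory.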
Reputation: 391992
Logged in twice is ambiguous over HTTP. There's no "disconnecting" signal that's sent. You can frustrate people if you're not careful.
If I shut down my browser and drop the cookies -- accidentally -- I might be prevented from logging in again.
How would the server know it was me trying to re-login vs. me trying to login twice?
You can try things like checking the IP address. And what if the accidental disconnect was my router crashing, releasing my DHCP lease? Now I'm trying to re-login, but I have a new address and no established cookie. I'm not trying to create a second session, I'm just trying to get back on after my current session got disconnected.
The point is that there's no well-established rule for "single session" that can be installed in a framework. You have to make up a rule appropriate to your application and figure out how to enforce it.
Upvotes: 5