Topic: Prevent same user logged in simultaneously

I wish to prevent that 2 people use the same credentials (login&password) at the same time.

The point is that for any accounting package, it is necessary to be able to trace who did what transactions.

For example, on Pastel, it is not possible for 2 people to use the same login & password at the same time. One has to log out first for the other one to be able to log in.

Is there any piece of code to add or variable to set in order to enable this functionality?

Obviously, it should be possible as FA always knows how many users are connected. So, if 2 users are connected with the same credentials, there is a problem.

After looking in the forum, I did not find the answer. Any ideas?

Re: Prevent same user logged in simultaneously

Why not just give each user an account?

Re: Prevent same user logged in simultaneously

For sure, but I want to avoid having a user pretending that a transaction that he recorded in FA was done by another user. Now, having more than 10 users, it can become quite tempting to use someone else's credentials when one is not too sure about a transaction.

Obviously, trust is important and if someone wants to do evil he will always find a way, but if at least I could prevent it while they are logged in, it would be a great step for better security.

Re: Prevent same user logged in simultaneously

But surely they have unique passwords?

Re: Prevent same user logged in simultaneously

I found this problem too.

It's possible for two users to log into FA with the same password. Yes, users can have unique passwords, but security is improved by not allowing simultaneous login with the same password.
Other accounting software I know does not allow 2 logins at the same time with the same password.

Re: Prevent same user logged in simultaneously

If people work on different computers, then there is no reason each one can't use their own user.
If people are sharing computers and don't lock or switch user, then authorizing only one user to log in at the same time won't solve the problem anyway.

I think it's just a question of educating people: they are responsible for their user and what's done under it. If they allow other people to use their account, then they take the responsibility for it. That's it.

However, adding the IP address in the audit_trail table wouldn't hurt.

/Elax

Re: Prevent same user logged in simultaneously

Logging the IP address does not hurt, but for users in a small office behind a NAT router connecting to a remote server (not at all an unlikely scenario) it does not help either. And in the case of dynamically assigned addresses, the log would need to be matched against the logs from the DHCP server. I'm not sure how many companies would even keep such a log.

As for duplicated sessions, the usual way to handle them is to destroy/invalidate the first when the second is created. That way a user can log on from home even if he left the office computer logged in. (FA does have a session timeout which allows this, as long as the value is not set too high.)

The answer is still to have one account per user. And hold the user responsible for anything done using that account.

Re: Prevent same user logged in simultaneously

If a computer hung when using FA, the session would become stale in time, but the user can just reboot at once and then log in again; otherwise the stale session would lock out any login if it were based on existing valid sessions being alive.

Hence, keep passwords safe and get staff to use separate usernames for the audit trail.

Social engineering / hacking (looking for passwords over the user's shoulder as they are being typed) and looking through CCTV footage should by now be well understood, as they have been shown in movies / TV serials quite commonly.

Re: Prevent same user logged in simultaneously

All the points discussed are valid. However, FA would have better security if it were not possible for multiple logins using the same password. (I'm not a programmer and have no clue how to make the changes needed to prevent multiple logins using the same password.)

10 (edited by apmuthu 11/03/2013 03:22:50 am)

Re: Prevent same user logged in simultaneously

Multiple logins using the same password can be implemented only when sessions are stored in the database, and the date and time, IP and unique browser signature must be stored as well within it to verify.

Otherwise, the mere logging out of all existing sessions for the currently logged-in user can be implemented if the end users are willing to accept getting thrown out of their legitimately first-initiated sessions! In this case, just issue a logout to every existing session for the same user and then allow the current request to log in as that user. How it is done will need to enable the script to snoop into others' sessions while being inside the requester's one. Recreation of a user persistence key may be one way, though, where it would propagate into the session array.

The moot question would be why should anyone share their password at all and not change it frequently enough to avoid this situation in the first place!

Re: Prevent same user logged in simultaneously

MarkAndrew wrote:

All the points discussed are valid. However, FA would have better security if it were not possible for multiple logins using the same password. (I'm not a programmer and have no clue how to make the changes needed to prevent multiple logins using the same password.)

You keep saying FA would have better security but don't really explain why or give a scenario where this feature will improve anything.

As far as I understand, your problem is that multiple users use the same account, meaning they are sharing passwords.
Now, if telling them not to share passwords is not enough, do you think your solution will stop them from sharing passwords anyway?

What will probably happen is all of your users will have a common pool of logins and use the first available (if they work in the same room they'll just shout and ask which logins are used or which are available; if they don't work in the same room, then they would have shared the password initially).

What I mean here is, if your users want to share accounts, because that's the way they work, whatever you do, they'll find a way to carry on sharing users. If they don't naturally log in with their own account but feel the need to share them, there is probably a reason:
- maybe there are not enough computers per user
- maybe they don't have enough memory to remember their password
- maybe they share computers because, for example, one is more convenient than the other (near the printer, near the packing area, etc.)

Until you find this reason (or reasons), you won't be able to solve the problem.
They don't share logins just because they can, but because it's better for them and suits their workflow.
Stopping them from doing so won't make them change their workflow to what you want, but only annoy them and slow down their own workflow. So you need to convince them that your workflow is better.
Believe me, I have enough experience in in-house software to know that when users don't use the system as it was designed for, it's really hard to make them change. As I said, they usually have a good (or valid) reason for it, and as they know they are not using the system as they should, they usually lie when you ask them what they do: they answer what they think you want to hear, not what they are actually doing, which makes the problem really hard to track.

Moreover, as apmuthu said, if the first logged session has priority, what do you do when you have moved to another computer and didn't log out from the previous one? (The answer is simple: you ask your workmate for his login and password ;-))
Other solution: a new session kills all open sessions. What happens when you've spent 30 min entering an order and, when you press the submit button, you get a nice error message telling you that your session got killed because someone logged in using your login? (After all, everybody knows everybody's password in your company; what would it change? Especially since FA implements this new killer feature giving "better security".)


/Elax

Re: Prevent same user logged in simultaneously

Hi all, I'm facing the same problem.
Has anyone got a solution to prevent two users accessing with the same password?

Re: Prevent same user logged in simultaneously

Thanks elax, this is an excellent explanation.

@MarkAndrew, mustafa et al.
As elax clearly stated, this is not a FrontAccounting application problem, but a problem of the security policy as it is implemented in your company.

Janusz

14 (edited by stefan 04/04/2018 09:13:55 am)

Re: Prevent same user logged in simultaneously

I would add something to what elax wrote.

Just make the account owner responsible for EVERYTHING that happens through his own account. Let him change the password today and from now on make sure everything wrong is his responsibility/penalty.

This way you will make it worse for him to keep things as they are.

Re: Prevent same user logged in simultaneously

If we set the code to kick out the currently logged-in user session when the same username is logged in again, it might be okay. If a browser hung while accessing FA, a fresh login can eliminate all old sessions for the same user.
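The mechanism the thread keeps circling back to (posts 6, 10 and 15: sessions kept in the database with time, IP and a browser signature, and either the new login revoking every earlier session of the same user or being refused while one is still live) is easy to get subtly wrong, in particular the stale-session lockout apmuthu warns about. The following is an added, constructed example and not FrontAccounting's own code: the table layout, the column names, the 600-second idle timeout and the two policy names `replace` and `refuse` are assumptions, and an in-memory SQLite database stands in for the application database. Revocation is checked on every request, not only at login, which is the part a PHP-session-only implementation cannot do without the database.

```python
"""One-session-per-user handling on top of database-stored sessions.

Constructed example, not FrontAccounting code. The schema, the policy names
and IDLE_TIMEOUT are assumptions made for illustration.
"""
import hashlib
import secrets
import sqlite3
import time

IDLE_TIMEOUT = 600  # seconds; assumed value, FA's real timeout is a config setting


def open_store():
    """In-memory SQLite stands in for the application database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " token TEXT PRIMARY KEY, user TEXT NOT NULL, ip TEXT NOT NULL,"
        " ua_hash TEXT NOT NULL, created REAL NOT NULL, last_seen REAL NOT NULL,"
        " revoked INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def _ua_hash(user_agent):
    # "unique browser signature": a hash of the User-Agent is the simplest stand-in
    return hashlib.sha256(user_agent.encode()).hexdigest()


def _live_sessions(db, user, now):
    """Tokens of `user` that are neither revoked nor idle past IDLE_TIMEOUT."""
    rows = db.execute(
        "SELECT token FROM sessions WHERE user=? AND revoked=0 AND last_seen>?",
        (user, now - IDLE_TIMEOUT),
    ).fetchall()
    return [r[0] for r in rows]


def login(db, user, ip, user_agent, policy="replace", now=None):
    """Create a session for an already-authenticated user.

    policy="replace": the new login revokes every live session of the user.
    policy="refuse":  the new login is rejected while a live session exists;
                      idle sessions do not count, so a hung browser cannot
                      lock the user out for longer than IDLE_TIMEOUT.
    Returns the session token, or None when refused.
    """
    now = time.time() if now is None else now
    live = _live_sessions(db, user, now)
    if policy == "refuse" and live:
        return None
    if policy == "replace" and live:
        db.execute("UPDATE sessions SET revoked=1 WHERE user=? AND revoked=0", (user,))
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO sessions VALUES (?,?,?,?,?,?,0)",
        (token, user, ip, _ua_hash(user_agent), now, now),
    )
    db.commit()
    return token


def validate(db, token, ip, user_agent, now=None):
    """Check a presented token on every request; returns (user, "ok") or (None, reason).

    Revoked and idle sessions are rejected, as are tokens presented from a
    different address or browser than the one that logged in.
    """
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT user, ip, ua_hash, last_seen, revoked FROM sessions WHERE token=?",
        (token,),
    ).fetchone()
    if row is None:
        return None, "unknown"
    user, s_ip, s_ua, last_seen, revoked = row
    if revoked:
        return None, "revoked"
    if now - last_seen > IDLE_TIMEOUT:
        return None, "expired"
    if s_ip != ip or s_ua != _ua_hash(user_agent):
        return None, "fingerprint"
    db.execute("UPDATE sessions SET last_seen=? WHERE token=?", (now, token))
    db.commit()
    return user, "ok"


def demo():
    """Walk through the thread's scenarios with fixed timestamps (constructed data)."""
    db = open_store()
    ua = "Mozilla/5.0 (constructed)"
    t0 = 1_000_000.0
    office = login(db, "alice", "10.0.0.5", ua, now=t0)
    # second login from home with "replace": the forgotten office session dies
    home = login(db, "alice", "203.0.113.9", ua, now=t0 + 60)
    return {
        "office_after_home": validate(db, office, "10.0.0.5", ua, now=t0 + 61)[1],
        "home": validate(db, home, "203.0.113.9", ua, now=t0 + 62)[1],
        # token copied and replayed from another address: rejected
        "home_from_office_ip": validate(db, home, "10.0.0.5", ua, now=t0 + 63)[1],
        # "refuse" policy while the home session is still live
        "refuse_while_live": login(db, "alice", "10.0.0.5", ua, policy="refuse", now=t0 + 64),
        # ... and again once the home session has been idle past the timeout
        "refuse_after_idle": login(db, "alice", "10.0.0.5", ua, policy="refuse",
                                   now=t0 + 62 + IDLE_TIMEOUT + 1),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats from the thread carry over: binding the session to the client IP, as post 10 suggests, logs users out whenever their address changes mid-session (mobile clients, ISP reassignment), and per post 7 an address behind NAT still does not tell you which person was at the keyboard. Neither policy does anything about the actual complaint, which is staff who hand their password to a colleague.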