14 Replies Latest reply on Jan 26, 2010 2:31 PM by mrvodka

    Preventing multiple sessions per user

    deltatango


      I need to modify an existing database as I have discovered that individuals are sharing passwords. This wreaks havoc as multiple people log on with the same username and then no one knows who really did what in the audit trail.

       

      I'm wondering how to lock FM down to 1 session per user.

       

      Here is what I have come up with:

       

      Set a script to run at login that queries a table called "sessions", for example, which holds the field "username". If the username queried brings up a record, show them a warning and close the file. If it doesn't, create a record with the current user. When the user logs out, delete their session record.

       

      The only time I'd see a user getting locked out is if there is a power failure and the file doesn't shut properly and so the session record is not deleted. But then I'd probably be called to get the power on again so I could delete the sessions table then. :)

       

      ANY OTHER SUGGESTIONS ARE GRATEFULLY APPRECIATED. 

        • 1. Re: Preventing multiple sessions per user
          Steve Wright
            

          I would probably do something similar, possibly with adding a timestamp to the sessions table, which updates using an ontimer script trigger.

          If the timestamp was x minutes old, then it's possible that something is wrong, in which case you could allow the log in to proceed or at least give an option to clear the sessions.

           

          One of the worst things you could do is cause a lock out, requiring them to call you every 30 minutes to get back into the solution.

           

          Obviously, I'm thinking out loud here... I've not really delved into this, although I have been thinking about a similar thing.

          • 2. Re: Preventing multiple sessions per user
            philmodjunk
              

            I would use the Account name not the user name. User names are specified in edit Preferences and Account names are specified in Accounts and Privileges.

             

            FileMaker confuses the issue by automatically entering a computer's user name into the account name box when you first attempt to access a password protected file.

            • 3. Re: Preventing multiple sessions per user
              deltatango
                

              Phil,

               

              The problem with that is users don't like to put their User names in the preferences dialog.

               

              They hate having to remove their user name and put their account name so most of them have figured out how to go in and change it to their account name by default.

               

              ---------- 

               

              Sw,

               

               I did have a timestamp field but wasn't really using it for much. I modified my script so that upon login, if no record found with their account name (meaning a user already logged in with that name), it generates the session record (I use the record ID in the session table as the session ID) and then store it as a global var called $$sessionID. When the file is closed (triggering the close script), I query the session var and delete the record from the session table.

               

              I changed that from querying the username to querying for the sessionID because since the close script is triggered whenever the file is closed, a user who tried to log in at a second computer would delete the first user's session record when kicked out of the file. No good.

               

              Now, to implement your suggestion about the timestamp check, the only thing would be how to differentiate between reopening by a user and reopening by a foreign user. Again, I am leery of the username as a check for the computer ID........

              • 4. Re: Preventing multiple sessions per user
                MikeyG79
                   What about having a record for each user with a field to flag if they are logged in or not? Then you just change the flag, not create/delete records.
                • 5. Re: Preventing multiple sessions per user
                  Steve Wright
                    

                   

                  In theory... here is what I would be trying 

                   

                  Add a new table > Sessions

                  Add fields for >

                  User

                  NIC

                  timestamp

                   

                  Add a new global field to your database to record the current user (Global_current_user_field in my example)

                  Add a relationship from the Global_current_user_field to the sessions table based on  = User 

                   

                  // The reason for a global field is to make the relationship work, so you don't have to bounce off to another layout to update the sessions table.

                   

                   

                  When logging in :

                   

                  Set Field [ Global_current_user_field : "" ]  

                  Goto Sessions Table

                  Perform a find for  User "=="& Get ( AccountName )

                   

                  If [ Get (FoundCount) = 0 ]

                    // No user exists in session table 

                      Create Record

                      Set Field [ Global_current_user_field : Get ( AccountName ) ]  

                   

                  Else If [ Get ( SystemNICAddress ) = NIC ]

                    // The same user is logging back in on the same system  ALLOW LOGIN

                    Set Field [ Global_current_user_field : Get ( AccountName ) ] 

                    Set Field [ timestamp : Get(CurrentTimeStamp) ] 

                   

                   

                  Else if [ timestamp > Get ( CurrentTimeStamp ) - 360 and NIC <> Get ( SystemNICAddress )]  // 360 is 6 mins

                  // a different computer is logging in whilst the session is active

                      Close File

                   

                  Else 

                  // Something is wrong with the session

                  Show Dialog : Session Error - log in anyway ?

                   ...

                  End If

                   

                   

                   

                   

                  Once logged in, the ontimer script would run every 5 mins :

                  Set Field [ SessionTableCurrentUser::timestamp ; Get ( CurrentTimeStamp ) ]

                   

                  On log out, simply clear the timestamp and NIC from the table or delete the record.

                   

                   

                  Bear in mind, this is rough, I've not used proper calculations or even formatting,

                  I've not tried it at all. It's just off the top of my head (waiting for an import to finish on my system)

                   

                  There are also things which I probably have not considered... but it's a starting point

                  • 6. Re: Preventing multiple sessions per user
                    philmodjunk
                      

                    deltatango,

                     

                    "They hate having to remove their user name and put their account name so most of them have figured out how to go in and change it to their account name by default."

                     

                    Which is exactly why you want to track the account name (get ( accountname) ) not the user name (get (Username) ).

                     

                    The account name will be consistent for a given password regardless of which computer was used to log in. User names don't tell you which password was used. They tell you more about which computer is in use instead of which password. In your case that may be the same thing most of the time, but there's no guarantee that will be the case 100% of the time.

                    • 7. Re: Preventing multiple sessions per user
                      deltatango
                        

                      Phil, we had a miscommunication on my part - from the beginning I meant account name not user name.

                       

                      SW, the problem is I have terminal server users so NIC won't work.

                       

                       

                      • 8. Re: Preventing multiple sessions per user
                        Steve Wright
                          

                        Ah ok.. I'm afraid I've never used terminal server, so I guess somebody else will have to chime in.

                        Can't you use Get ( SystemIPAddress ) instead perhaps?

                         

                        • 9. Re: Preventing multiple sessions per user
                          deltatango
                            

                          That will give you the IP address of the terminal server. So 10 users logged in will all have the terminal server's IP address.

                           

                          It works for my 5 local users but not the other 15 terminal server users

                           

                          :( 

                          • 10. Re: Preventing multiple sessions per user
                            ninja
                              

                            Some great ideas flying here...

                             

                            SW put out a rough approach including NIC...which was great if it worked, but the point seems to be that you don't want one account logged in more than once.  While NIC or IP address would be a nice adder, it doesn't seem necessary to achieve the goal...it was an extra benefit.

                             

                            The rest of SW's approach is still valid, is it not?  Check to see if that account is still logged in...if so show a custom dialog saying "That account is already logged in" and shut down when they click OK.

                             

                            You don't want them sharing passwords and accounts...who can blame you.  Sharing a password after you install the login status check may end up with them getting booted when trying to log in...the norm should change to protecting their passwords and being reluctant to share...{in a perfect world}.  Make life easy when they don't share passwords, and inconvenient when they do.

                             

                            While the nicety of telling them WHERE the account is logged in from may not be workable with the terminal server, the account lockout still appears to be possible.

                             

                            Just thinking out loud...

                            • 11. Re: Preventing multiple sessions per user
                              Steve Wright
                                

                              That's true... The idea of the NIC or IP address was purely to save the user from inconvenience in case of an error and allow them to immediately log back in.  You could change the times for instance, from 5 mins to 2 mins, at least that way, if something went wrong, they can re-login after two minutes.

                               

                              Meanwhile, if everything is ok, the timestamp will be updating every minute for instance, so any attempt to access it will warn and close.

                               

                              I've not used ontimer scripts yet, but I assume they are put in a queue if a current script is running.

                              So you would have to consider this.  For instance, a user is running a script which takes 10 minutes... their timestamp will not get updated for those 10 minutes.

                               

                              If somebody tries to log in using the same details during that time, they will be granted access. 

                              Of course, 80% of the time it will deny access, so they will soon become accustomed to not sharing passwords.

                               

                              In the above scenario, you could go as far as updating the time stamp and setting the time + 10 minutes at the start of any long running scripts but I think that would be more hassle than it's worth.

                               

                              The login part of the script would end up being :

                               

                               

                              Set Field [ Global_current_user_field : "" ]  

                              Goto Sessions Table

                              Perform a find for  User "=="& Get ( AccountName )

                               

                              If [ Get (FoundCount) = 0 ]

                                // No user exists in session table 

                                  Create Record

                                  Set Field [ Global_current_user_field : Get ( AccountName ) ]  

                                  Set Field [ timestamp : Get(CurrentTimeStamp) ] 

                               

                              Else if [ timestamp > Get ( CurrentTimeStamp ) - 360]  // 360 is 6 mins

                              // the same user is trying to log in whilst the time stamp is within a valid range of 6 minutes

                                    Warn and Close File

                               

                              Else if [ timestamp < Get ( CurrentTimeStamp ) - 360]  // 360 is 6 mins

                              // the session has expired Allow Login

                                  Set Field [ Global_current_user_field : Get ( AccountName ) ]  

                                  Set Field [ timestamp : Get(CurrentTimeStamp) ] 

                               

                              Else 

                              // Something is wrong with the session

                              Show Dialog : Session Error - log in anyway ?

                               ...

                              End If

                               

                              Give or take some tinkering with the times..
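
Added example (not from any poster in this thread, and written in Python with SQLite rather than FileMaker script steps): the session-record scheme discussed above, with the check and the record creation done in one transaction so two simultaneous logins cannot both pass, deletion keyed on the session ID as in reply 3, and the 6-minute expiry from reply 11. The table layout, the function names and the explicit `now` argument are assumptions made for the illustration.

```python
import sqlite3
import uuid

SESSION_TTL = 360  # seconds; the 6-minute staleness window used in the thread

def open_db():
    # Autocommit mode so the transaction boundaries below are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("""CREATE TABLE sessions (
        account    TEXT PRIMARY KEY,  -- the engine enforces one row per account
        session_id TEXT NOT NULL UNIQUE,
        last_seen  INTEGER NOT NULL)""")
    return db

def login(db, account, now):
    """Return a new session id, or None while a live session holds the account."""
    sid = uuid.uuid4().hex
    db.execute("BEGIN IMMEDIATE")  # write lock: expiry check and insert are one step
    try:
        # Drop only a stale row (no heartbeat for longer than SESSION_TTL).
        db.execute("DELETE FROM sessions WHERE account = ? AND last_seen < ?",
                   (account, now - SESSION_TTL))
        db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (account, sid, now))
        db.execute("COMMIT")
        return sid
    except sqlite3.IntegrityError:  # a live row exists: reject, change nothing
        db.execute("ROLLBACK")
        return None

def heartbeat(db, sid, now):
    """Timer tick. False means this session no longer owns the account."""
    cur = db.execute("UPDATE sessions SET last_seen = ? WHERE session_id = ?",
                     (now, sid))
    return cur.rowcount == 1

def logout(db, sid):
    """Delete by session id so a rejected login cannot remove another's row."""
    cur = db.execute("DELETE FROM sessions WHERE session_id = ?", (sid,))
    return cur.rowcount == 1

if __name__ == "__main__":
    db = open_db()                       # constructed timeline, in seconds
    first = login(db, "jsmith", 1000)    # accepted
    print(login(db, "jsmith", 1100))     # None: second login while session is live
    print(heartbeat(db, first, 1300))    # True
    second = login(db, "jsmith", 1661)   # accepted: last heartbeat is stale
    print(heartbeat(db, first, 1662))    # False: the first client should close
    print(logout(db, second))            # True
```
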

                              • 12. Re: Preventing multiple sessions per user
                                mrvodka
                                  

                                Deltatango.

                                 

                                Are your users on Windows or Mac?

                                • 14. Re: Preventing multiple sessions per user
                                  mrvodka
                                     But they are using terminal services, correct? So they are on Windows then, I am going to assume. Why not use external authentication against your server and have each user's account open with a shortcut? You may be able to create a single sign on here. I don't know enough about your network setup but it would solve the issue with users changing user names and passwords, unless they want to give up their network password...