statamic / ideas

💡 Discussions on ideas and feature requests for Statamic
https://statamic.dev

Add Concurrent Login Prevention #1135

Open lwoschke opened 4 months ago

lwoschke commented 4 months ago

As from my help request in the Discord Server:

Is there a way to prevent concurrent logins? At the time several people can be logged in with the same account and use it at the same time. A recent security audit of one of our sites identified this as a possible threat and it would be great if there were a way to configure Statamic to terminate the old session when there is a new login, to prevent logins from multiple locations or browsers at the same time.

I couldn't find any help on that or any config options to help with that.

benfurfie commented 4 months ago

For further context, the reason this is flagged as a security risk is that if you enable auditing of actions, concurrent users make it impossible to identify which instance of a user did something. For example, if an account is compromised, if the user is not logged out, it makes it impossible to track when a new login occurred, and what actions were undertaken during that session.

There are, of course, legitimate reasons to share an account such as an admin account used by an agency, as well as illegitimate ones, such as trying to skirt the one user limit on the free plan.

jasonvarga commented 4 months ago

There's no ability to do that right now (aside from maybe writing an event listener and doing it yourself somehow), but it's a good idea. 👍

benfurfie commented 4 months ago

@jasonvarga – bearing in mind this is most likely to be used in enterprise settings, would it be feasible to require the use of a key/value store like Redis or sqlite to capture the current session cookie value and store it against their user ID? The logic, if prevent concurrent sessions was enabled, could then do something like:

Auth check -> if block concurrent sessions -> get user session ID, and check against key value store to see if the session exists. If not, create the key/value binding, or potentially store it as part of a JSON array of data. Real question then becomes whether to block the login if it doesn't match (but that brings up questions around invalidation of sessions), or end session and potentially fire off a notification to the registered email to alert that they have been logged out/require 2FA before session can be started.

Certainly not simple, but it might be feasible within the current tool set.

I suppose this might actually make a good potential addon.

jackmcdade commented 4 months ago

I'm doing this with users in the DB (DB Session Driver) on one of my personal sites. Essentially you just add a line on login to delete any existing session.

```php
use Illuminate\Support\Facades\DB;

// On login, drop every existing session row for this user (database session driver).
DB::table('sessions')->where('user_id', user()->id)->delete();
```
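One way to wire up the session binding benfurfie sketches above and the session-ending step jackmcdade shows, as an added example that is neither Statamic's code nor either commenter's: a Laravel `Login` listener records a per-login token for the user in the cache, and a middleware ends any authenticated session whose token no longer matches. The cache key format, the session key `login_token` and the redirect route name are assumptions.

```php
<?php
// Added example, not Statamic's own code. Single-session-per-user enforcement for a
// Laravel/Statamic app. Assumptions: cache key format, session key 'login_token',
// and the CP login route name used for the redirect.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\Events\Login;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Str;

class PreventConcurrentSessions
{
    // One cache entry per user; Redis, database or any configured cache store works.
    public static function cacheKey(int|string $userId): string
    {
        return "active_login:{$userId}";
    }

    // Register in EventServiceProvider: Event::listen(Login::class, [self::class, 'onLogin']).
    // A random token is stored rather than the session ID, because Laravel regenerates the
    // session ID after login; session data (and so this token) survives that regeneration.
    public static function onLogin(Login $event): void
    {
        $token = Str::random(40);
        session()->put('login_token', $token);
        Cache::forever(self::cacheKey($event->user->getAuthIdentifier()), $token);
    }

    public function handle(Request $request, Closure $next)
    {
        if (Auth::check()) {
            $expected = Cache::get(self::cacheKey(Auth::id()));
            $mine = $request->session()->get('login_token');

            // A newer login wrote a different token: this older session is terminated.
            if ($expected !== null && $mine !== $expected) {
                Auth::logout();
                $request->session()->invalidate();
                $request->session()->regenerateToken();

                return redirect()->route('statamic.cp.login')
                    ->withErrors(['email' => 'Signed out: this account signed in elsewhere.']);
            }
        }

        return $next($request);
    }
}
```

Register the middleware in the `web` middleware group so it runs after the session has been started; a session that logged in before the listener was registered has no token and is left alone until the next login writes one.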