jamie wrote:
eytanz wrote:
I don't think that can be done in any real way in an HTML-based forum, since the system doesn't know whether you are still logged in or not at a computer at the time you log in to another one. I guess it'd be possible to have a minimum time limit - say, you can't log in twice in five minutes - but you'd be causing more harm than good there.
Simply make the new login session automatically logout the old one
No, that's exactly what's impossible to do, because the server doesn't really know who is logged in. If you log in, it's saved as information in your browser, which will identify you for every action you do. There's no real sense of a "login session" except in the mind of the user.
The server does know who logged in over the past few minutes (that's what it tells you on the bottom of the main page), so you could tell the server "don't accept the same user coming from different IPs within timeframe X". But that's pre-emptive blocking, not backwards logging out - if I log in from computer A, I won't be able to log in from computer B for a while, which is sort of the opposite of the behavior you are suggesting.
Note - Schik, feel free to correct me if I'm wrong on any of this.
There's a second, more general point, which is that logging out the old session doesn't really make the user any more secure. It's done by several programs (such as MSN Messenger), but it's more of a bookkeeping/privacy measure than a security measure. IM software needs to know where you are because it needs to send you messages there. Sending you messages on every computer you ever logged in from is a waste of bandwidth. Furthermore, you run the risk of sending information to the wrong person, which is a problem since all IM'd messages are private to some extent. Forum messages are by-and-large public, and are pulled by the user rather than pushed by the server, so you can't get someone's private messages unless you actively go out looking for them.
Edit: Actually, come to think of it, there is the minor risk of someone using a public computer, then leaving it, and someone else using the same computer to access that person's account. But that risk is independent of the first person happening to log in from another computer. This is a pretty negligible risk IMO, but if it is to be reduced, the only way to do it is to add a "public computer, don't save login info beyond browser session" option at login. Logging out an old session - even if it were possible, which it isn't - would not help in this case since the problem is an insecure login from the same session.
[Last edited by eytanz at 07-10-2005 09:56 AM]
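
The "public computer, don't save login info beyond browser session" option suggested in the post above, sketched as an added example (not part of the original post or the forum's own code): a login cookie sent without `Max-Age` or `Expires` is a session cookie, which the browser discards when it closes. The cookie name `forum_login`, the 30-day lifetime and the function names are assumptions.

```python
from http.cookies import SimpleCookie
import secrets

REMEMBER_SECONDS = 30 * 24 * 3600  # assumed "remember me" lifetime (30 days)
COOKIE_NAME = "forum_login"        # hypothetical cookie name


def build_login_cookie(token: str, public_computer: bool) -> str:
    """Return the Set-Cookie header value issued after a successful login.

    public_computer=True  -> no Max-Age/Expires: cookie dies with the browser session.
    public_computer=False -> persistent cookie that survives a browser restart.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True      # keep the login token away from page scripts
    morsel["samesite"] = "Lax"
    if not public_computer:
        morsel["max-age"] = REMEMBER_SECONDS
    return morsel.OutputString()


def is_session_only(set_cookie_value: str) -> bool:
    """Check a Set-Cookie value the way a reviewer would: no lifetime attribute set."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_value)
    morsel = next(iter(parsed.values()))
    return not morsel["max-age"] and not morsel["expires"]


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)  # constructed sample token
    for public in (True, False):
        header = build_login_cookie(token, public_computer=public)
        print(f"public_computer={public}: Set-Cookie: {header}")
        print("  session-only:", is_session_only(header))
```

Browsers configured to restore the previous session on startup may keep session cookies across a restart, so a visible logout link is still worth having on shared machines.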