I observed that two student users can login to moodle from 2 different systems at the same time. Is it a feature or a bug? In that case, two or more people can attend the same exam and cheat. anyway to stop this?
Jack
There has been some discussion about this issue in the past. Try searching for multiple login (and then skip all of the posts that come up with large chunks of code or copy/pasted ldap settings )
Yes, this has been discussed to death but I can't find the right threads to link to. In short -- unfortunately, web applications cannot prevent multiple logins without breaking the whole web app for an important number of users.
Why? Because in real life, internet and lan traffic is pulled together and re-distributed and proxied a lot, using
Which is really ackward. But this isn't different from the problems you face when taking a non-computer-based exam. You will want examiners in the room monitoring. Otherwise, you can't prevent two people from working together at one computer... or piece of paper.
Similarly, when you hand out an assignment to be completed at home, neither paper nor computers can prevent students from getting together in the evening and solving it with good old team work.
Hope that helps! Rather than go without books, paper, blackboards and computers, I think we should erradicate students
Because in real life, internet and lan traffic is pulled together and re-distributed and proxied a lotI get your point... but anyway I can get sure that students can only use computers in a specific IP range, for example only IPs used by my university, and even be sure that no NAT, Proxies or load-balancing gets in my way.
But this isn't different from the problems you face when taking a non-computer-based exam. You will want examiners in the room monitoring. Otherwise, you can't prevent two people from working together at one computer... or piece of paper.But even in this case and even when having examiners in the room where students take the test I cannot be sure that there is noone getting help from another computer somewhere in our building that cannot be "seen" by the examiner.
You can restrict users to a single ip in config.php.
Look in config-dist.php for the line
// If this setting is set to true, then Moodle will track the IP of the
// current user to make sure it hasn't changed during a session. This
// will prevent the possibility of sessions being hijacked via XSS, but it
// may break things for users coming using proxies that change all the time,
// like AOL.
// $CFG->tracksessionip = true;
But even in this case and even when having examiners in the room where students take the test I cannot be sure that there is noone getting help from another computer somewhere in our building that cannot be "seen" by the examiner.
And Moodle cannot control that reliably either. For that kind of control, you want to talk with your network administrator. Ask about MAC addresses, managed switches to ensure MAC addresses match IP addresses, etc.
So it would be nice to have this feature so anyone who need it can turn it on.
The problem is that a lot of people "need" it, but you can only have some kind of control over this if you are in a tightly controlled LAN, with tightly controlled machines (kiosk mode, for instance, you don't want them to exchange notes via IM).
And then you still need examiners to walk around people and ensure they aren't passing bits of paper.
When i started this thread, i was not knowing that it's the start of such a long discussion. Though I'm not a programmer, I thought blocking simultaneous logging in is pretty simple as i it in many php applications.
it's surprising to know that people even think in the lines of allowing simultaneous log ins. Take a scenario-- i want to conduct an online exam for a few people. authentication is based on LDAP-Windows Active Directory. the particpants can give their login name to some friends outside the exam hall and both can login to the quiz and answer same set of questions. Shouldn't this be prevented ? (some may say, set a password for the quiz and give it to students just before the quiz starts. what about they r sms-ing that password to their friend )
what about the following suggestion?-- merge the mdl_user and mdl_sessions table. i.e. add a session key column to the user table. when a user logs in, a session key is intered into the column. if the same user logs in from some other machine, jsut updates the table with new session key which logs out the first one. is this too idiotic? I dont know which files of moodle are updating the sessions table.
Thanks
Jack
it's surprising to know that people even think in the lines of allowing simultaneous log ins.
We don't. The designers of the HTTP protocol made it a stateless protocol. And while we have some means to maintain state (aka session frameworks), the HTTP machinery does take advantage of the statelesness of the protocol.
what about the following suggestion?
Seems reasonable, but it is technically wrong. It will kind-of work for about 5% of the Moodle installs, and even in those cases it will be trivial to workaround. And it will take a lot of work to explain to the remaining 95% of the users why it doesn't work for them
Though I'm not a programmer, I thought blocking simultaneous logging in is pretty simple as i it in many php applications.
Oh, it's marvelously easy to do it wrong. You just have to spend a bit of time reading up on the HTTP protocol and the reasons why it is stateless to see that the server doesn't get much reliable info about the client, ever. And what seems to be many clients, it just one user coming via scattered proxies. And that very busy client is actually 12 users on a Terminal Server, or coming via a NAT box or a proxy.
NAT'ting and proxying are everywhere. You just don't realise because it works so well, and so transparently, that it disappers into the background. And it can only work like this because HTTP is stateless.
There should be a way to add 3 columns in the database, one for login one for the i.p. address and the other for logged out. There is a timestamp that can be put in the logged in column as well as the I.P. address. When a user logs out a time is put in the logged out column.
When a student logs in it makes sure that the logged out column has a timestamp in there, if it does then it allows them to log in, and changes the log in time stamp, as well as the I.P. address and deletes the previous logged out timestamp. If the logged out column is blank, a message appears that says that they are already logged in and doesn't allow them to go any further.
Not sure how to program this in moodle but I have done something like this on another program that I created.
Someone want to give it a try, I may when I get more free time.
Michael
Isn't there a way to have only a single user signed in at one time? I know that Lynda.com allows one user to log-in at a time and regardless of log-out - when a user signs in from a different location to the same account it kicks off the other user and requires them to log in again - which if they do, kicks off the other user. Perhaps something like this will circumvent the issue. Allowing users to log-in from different locations but automatically logging out any other users with the same credentials that are on at the same time?
Why?
If a user wants to sign in twice why shouldn't they? Just about all the bodges to prevent this are liable to be unreliable and prove frustrating for your users.
Some learning institutions are concerned about cheating. I was just making a suggestion to automatically log out other users with the same credentials on the system as a workaround to posting an error that says "Whoa you logged into with a different IP address.." Perhaps IP tracking is important to an admin but without the strange issues it creates for random users that forget to log out.
I've yet to be convinced (and this is after years of this coming up) that preventing multiple logins prevents cheating. Depends how you define cheating of course.
Howard I suspect it is to do with one of the people being signed in not being the person the credentials suggest they are. However you are correct about any bodge being unreliable and frustrating, which is why this fix is a rarity on the web.
Note about the word bodge, in Australia a job can be bodged and it can also be a bodgie job. In the UK a job can be bodged but it is never (normally) described as a bodgie job. English, what a language.
Meanwhile, in the States, I've never heard that word before!
....it means a carefully thought through, well planned and thoroughly tested solution to a problem