I observed that two student users can login to moodle from 2 different systems at the same time. Is it a feature or a bug? 
In that case, two or more people can attend the same exam and cheat. anyway to stop this?
Jack
any clue, plz?
Woh. Serious problem. A system check to make sure that a UID is mapped to AN IP address... I work in an area where academic honesty is a non-sequitor so this presents major problems if it gets out among my users. I hope my students haven't figured out that the same person can be logged in twice on different machines... HTTPS as the work around/solution? I often have multiple browswer windows open in moodle and I encourage my student to do the same but clearly a check is needed to make sure multiple instances of the login is on the same machine/IP.
This could be a major marketing flaw for Moodle as well. Schools/Universities might have trouble embracing Moodle for testing administration if Moodle can't gaurantee only one person can be taking a test at one time...
Dennis
This could be a major marketing flaw for Moodle as well. Schools/Universities might have trouble embracing Moodle for testing administration if Moodle can't gaurantee only one person can be taking a test at one time...
Dennis
In reply to Dennis Daniels
Re: Two users can log in from two machines at same time!
by Jan Dierckx -
There has been some discussion about this issue in the past. Try searching for multiple login (and then skip all of the posts that come up with large chunks of code or copy/pasted ldap settings )
In reply to Dennis Daniels
Re: Two users can log in from two machines at same time!
by Martín Langhoff -
Yes, this has been discussed to death but I can't find the right threads to link to. In short -- unfortunately, web applications cannot prevent multiple logins without breaking the whole web app for an important number of users.
Why? Because in real life, internet and lan traffic is pulled together and re-distributed and proxied a lot, using
- NAT - Network address translation. Many users appear to come from the same IP address.
- Proxies - again users appear to come from a single machine
- Load-balanced distributed proxies - a single user appears to come from many different IP addresses.
Which is really ackward. But this isn't different from the problems you face when taking a non-computer-based exam. You will want examiners in the room monitoring. Otherwise, you can't prevent two people from working together at one computer... or piece of paper.
Similarly, when you hand out an assignment to be completed at home, neither paper nor computers can prevent students from getting together in the evening and solving it with good old team work.
Hope that helps! Rather than go without books, paper, blackboards and computers, I think we should erradicate students
Hey Martin
Can I add bosses to that too
H
I think we should erradicate students 
Can I add bosses to that too
H
In reply to Martín Langhoff
Re: Two users can log in from two machines at same time!
by Dennis Daniels -
Even HTTPS? Wouldn't that be the fix, at least, for multiple IP addresses on the same login at the same time?
I get around cheating on quizzes by pulling from largish db of questions and have all quiz questions pulled randomly displayed in test...
dgd
I get around cheating on quizzes by pulling from largish db of questions and have all quiz questions pulled randomly displayed in test...
dgd
In reply to Dennis Daniels
Re: Two users can log in from two machines at same time!
by Martín Langhoff -
No, HTTPS doesn't fix it 
In reply to Martín Langhoff
Re: Two users can log in from two machines at same time!
by Felix Zimmerbeutel -
Hi!
So it would be nice to have this feature so anyone who need it can turn it on.
Because in real life, internet and lan traffic is pulled together and re-distributed and proxied a lotI get your point... but anyway I can get sure that students can only use computers in a specific IP range, for example only IPs used by my university, and even be sure that no NAT, Proxies or load-balancing gets in my way.
But this isn't different from the problems you face when taking a non-computer-based exam. You will want examiners in the room monitoring. Otherwise, you can't prevent two people from working together at one computer... or piece of paper.But even in this case and even when having examiners in the room where students take the test I cannot be sure that there is noone getting help from another computer somewhere in our building that cannot be "seen" by the examiner.
So it would be nice to have this feature so anyone who need it can turn it on.
In reply to Felix Zimmerbeutel
Re: Two users can log in from two machines at same time!
by mark white -
You can restrict users to a single ip in config.php.
Look in config-dist.php for the line
// If this setting is set to true, then Moodle will track the IP of the
// current user to make sure it hasn't changed during a session. This
// will prevent the possibility of sessions being hijacked via XSS, but it
// may break things for users coming using proxies that change all the time,
// like AOL.
// $CFG->tracksessionip = true;
In reply to mark white
Re: Two users can log in from two machines at same time!
by Martín Langhoff -
$CFG->tracksessionip does something else.
It restricts a single session from changing IP, and this is mostly a debugging tool for a strange problem that we think is a PHP bug. It does not stop a single user from having more than one session.
It restricts a single session from changing IP, and this is mostly a debugging tool for a strange problem that we think is a PHP bug. It does not stop a single user from having more than one session.
In reply to Felix Zimmerbeutel
Re: Two users can log in from two machines at same time!
by Ray Lawrence -
But even in this case and even when having examiners in the room where
students take the test I cannot be sure that there is noone getting
help from another computer somewhere in our building that cannot be
"seen" by the examiner.
Would it not help to set a password in the "Require password" field in Quiz settings to counteract this? The unseen person would not then be able to enter the quiz - provided one ensures that candidates are not able to communicated the password.
Would it not help to set a password in the "Require password" field in Quiz settings to counteract this? The unseen person would not then be able to enter the quiz - provided one ensures that candidates are not able to communicated the password.
In reply to Felix Zimmerbeutel
Re: Two users can log in from two machines at same time!
by Petr Skoda -
The problem with these features is that once it is in main CVS, we have to support it.
$CFG->customscripts should help developers a lot with customizations like this one.
skodak
$CFG->customscripts should help developers a lot with customizations like this one.
skodak
In reply to Felix Zimmerbeutel
Re: Two users can log in from two machines at same time!
by Martín Langhoff -
But even in this case and even when having examiners in the room where students take the test I cannot be sure that there is noone getting help from another computer somewhere in our building that cannot be "seen" by the examiner.
And Moodle cannot control that reliably either. For that kind of control, you want to talk with your network administrator. Ask about MAC addresses, managed switches to ensure MAC addresses match IP addresses, etc.
So it would be nice to have this feature so anyone who need it can turn it on.
The problem is that a lot of people "need" it, but you can only have some kind of control over this if you are in a tightly controlled LAN, with tightly controlled machines (kiosk mode, for instance, you don't want them to exchange notes via IM).
And then you still need examiners to walk around people and ensure they aren't passing bits of paper.
could code not be written that once a user is logged on they can not log in again until after they log out??? i know this causes a world of problems because most people dont follow procedure and actually log out... but it would prevent the problem of people logging the same name on twice. Show those pesky non-procedure following people...
I mean they did it with AOL it always annoyed the crap out of me when i was at my buddy's house and tried to get on and some one else was on at my house with there screen name so it wouldn't let me on.
CSW3
I mean they did it with AOL it always annoyed the crap out of me when i was at my buddy's house and tried to get on and some one else was on at my house with there screen name so it wouldn't let me on.
CSW3
When i started this thread, i was not knowing that it's the start of such a long discussion. Though I'm not a programmer, I thought blocking simultaneous logging in is pretty simple as i it in many php applications.
it's surprising to know that people even think in the lines of allowing simultaneous log ins. Take a scenario-- i want to conduct an online exam for a few people. authentication is based on LDAP-Windows Active Directory. the particpants can give their login name to some friends outside the exam hall and both can login to the quiz and answer same set of questions. Shouldn't this be prevented ? (some may say, set a password for the quiz and give it to students just before the quiz starts. what about they r sms-ing that password to their friend )
what about the following suggestion?-- merge the mdl_user and mdl_sessions table. i.e. add a session key column to the user table. when a user logs in, a session key is intered into the column. if the same user logs in from some other machine, jsut updates the table with new session key which logs out the first one. is this too idiotic? I dont know which files of moodle are updating the sessions table.
Thanks
Jack
LDAP-Windows Active Directory provides an option to prevent multiple logins.
Hi,
Jack commented:
the particpants can give their login name to some friends outside the exam hall and both can login to the quiz and answer same set of questions. Shouldn't this be prevented ? (some may say, set a password for the quiz and give it to students just before the quiz starts. what about they r sms-ing that password to their friend
)
I'm not a programmer either, but this seems to be problematic to solve using programming means. If the environment in which candidates are taking examinations is one where they have the opportunity to send sms messages then (IMO) the issue is with the invigilation rather than Moodle (or any other electronic or paper means of delivering the test).
Jack commented:
the particpants can give their login name to some friends outside the exam hall and both can login to the quiz and answer same set of questions. Shouldn't this be prevented ? (some may say, set a password for the quiz and give it to students just before the quiz starts. what about they r sms-ing that password to their friend
)I'm not a programmer either, but this seems to be problematic to solve using programming means. If the environment in which candidates are taking examinations is one where they have the opportunity to send sms messages then (IMO) the issue is with the invigilation rather than Moodle (or any other electronic or paper means of delivering the test).
In reply to Ray Lawrence
Re: Two users can log in from two machines at same time!
by Charlie Wilson -
I"m a programmer with out the time to figure our php right now, so i personally couldn't do it, but... A lot of people dont understand what it take them three sentences to describe can take thousands of lines of code and HOURSSSSSS to create in a program. Just something to keep in mind.
In reply to Jack Eapen
Re: Two users can log in from two machines at same time!
by Martín Langhoff -
it's surprising to know that people even think in the lines of allowing simultaneous log ins.
We don't. The designers of the HTTP protocol made it a stateless protocol. And while we have some means to maintain state (aka session frameworks), the HTTP machinery does take advantage of the statelesness of the protocol.
what about the following suggestion?
Seems reasonable, but it is technically wrong. It will kind-of work for about 5% of the Moodle installs, and even in those cases it will be trivial to workaround. And it will take a lot of work to explain to the remaining 95% of the users why it doesn't work for them
Though I'm not a programmer, I thought blocking simultaneous logging in is pretty simple as i it in many php applications.
Oh, it's marvelously easy to do it wrong. You just have to spend a bit of time reading up on the HTTP protocol and the reasons why it is stateless to see that the server doesn't get much reliable info about the client, ever. And what seems to be many clients, it just one user coming via scattered proxies. And that very busy client is actually 12 users on a Terminal Server, or coming via a NAT box or a proxy.
NAT'ting and proxying are everywhere. You just don't realise because it works so well, and so transparently, that it disappers into the background. And it can only work like this because HTTP is stateless.
In reply to Jack Eapen
Re: Two users can log in from two machines at same time!
by Samuli Karevaara -
"...particpants can give their login name to some friends outside the exam
hall and both can login to the quiz
and answer same set of questions. Shouldn't this be prevented ? ...set a password for the quiz and give it to students just
before the quiz starts. what about they r sms-ing that password to
their friend"
The use of phones and messaging should be disallowed during the exams for other reasons also. And if they are using the computers to communicate during the exam, they they can quite easily copypaste the questions to the other guy, who is not logged in at all. He then also googles for the answers and IM's them back? Thus, messaging via the net should be prevented, inside and outside of Moodle.
The "prevent simultaneous logins" feature might also have annoying side-effects, such as that they forget to log out. Then logging in again from another machine / with another IP says "you are already logged in". Then they have to wait for the other session to time out etc.
The use of phones and messaging should be disallowed during the exams for other reasons also. And if they are using the computers to communicate during the exam, they they can quite easily copypaste the questions to the other guy, who is not logged in at all. He then also googles for the answers and IM's them back? Thus, messaging via the net should be prevented, inside and outside of Moodle.
The "prevent simultaneous logins" feature might also have annoying side-effects, such as that they forget to log out. Then logging in again from another machine / with another IP says "you are already logged in". Then they have to wait for the other session to time out etc.
There should be a way to add 3 columns in the database, one for login one for the i.p. address and the other for logged out. There is a timestamp that can be put in the logged in column as well as the I.P. address. When a user logs out a time is put in the logged out column.
When a student logs in it makes sure that the logged out column has a timestamp in there, if it does then it allows them to log in, and changes the log in time stamp, as well as the I.P. address and deletes the previous logged out timestamp. If the logged out column is blank, a message appears that says that they are already logged in and doesn't allow them to go any further.
Not sure how to program this in moodle but I have done something like this on another program that I created.
Someone want to give it a try, I may when I get more free time.
Michael
Isn't there a way to have only a single user signed in at one time? I know that Lynda.com allows one user to log-in at a time and regardless of log-out - when a user signs in from a different location to the same account it kicks off the other user and requires them to log in again - which if they do, kicks off the other user. Perhaps something like this will circumvent the issue. Allowing users to log-in from different locations but automatically logging out any other users with the same credentials that are on at the same time?
Why?
If a user wants to sign in twice why shouldn't they? Just about all the bodges to prevent this are liable to be unreliable and prove frustrating for your users.
Some learning institutions are concerned about cheating. I was just making a suggestion to automatically log out other users with the same credentials on the system as a workaround to posting an error that says "Whoa you logged into with a different IP address.." Perhaps IP tracking is important to an admin but without the strange issues it creates for random users that forget to log out.
I've yet to be convinced (and this is after years of this coming up) that preventing multiple logins prevents cheating. Depends how you define cheating of course.
In reply to Howard Miller
Re: Two users can log in from two machines at same time!
by Marcus Green -
Howard I suspect it is to do with one of the people being signed in not being the person the credentials suggest they are. However you are correct about any bodge being unreliable and frustrating, which is why this fix is a rarity on the web.
Note about the word bodge, in Australia a job can be bodged and it can also be a bodgie job. In the UK a job can be bodged but it is never (normally) described as a bodgie job. English, what a language.
In reply to Marcus Green
Re: Two users can log in from two machines at same time!
by Christian Herman -
Meanwhile, in the States, I've never heard that word before!
In reply to Christian Herman
Re: Two users can log in from two machines at same time!
by Howard Miller -
....it means a carefully thought through, well planned and thoroughly tested solution to a problem