I'm not even sure that this is a sensible question. However, is it possible to detect programatically if some arbitrary Moodle user has an active session? That is identifying a user who has logged in but not logged out.
The step2 to this is can the session be tampered with to 'force' people to log out.
What I want to do is to check for users that have not logged out (on some criteria) and force them to logged out.
I haven't really thought this out, but that's the general idea.
The user table does hold the two fields "lastaccess" and "currentlogin". Correct me if I'm wrong but as I understand it the lastaccess field is updated each time the user requests another page (not updated on input/typing) and the currentlogin is only updated when the user actually logs in.
You can't really use these alone as a user could be working for some time on inputing data, upon submitting the info it would be criminal to return the login page and the user would have lost all that work (unless in firefox).
You can't even use a JavaScript setInterval check as I first thought you could read the page text and check it against the last text read and update a none change value. upon no changes log them out, but what if they are researching or reading a book for references whilst half way through writing a document to submit.
Can I ask why you want to force a log out or under what condition?
There may be a way depending on what condition.
How about generally looking up the current sessions? Is there any way to find the session based on the user_id or vice versa? If you could get to the session data then you could use something in that data as an indicator maybe.
Also, isn't it a general best practice to put keepalives on all edit pages? (not that this means it is done but maybe it is worth looking at?)
Also, isn't it a general best practice to put keepalives on all edit pages? (not that this means it is done but maybe it is worth looking at?)
Well it's the old "I don't want two users using the same account at the same time". I've never been very happy with the solutions offered in the past and I'm just casting around for any other possibilities.
I guess I was wondering if it was possible to say "does user x have a current session and can I read the contents of that session?". Sounds like exactly the sort of thing that would not be permitted by PHP
I guess I was wondering if it was possible to say "does user x have a current session and can I read the contents of that session?". Sounds like exactly the sort of thing that would not be permitted by PHP
I think this would be best implemented as a block that is hidden as it would need another table adding for when the user logs in, it could then be turned on and off for when admin wish to login as a user too, although there is a feature for this already but i'm not sure what interactions are involved so i'd add another table, I'm sure it can be done within Moodle but right now it's more a matter of finding the time to do it as I'm not the fastest coder.
Here is my basic idea:
The table would need just 2 fields userid and authval.
When the user logs in it would look for a record in the table for the userid. If it finds a record it would update the authval with a new random number, if no record found it would insert one
The block would then call a function that would check the $_SESSION['authval'] against the table to see if it is correct. If not, kill the session.
Thats it really.
If I get some free time then I may look at putting it together if there is a demand.
You can see all session data by calling the function: print_object($_SESSION);
I've found the print_object function is your friend in Moodle
Yep. I was thinking about something similar.
I have not fully thought it out but I have an idea that I would also include a time stamp to cover the possibility of a user "walking away". If there is an entry in the table but it is old (more than 30 minutes say) then allow the login anyway.
Would also need to think about some hooks in other places to make sure the entry is removed when a user logs out. Maybe a cron based cleanup too.
I had also though about implementing this as a block. I like blocks
It would be even cooler to implement as an authentication plugin as there are hooks for a lot of the needed functions but there are issues too - mainly the users won't have the correct auth type 
Still thinking!!
I have not fully thought it out but I have an idea that I would also include a time stamp to cover the possibility of a user "walking away". If there is an entry in the table but it is old (more than 30 minutes say) then allow the login anyway.
Would also need to think about some hooks in other places to make sure the entry is removed when a user logs out. Maybe a cron based cleanup too.
I had also though about implementing this as a block. I like blocks
Still thinking!!
The timestamp is already in the user table so the block can access that already. It would just duplicate data as far as I know.
A nice point of blocks is they can be site wide or just set to pages that you want to prevent two users accessing at the same time under one account.
You have raised a very good point with regards to authentication from external locations/pluging like mnet and oAuth and there must be many more I know nothing about, however, once logged in I guess the "lastaccess" field would update when the first page is loaded for the user coming in externally.
hmm. Its a good puzzle. I don't understand why you would want to log them out after a time though, or are you after saving resourses? If another user logs in on the same account then the previous users session would be killed anyway. You would just need the userid and the current auth value stored in the session. Hope that makes sense.