Moodle in English: code to prevent multiple login with same ID is here !

I've had trouble with users login in with the same UserID and password. To prevent this, we have made some code {attached} which needs to be tested. It seems to work for me on 1.5.2+, only on MySQL.

What is done in the code is :

1. Create a new database field which stores the session key of a logged in user.

2. If another user logs in with same UserID, the session key is overwritten with the new Sessionkey.

3. This will logout the first user the moment he clicks into another link.

I understand there are flaws in this logic. If users keep login in again and again, each user gets logged out the moment another logs in. The idea is, the actual user should change his password when he sees this happening.

This ensures that only one user is logged in with one userID at one time.

I need help on the following :

1. I have no installation of Postgres to test this on, if someone could do this and post the edited code, it will help other users who need this.

2. If anyone has better ideas, suggestions or can improve the code, it would be great !

readme.txt

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by allen tseng - Thursday, 23 February 2006, 6:30 PM

Hi there,

We have try it on 1.5.3+, but not work. Will this patch still work on 1.5.3+ ??

thanks in advance,
Allen

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Nandini Biradar - Monday, 9 March 2009, 3:04 PM

We are using a moodle to deliver educational courses on internet , we are using moodle 1.7.1 , in this version multiple user can access the course by single userid , is it possible to restrict one login by one userid.

i was achive with session id but i got bug at browser closing,if user close browser directly then user are not able to loging again bz session id remail as it is in database. that destroy only on logout button.

so plz any body else know sagess me,This feature is very important for us. If this is possible please explain me how to do it .

Thanks in advance.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Mike Worth - Monday, 9 March 2009, 6:10 PM

How about checking for activity within the timeout period? Say it's set to 1hr then, even if the user didn't logout, if they haven't done anything in the past hour then they will timeout anyway so assume they've logged out.

Mike

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by selva kumar - Sunday, 29 March 2009, 12:32 AM

i also have the same problem.. if u found the solution please explain me how to do it.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Tim Hunt - Thursday, 23 February 2006, 7:51 PM

I don't understand why it is a problem if one user has two simultaneous sessions. Could you explain please?

Thanks,

Tim.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Iñaki Arenaza - Saturday, 25 February 2006, 5:26 AM

I guess the problem shows when you charge for your courses, and someone pays for one access account, but lots of users use it simultaneously.

Saludos. Iñaki.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Anil Sharma - Saturday, 25 February 2006, 3:33 PM

thats one of the problems. There are other problems :

1. Students share their accounts and ask someone else to do their homework / assignments even while they are using the system from somewhere else with the same ID

2. sometimes passwords get leaked. while a student is logged into chat, another student logs in with the same account. now both are chatting at the same time with one ID, one writes good things the other writes crap, both appear from the same userID !!

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Michael Penney - Saturday, 25 February 2006, 9:20 PM

On the other hand, it is great for testing things on different browsers while developing new features.

The problem I can see with this is that the system doesn't really 'know' which user name is which. In your scenario, good student gets logged out when bad student logs in. If bad student keeps doing this, how does good student change their password? If bad student does it during an exam, it's very bad for good student.

How about a password expiration feature, that would make all users change their password every X times (or hmmm, an option to forces users who have logged in from two different machines to change their password on next login)?

Password expiration can also be accomplished using an external password management system like LDAP.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Jonathan Moore - Sunday, 26 February 2006, 1:46 AM

The other problem I see with this solution is it doesn't seem to address the real problem which is that the students are purposefully sharing their passwords. This can still happen and to the benefit of the students involved. There sounds like there are two classes of problems here.

1) Students giving out their account info inorder to cheat.

2) Students whose passwords have been compromised probably due to carelessness and other users making innapropriate comments with said compromised account.

To deal with #1, my suggestion is to develop a way to analyize your logs to find multiple instances of a user login along with IP. It seems you have already done at least part of this.

Another analyses should give you a list of user logins from a give IP. The offending user will probably have logins from both the illegal account and their true account. This would give you a way to identify both students involved in a cheating arrangement for appropriate punishment.

Or if you host the computers you can use the IP and time stamp to find out which student was actually using the account at a give time.

Our district's policy is that you are responsible for what happens with your account. IE make the student responsible to keeping their login private. This would give you an easy enforcement mechanism. We include this in the AUP that students sign.

For #2 you can just use good password rotation and selection policies such as Michael mentioned.

Finally I heard from someone about a modification to moodle that randomly asked the student a series of personal questions from a database. Things like mother's name, favorite color, address, so one. I believe these were used specifically to lock down quizes and tests. If I remember correctly this was something that Mike Churchward put together.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Michael Penney - Sunday, 26 February 2006, 2:39 AM

Finally I heard from someone about a modification to moodle that randomly asked the student a series of personal questions from a database. Things like mother's name, favorite color, address, so one. I believe these were used specifically to lock down quizes and tests. If I remember correctly this was something that Mike Churchward put together.

Mike may have also, but we (mostly Mark Nielson) did this for a client for the lesson module, though it is not a standard component.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Martín Langhoff - Wednesday, 10 September 2008, 8:16 AM

For #2 Gmail has recently implemented a nice subtle warning and a tool to help you regain control of your acct if you sense trouble.

Look at the bottom of any gmail page while you're logged in. The "Last account activity..." bit of info, and the "details" page. If you login from several machines at the same time, it shows that too.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Damir Nemcanin - Friday, 22 January 2010, 10:54 PM

One user can start quiz from one computer and another personcan login with same username and continue that quiz. If they have same IP wecan't prevent cheating, because log file show user with same IP, and will notshow second login.

They can have same IP if the whole school has one public IPand moodle server is on another IP.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by S. Lupo - Friday, 24 February 2006, 12:08 AM

Hi,
I did it much shorter. Just 2 lines of code wink

Add the following line to 'login/index.php' after line number 125:

set_field('user', 'sessionid',session_id(), 'username', $USER->username);

and replace the first if-statement in the function 'require_login' in 'lib/moodlelib.php' with the following statement:

if (! (isset($USER->loggedin) and $USER->confirmed and ($USER->site == $CFG->wwwroot) and session_id() == get_field('user','sessionid','id',$USER->id) ) ) { // They're not

Finally execute this query to add a new column in the user table (MySQL)

ALTER TABLE `mdl_user` ADD `sessionid` VARCHAR( 50 );

It works perfect for me.
regards
   Lupo

Average of ratings: Useful (2)

Vast: Re: code to prevent multiple login with same ID is here !

by Tomi Räsänen - Tuesday, 22 January 2008, 9:26 PM

Is this the current solution to this problem? Or is there a another way to do this? Like implemeted in Moodle 1.8.3?

I am asking this because this article was datet 24th of Feb, 2006.

BR

-Tomi

Average of ratings: -

Re: Vast: Re: code to prevent multiple login with same ID is here !

by Pedro Guevara - Friday, 29 February 2008, 12:51 AM

Hi Tomi:
Have you tested the "old" solution in Moodle 1.8*
Does it work?

Thanks

Pedro

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Pedro Guevara - Friday, 29 February 2008, 12:52 AM

Hi Lupo:
On what Moodle version have you tested your solution?

Thanks
Pedro

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Swagata Paul - Wednesday, 28 May 2008, 4:15 PM

hi,

I have try it on 1.8.4+,but not work. Please help me?

Thanks

Elias

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by josephine yee - Tuesday, 9 September 2008, 3:32 PM

Hi This doesn't work also in 1.9+...

The sessionid in the database is updated...but the login screen wouldn't even login...

Do you have the updated codes for 1.9+?

Thanks.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Michael | - Friday, 12 September 2008, 12:19 AM

I was able to get this to work, still testing though but is looking good.

I added the set_field code mentioned above to login/index.php right after "if (empty($errormsg)) {" on row 141.

In the moodlelib.php, instead of the above if statement, I modified the existing one from:

if (!isloggedin())

to:

if (!isloggedin() || session_id() != get_field('user','sessionid','id',$USER->id)) {

I still testing but so far so good.

M=

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Michael | - Saturday, 20 September 2008, 4:49 AM

I also added this to moodlelib.php require_logout() right after the first if statement ( if (isloggedin()) {):
set_field('user', 'sessionid',null, 'id', $USER->id);

I also changed the code on the login/index a little.
I add this right after the update_login_count(); and before the "if($user)"

if( get_field('user','sessionid','id',$user->id) != null)
{

//then the user is already logged in so cannot log in
$errormsg = "This username is already logged in the system!";
$user = null;
$USER = null;

}

Added this line right after if ($user) {:

set_field('user', 'sessionid',session_id(), 'id', $user->id);

So far so good.
M=

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Kreso Vargec - Thursday, 2 October 2008, 4:49 AM

well, i did it all, but no results.
your code is working if users properly logout from moodle. if not, then they cannot login again

previous code is not working if user logs from another browser. i'm talking about moodle 1.9+
i'm trying with extra cookie ( until the end of the session ), and it is working ok, but not in all occasions.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Agam Nag - Monday, 11 October 2010, 5:04 PM

Hi Mike;

The solution works partially as in my case, the 'sessionid' does not get cleared by set_field('user', 'sessionid',null, 'id', $USER->id); when the user logs out.

Once it stores the sessionid, it remains there.

Thanks

AN.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Gaurav Bansal - Monday, 21 September 2009, 10:23 PM

The solution does not handle the scenario where the user directly closes the browser window without clicking on logout link.

Is there any mechanism to handle the callback when the user closes the browser window, such that value of sessionid column could be reset.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Clancy Hood - Sunday, 2 September 2012, 7:19 PM

In Moodle 2.3+, I managed with the following:

SQL:

ALTER TABLE `mdl_user` ADD `dbsesid` VARCHAR( 50 ) NOT NULL AFTER `auth`

Then, in lib/moodlelib.php, 3 edits.

In function complete_user_login, add the global $DB, then after the if statement `if (isguestuser())` and before plugin auth:

$DB->set_field('user', 'dbsesid', session_id(), array('username' => $USER->username));

In function require_login, just before existing if statement `if(!isloggedin())`, add the following :

if(isloggedin()){ $db_ses_id = $DB->get_field('user','dbsesid', array('id'=>$USER->id)); $my_ses_id = session_id(); $logged_in = (!empty($db_ses_id) && ($db_ses_id == $my_ses_id)); $multi_login = !$logged_in; }else{ $logged_in = $multi_login = false; } // then replace func call isloggedin() with var $isloggedin in if statement that follows if (!$logged_in) { ...

Finally, in the 'else' block within the if statement, just before the 'redirect(get_login_url());'

if($multi_login) require_logout();

Effect is that any second user logged in with same credentials as another will log out the first. As soon as the first navigates to a new page they find themselves at the login screen.

P.S. I have not tested the effect this has on guest access since we don't use it. I think it should still work tho

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Swagata Paul - Thursday, 29 May 2008, 3:22 PM

I have tested readme.txt file on 1.8.4 + but it does not work??

Thanks

Elias

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Rick Bianchi - Monday, 15 September 2008, 5:22 PM

Is this work for moodle 1.9+ ??
Thanks

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Hemant Karandikar - Monday, 15 September 2008, 7:40 PM

Sorry didn't mention that.

Yes it is Moodle 1.9 + (Build: 20080311)

Thanks

Hemant

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Kreso Vargec - Saturday, 20 September 2008, 5:07 PM

it's not working!
for example, students can have 2 different browsers, so there is 2 different session id's .
you can add a flag to user table, but then you must force people to log out ( clear the flag ).
It looks like there is no way to prevent cheating ( but still working on it )

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Michael | - Saturday, 20 September 2008, 9:50 PM

This is working for me. Different browsers and/or even different computers, it will only allow one user per username.

Did you modify the user database table to add the sessionid field?

M=

Average of ratings: -

回應: Re: code to prevent multiple login with same ID is here !

by jeff chang - Monday, 23 March 2009, 2:10 PM

multiple login looks not just a problem, it almost a bug in the system, really wish can see the new version have a building option for this

Average of ratings: -

Re: 回應: Re: code to prevent multiple login with same ID is here !

by Bryan McCrae - Wednesday, 2 September 2009, 11:20 PM

I'm new to Moodle so please forgive large amounts of ignorance here....but is there an answer to preventing multiple people from sharing one user Id and password ? Were offering a paid to use course and need to prevent this.
Is the answer cookies, session-ids, ip-addresses or a simple configutaion option ?
Is it coming in Moodle 2 ?

Thanks

Bryan

Average of ratings: -

Re: 回應: Re: code to prevent multiple login with same ID is here !

by Marco Filippetti - Tuesday, 15 December 2009, 9:13 PM

Guys, I have the same problem as Bryan's. We are offering a paid online course, and if multiple users can login using the same ID / Password, we are loosing money. There has to be an easy and functional way to prevent this to happen, or Moodle simply can't be used to offer paid courses.

Is there a feasible way to implement this, at all?

Many tks!!

Marco.

Average of ratings: -

Re: 回應: Re: code to prevent multiple login with same ID is here !

by Stuart Buck - Wednesday, 16 December 2009, 12:27 AM

I've not experimented much with the authentication login in Moodle but I have stopped multiple same account sessions before in many systems.

I add a field to the user account to store the current auth_value, this is a random number from 9999 to 999999. When a user logs in this is set in the db as well as a $_session['auth_var'].

Each page that calls "login check" checks the value in the db against the value in the session and if different it kills the session logging the user out with a header redirect and exit(0);

The next time a user logs in the value is reset and with it the session auth number.

I've not experienced any issues with this method before as it does not care about ip/mac or isp location that many systems get overly complicated with as many rogue users try proxie servers to hide thier ip. It just sets the value on every login and checks for it as and when required that the two values match.

It won't fix the problem when a good user gets logged out from a rogue user jumping in but it should highlight the problem to the genuine user if they keep being logged out. This could be easily expanded to log the time and ip the user last logged in by and if within a short time log it in a problem account table to send an email or inform the admin in some way.

just a thought.

Average of ratings: -

Re: 回應: Re: code to prevent multiple login with same ID is here !

by Marco Filippetti - Wednesday, 16 December 2009, 3:03 AM

Stuart, this sounds interesting... but to be honest, I don't know even where to start to implement something like this

Can anyone help with Stuart's idea?

Tks a lot Stuart!

Marco.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Vicki Dunnam - Saturday, 30 January 2010, 12:05 AM

I am checking to see if this has been fixed. I read through your discussion but got lost on all the revisions to the code.

Can you tell me if you can prevent students from logging into Moodle more than once with same ID. I have found that students will login to Moodle and open course with notes and then login again to take a test and can switch back and forth while taking a test for answers from notes.

If there is some code that needs to be changed, can you please send them to me and the files that need to be changed? We are currently using Moodle version 1.9.7+.

Thank you. my email is dunnam.vicki@mcm.edu

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Howard Miller - Saturday, 30 January 2010, 12:11 AM

Even though this is all a very, very bad idea to start with, none of the solutions suggested will help you at all.

Unless of course you mean that they log in with two different computers side by side but I think you might notice somebody doing that

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Genner Cerna - Wednesday, 10 March 2010, 11:13 PM

facebook has this kind of security feature...

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Damir Nemcanin - Thursday, 11 March 2010, 4:47 AM

They can log from the same computer with two different browser

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Stuart Buck - Thursday, 11 March 2010, 5:14 PM

It just needs a login id stamp as I explained above, that way each login will kill the original session (if it exists) as the new login id stamp will be different.

There is no way to hold the session for one user, you can only end the original login either on a timeout from the server or a new login from the user, the server does not know if the user just closed the browser and logged in with a new one. There has to be some persistence for a unique login.

@Howard, can you explain a little more why this would be a bad idea, I'd appreciate more info as I'm no expert in this area but have had plenty of success with it on previous script based systems, but I may be missing something.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Amy Dominick - Tuesday, 29 June 2010, 12:44 PM

I found this very useful: http://moodle.org/mod/forum/discuss.php?d=22401

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Clarence Prudhoe - Friday, 16 July 2010, 12:24 PM

I developed a solution for the problem of simultaneous users using the same username and password.

I have a version that works with Moodle 1.9.9 (I have not tested it in other versions).

I have another version that works with Moodle 2.0 Preview 4+ (Build: 20100715). It hope it will continue to work with future versions of Moodle 2.0.

The code and instructions for both 1.9.0 and 2.0+ are in the attached .zip file.

This solution does not require the double login like other solutions I have tried. It is however a refinement of the code suggested in these forums and I want to thank those of you who have contributed these solutions.

Please try this solution and let me know if you find problems or you have suggestions about how to improve the script.

Clarence
www.MusAPP.com

block-simuntaneous-users.zip

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Emanuel Delgado - Monday, 11 October 2010, 6:16 PM

Hello,

We developed an authentication plugin to overcome this issue. I will leave the link here:

http://moodle.org/mod/data/view.php?d=13&rid=4060

Hope this helps.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Agam Nag - Monday, 11 October 2010, 7:20 PM

Hello:

I have tried Emanuel's plugin and it works flawlessly! It solves the multiple login problem being discussed in several forums.

AN.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Arthur Moreira - Thursday, 28 October 2010, 3:00 AM

o plugin uniquelogin nao funcionou para 1.9.4

alguem tem alguma dica para esta versao.

quero saber se a alteracao do banco de dados

e dos arquivos php config.php e moodlelib.php funcionam para 1.9.4

o painel fantastico do cpanel oferece a opção de atualização para versão 1.9.9

é seguro atualizar pelo fantastico ou precisa fazer um backup pra restaurar depois?

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Emanuel Delgado - Thursday, 28 October 2010, 4:32 PM

Hello Arthur,

Can you give more feedback about what prevent you from using uniquelogin plug-in in moodle 1.9.4.?

Have you set sessions to use database?

This information is valuable for us to be able to make our plug-in as good as possible for the community.

That said, I recommend moodle update to the latest version.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Arthur Moreira - Thursday, 28 October 2010, 7:35 PM

Hi. yes, i set the session to use database correctly.

but the user log in one computer, access the material and videos

and in another computer the same user log in too and access the materials and videos normal...

But, the update over the fantastico painel is ricght or i will make the backup and restore?

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Emanuel Delgado - Thursday, 28 October 2010, 8:57 PM

Hello,

I have no experience with Fantastico but in any scenario I always recommend a full backup of Moodle: moodle folder, moodledata folder and database.

More on this in http://docs.moodle.org/en/Site_backup

Let me know if the plug-in works after the update.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Arthur Moreira - Thursday, 28 October 2010, 10:02 PM

Oi Emanuel

acho que podemos falar em portugues mesmo. ;)

fica mais fácil.

outra coisa.

ví umas alterações que podem ser feitas no banco de dados

e em arquivos php (config.php e moodlelib.php)

vc acha que é realmente precisa fazer essas alterações ou melhor atualizar para 1.9.9 e testar o plugin mesmo.

outra duvida.

estou inserindo o aluno no curso através da opcão de definir funçoes localmente.

acrescento o aluno cadastrado manualmente no grupo students das opções de cada curso.

não consigo criar grupos separados tipo turmas.

nem consegui ainda exibir um forum para trabalhar questoes entre professores e alunos, o forum é como um plugin ou modulo adicional?

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Emanuel Delgado - Thursday, 28 October 2010, 11:32 PM

Olá Arthur,

Por uma questão de netiqueta, nestes fóruns falamos em inglês, se quiser podemos passar a o fórum em português (http://moodle.org/mod/forum/view.php?id=957). Se quiser, crie uma entrada nesse fórum que eu depois respondo.

É melhor fazer uma actualização mesmo.

Tem que usar a funcionalidade grupos que existe na configuração da disciplina e na consola de administração.

Active o modo de edição da disciplina e use o seleccionar um actividade para criar um fórum.

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Arthur Moreira - Tuesday, 9 November 2010, 1:28 AM

Ainda nao consegui

instalei a versao 1.9.9 e mesmo assim o plugin uniquelogin não funcionou

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Isaac Savage - Thursday, 27 September 2012, 10:49 PM

How do you install it? Please tell me what directory to place it in, and how to set it up.

Thanks!

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Chetan Sharma - Wednesday, 2 July 2014, 8:16 PM

Hi Clarence,

Your code works fine when using My SQL Database but when i used MS SQL Database it gives error.

Can you help ?

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Steve Ambro v3.8 - Wednesday, 2 July 2014, 9:45 PM

I would like to test this too.
Is it applied to students only or does it restrict all logins?

Average of ratings: -

Re: code to prevent multiple login with same ID is here !

by Marcus Green - Wednesday, 2 July 2014, 11:41 PM

"it gives error"?

Average of ratings: -