Restrict Multiple Logins with same User Id/Email with Session driver as files

Well Laravel doesn't offer this out of the box. If you want to build something like this you will have to do it yourself.

Anyway, the concept should be easy right. You need some way to track the current logged in users by there session.

I think the file session is the least useful here, because you can't see from the file which user it is. You would have to read all the files to determine that. However a database or Redis session can be changed so you can attach a user ID to it.

What have you tried so far? I don't have code ready for this, but maybe we can work out something together!

You won't be able to stop the user opening another tab using the same session. You don't say your use case so this may be unacceptable.

It should be possible to save the user's current IP and prevent them from starting another session from a different IP.

It would be very annoying though. Can you imagine working on this forum at home for instance then getting to the office and being told I could not log in unless I logout on my other session, or I wait for 2 hours?

Thanks for your reply @Snapey , @bobbybouwmann

Here my requirement is, user should not be able to login in different browser or in different system not in the same browser session.

For that I m thinking of keep a bit in users table, at the time of login, I will update that bit as logged in, and at the time of logout, I will reset that bit. If user not logged off properly how to reset bit for that user? (anyway I would give the list of logged in users for admin to update the bits). Is there any way to find the users with no activity for 2 hrs?

Thanks

You cannot do anything based on logout as the user can just close their device and walk away.

You don't need to do anything after 2 hours, you can wait to check when they next login.

You will though, need to record that their session is alive each time they interact with the site by updating a last access value in, say, the users table.

If they logout then clear this from the user's table.

If they try to login and it is less than 2 hours since they last used the site, then they should really have a session still, so if they are needing to login then they are on a different device.

2 hours should match whatever you set for the session length.

This will be complex to get right so be prepared for complaints from users that cannot login for some reason.

@Prabhakar Well you can use an API on that frontend that will send a call every 5 minutes to the backend to tell that it's still online. If there is no response after 5 minutes you know the user is logged out or at least the tab isn't open anymore. However this might not be user friendly ;)

do you create a solution for this? im looking for something to do this, to avoid logging twice with same credentials

it is also possible only use of laravel session key and token but one problem with laravel session key user must be page refresh then after logout not without page refresh. so, here we are also use google firebase and done prevent block multi login in laravel application.