How to limit user to login only once per session


How can I use code to limit users from sharing their IDs and passwords and logging in multiple times? What I want to do is not allow the user to log in multiple times at the same time.


asked Sep 3, 2014 at 17:00 by user59167

7 Answers

This will log a user out of all other sessions before logging in, essentially ensuring that a user will only be allowed one session at a time.

// Priority 25 runs after core has verified the password (priority 20) and
// before cookie-based authentication (priority 30), so $user is a WP_User
// here only when a credential login actually succeeded.
add_filter( 'authenticate', 'wpse_12282015_single_login_authenticate', 25, 3 );

function wpse_12282015_single_login_authenticate( $user, $username, $password ) {

    // Pass nulls and WP_Error objects straight through. Do not look the user
    // up by $username and return that object: anything returned as a WP_User
    // from this filter is treated as authenticated, password or not.
    if ( ! $user instanceof WP_User ) {
        return $user;
    }

    // check for admins: admin can log in more than once
    if ( in_array( 'administrator', (array) $user->roles, true ) ) {
        return $user;
    }

    // get all sessions for user and destroy everything, since the session
    // for this login is created right after this filter returns
    $sessions = WP_Session_Tokens::get_instance( $user->ID );
    $sessions->destroy_all();

    return $user;
}
// Same logic as the "Log Out Everywhere Else" handler on the profile screen:
// keep the current session when $user is the logged-in user, otherwise (an
// administrator acting on someone else's account) destroy every session.
function wpse_logout_user_everywhere( WP_User $user ) {
    $sessions = WP_Session_Tokens::get_instance( $user->ID );

    if ( $user->ID === get_current_user_id() ) {
        $sessions->destroy_others( wp_get_session_token() );
        $message = __( 'You are now logged out everywhere else.' );
    } else {
        $sessions->destroy_all();
        /* translators: %s: User's display name. */
        $message = sprintf( __( '%s has been logged out.' ), $user->display_name );
    }

    return $message;
}

Other answers don't give enough context about when to use a function like wp_destroy_all_sessions() and the answer by jgraup allows logging in without a password.

I wanted to kill all other user sessions besides the latest one (current), and only for non-admins.

// Only allow one user session at a time.
// wp_login hands us the WP_User that just logged in; use it instead of
// get_current_user_id(), which at this point is still derived from the
// cookies the request arrived with, not the cookie that was just set.
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( user_can( $user, 'administrator' ) ) {
        return;
    }

    // Destroy other user sessions.
    $userId   = $user->ID;
    $sessions = get_user_meta( $userId, 'session_tokens', true ); // The array of session tokens for this user, keyed by token hash.
    if ( ! is_array( $sessions ) || count( $sessions ) < 2 ) {
        return;                                                   // Nothing to trim.
    }
    $sessions = array_slice( $sessions, -1, 1, true );            // Keep only the last (newest) session, preserving its key.
    update_user_meta( $userId, 'session_tokens', $sessions );     // Save the updated array of sessions back into user meta.
}, 10, 2 );

This code uses the login hook to pull the current user's session from the user meta, truncate all but the last one (most recent), then save the sessions back into user meta. See: Membership Feature: Restrict Users to One Active Session in WordPress.

The main problem here is that HTTP has no sessions, and therefore you need to introduce some session start and end at a higher level. The way WordPress defines a session is 2 days after a login, or until a logout.

The problem is that users very rarely log out of WordPress, which means that once a user has logged in it is impossible to use his account from another computer, or even another browser on the same computer, for 2 days, even if it is the same user trying to gain access again.

So the devil here is in the details: how are you going to prevent logged-in sessions from continuing forever, maybe at the cost of UX, or how can a user "close" a session from another browser?

Robert's answer (and Otto's) is totally wrong; you can do that using the existing hooks, but the naive approaches (for example, setting a transient when a user logs in) will probably lead to a usability disaster.
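The following is an added example, written for this page; it is not code from any answer in the thread and not WordPress core code. It pulls together the three mechanisms discussed above into one drop-in mu-plugin: the first answer's `authenticate` filter (used here to refuse a login while another session is live), the third answer's "keep only the newest session" behaviour (done here with `WP_Session_Tokens::destroy_others()` on the token core has just created), and the session-lifetime problem raised in this answer (handled with the `auth_cookie_expiration` filter). The two policies are selectable with a constant so the UX trade-off can be compared. Assumptions of the example, not facts from the page: the `WPSE_SINGLE_SESSION_POLICY` constant name, the `wpse_` function prefix, the `manage_options` capability as the exemption test, the 8-hour lifetime, and `error_log()` as the log sink. It relies on the `$token` argument that `set_logged_in_cookie` passes since WordPress 4.9.

```php
<?php
/**
 * Plugin Name: Single Session Policy (added example, not from the thread)
 *
 * Two mutually exclusive policies, selected by WPSE_SINGLE_SESSION_POLICY:
 *   'newest_wins' - a successful login evicts every other session for the account;
 *   'oldest_wins' - a password login is refused while another live session exists
 *                   (literally what the question asks for, with the UX cost noted above).
 * Administrators (manage_options) are exempt in both modes. All wpse_* names,
 * the constant and the 8-hour value are assumptions of this example.
 */

if ( ! defined( 'WPSE_SINGLE_SESSION_POLICY' ) ) {
    define( 'WPSE_SINGLE_SESSION_POLICY', 'newest_wins' ); // or 'oldest_wins'
}

/** Users allowed to hold several sessions. A capability check, not a role-name check. */
function wpse_single_session_is_exempt( $user_id ) {
    return user_can( $user_id, 'manage_options' );
}

/**
 * newest_wins: act at the moment core stores the new session token, which is
 * passed as the 6th argument of set_logged_in_cookie (WordPress 4.9+). Keeping
 * exactly that token and destroying the rest is race-free, and because this runs
 * only after wp_authenticate() succeeded, a wrong password from a third party can
 * never evict the legitimate user's session.
 */
add_action( 'set_logged_in_cookie', function ( $cookie, $expire, $expiration, $user_id, $scheme, $token ) {
    if ( 'newest_wins' !== WPSE_SINGLE_SESSION_POLICY || wpse_single_session_is_exempt( $user_id ) ) {
        return;
    }
    $manager = WP_Session_Tokens::get_instance( $user_id );
    // get_all() already excludes expired tokens and already contains the new one.
    $evicted = count( $manager->get_all() ) - 1;
    $manager->destroy_others( $token );
    if ( $evicted > 0 ) {
        // Repeated evictions on one account are the signal of credential sharing; record them.
        error_log( sprintf( 'single-session: user %d logged in, %d other session(s) evicted', $user_id, $evicted ) );
    }
}, 10, 6 );

/**
 * oldest_wins: refuse a credential login while a live session exists. Priority 25
 * runs after core verifies the password (20) and before cookie authentication (30),
 * so $user is a WP_User here only for a password login that actually succeeded.
 * Never look the user up by name and return it from this filter: a WP_User returned
 * here is accepted as authenticated without any password check.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( 'oldest_wins' !== WPSE_SINGLE_SESSION_POLICY || ! $user instanceof WP_User ) {
        return $user; // pass nulls and WP_Error objects through untouched
    }
    if ( wpse_single_session_is_exempt( $user->ID ) ) {
        return $user;
    }
    // REST (application password) and XML-RPC requests also pass through this
    // filter but never create a cookie session; do not block them on session count.
    if ( ( defined( 'REST_REQUEST' ) && REST_REQUEST ) || ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ) {
        return $user;
    }
    $live = WP_Session_Tokens::get_instance( $user->ID )->get_all(); // expired tokens are filtered out
    if ( count( $live ) > 0 ) {
        error_log( sprintf( 'single-session: login refused for user %d, %d live session(s)', $user->ID, count( $live ) ) );
        return new WP_Error(
            'single_session_active',
            __( 'This account is already logged in elsewhere. Log out there first, or wait for that session to expire.' )
        );
    }
    return $user;
}, 25, 3 );

/**
 * Shorten the session lifetime for non-admins so a forgotten browser does not
 * hold the single slot for 2 days (14 with "remember me"). The filter value is a
 * length in seconds, and core uses the same expiration for the stored token, so
 * get_all() above stops counting the session once this window has passed.
 */
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    if ( wpse_single_session_is_exempt( $user_id ) ) {
        return $length;
    }
    return min( $length, 8 * HOUR_IN_SECONDS ); // 8 hours is an assumed policy value
}, 10, 3 );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins. To try the oldest-wins policy, define `WPSE_SINGLE_SESSION_POLICY` as `'oldest_wins'` in wp-config.php, log in from one browser, then attempt the same account from a second one: the login form shows the `single_session_active` error until the first session is logged out or its 8-hour window passes, which is exactly the usability trade-off this answer warns about.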

For anyone reaching this page looking for an answer, there's this plugin that does exactly that: https://wordpress.org/support/plugin/loggedin/

Resurrecting an old thread because WordPress now has a one-liner to fix this problem.

Simply call the following function in your plugin's init hook (or similar):

wp_destroy_all_sessions()

Ref: https://developer.wordpress.org/reference/functions/wp_destroy_all_sessions/

By Otto.

Not easy. Quite a lot of hacking would be needed.

WordPress doesn't have any idea who's "logged in" at any one time, because there's no system for tracking that in any way. When you log in, a cookie is set on your browser with your username and a code representing your password. Every time you access the site, that cookie is checked and you are identified as you.

So, it's not like you're maintaining a permanent connection or using some kind of session. You're "logging in" every single time you hit the site for anything.

To do what you're wanting, you'd have to rewrite a lot of the login and authentication system to use sessions or something similar.

WordPress does not have such system to store sessions in database, by default.
