Is there a way to restrict multiple logins for a user across different devices or the same device?
Yes, it is possible to restrict multiple logins for a user across different or the same device. This can be done by implementing session management techniques, such as:
- Session Limiting: Allow only one active session per user at a time.
- Device Fingerprinting: Track unique device identifiers (e.g., IP address, browser fingerprint) to limit login to specific devices.
- Token-based Authentication: Use tokens (JWT, OAuth) and ensure they are valid only for a single session or device.
- Real-time Monitoring: Monitor login attempts and revoke sessions if multiple logins are detected.
These methods help enforce single login access and prevent simultaneous logins from multiple devices or locations.
Thanks for the info.
Can you please outline the steps to implement Session Limiting or any of the other above-mentioned techniques?
With file access control (File access control - Apps - App Store - Nextcloud), you can realize certain restrictions (e.g. access content just via certain IP ranges, time of the day, …).
A session limit like this is not implemented (as far as I know). The problem is that generally you do have multiple sessions per user. For example, if you sync your mobile, you have a connection for the app, then you have a connection for the calendar, and a connection for contacts. Nextcloud is a solution to sync data between devices, so why block its main feature?
What do you consider to be “multiple logins”?
Two (distinct) browsers on the same device that happen to be logged in?
And when do you consider a session to be “active” versus inactive? Does it have to be logged out/timed out first? etc.
We might be able to provide specific suggestions if you give us more context about the broader problem you’re attempting to solve.
Multiple logins means the user is already logged in on the same or a different device and has not logged out yet.
Have you already looked at all the configuration options as described → here ← , especially the directives
- 'remember_login_cookie_lifetime', which is 15 days by default and can be set to 0
- 'session_lifetime' defaults to 24 hours if the php garbage collector is not set to a shorter period (on Debian systems this is every 30 minutes by default)
- 'session_relaxed_expiry' can be set to true so that the php garbage collector or another configured backend (e.g. redis) takes over the expiration
- 'session_keepalive' is set to true by default, if this is set to false there is no longer a controlling heartbeat
- 'auto_logout' can be set to true so that an inactive session is automatically logged out, even if 'session_keepalive' is set to true
h.t.h.
Much and good luck,
ernolf
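The five directives named in the post above, shown as a `config/config.php` fragment. This is an added example, not part of the original post or of the Nextcloud project's own files; the 30-minute lifetime is a constructed value, and the defaults in the comments are the ones stated in the post. These settings shorten how long a login stays valid; they do not limit a user to a single concurrent session.

```php
<?php
// Fragment of Nextcloud's config/config.php (constructed example values).
$CONFIG = array (
  // ... keep the existing entries of your installation here ...

  // Default: 15 days (60*60*24*15). 0 turns the "remember me" cookie off,
  // so a login does not outlive the PHP session.
  'remember_login_cookie_lifetime' => 0,

  // Default: 24 hours (60*60*24). Constructed value: 30 minutes.
  'session_lifetime' => 60 * 30,

  // false: Nextcloud itself enforces 'session_lifetime'.
  // true:  expiry is left to the PHP garbage collector or the configured
  //        session backend (e.g. redis).
  'session_relaxed_expiry' => false,

  // Default: true. The browser heartbeat keeps an open tab's session alive.
  'session_keepalive' => true,

  // true: an inactive session is logged out automatically, even though
  // 'session_keepalive' is enabled.
  'auto_logout' => true,
);
```

With 'session_relaxed_expiry' left at false, the effective timeout is still bounded by the PHP garbage collector interval mentioned in the post, so check that setting on the host as well.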