Hi

We need some work done on website security

The problem:
We live stream pay-to-view events. Some people are sharing passwords and only paying once; we need to prevent this without annoying the majority who are not doing this.

Our solution to this:
Limit sessions to one user, and have the oldest session as the active one, and have the browser automatically log people out on browser close. Admins need to be able to close sessions in case people are locked out.

We have tried the following:
- session limit module. This successfully limits to one session - however, if the option is that all additional log in attempts are blocked (i.e. the first session stands as active), the user can get themselves locked out if they do not log out, say if they close the browser without logging out, and then re-open their browser and another session is started.
If session limit is set up to dump the older session and always allow the new session, the dodgy people could take it in turns to log in and set up the live stream page… then they would all be watching. This is because the video plays regardless of log in status and user activity. Similar to the fact that you can still see the balances of an online banking page even though the session may have expired. The user would only be forced to re-log in once they refreshed their page.

- session expire module. We used this to end sessions to try to get around the locked out problem with session limit module, however we don’t want the legitimate people to be forced to log in part way through watching a live stream (they can be 4 or 5 hours long). And it really doesn’t help me with people accidentally getting themselves locked out; they will want to get back in immediately and not wait for the session to be dumped.

- I used cleaner module to force dump the contents of the session table on cron run (for some reason sessions table wasn’t being emptied on cron)

- I changed settings.php - session.cookie_lifetime to 0 to try to force log out on browser close, also to try to get around the potential for blocking users who haven’t logged out properly. This is not working.

I'm out of ideas and need a solution. If you are interested, please let me know.

thanks

Comments

alex’s picture

Your requirement "have browser automatically log people out on browser close" is technically unsolvable. You can have some limited success with some browsers, but no more than that.
The workflow needs to be changed - any new session kills the older one, the streaming only works for the last person logged in.

marynz’s picture

Hi Alex
Thanks for your response. I did wonder about the log out on browser close, but saw a lot written about it on drupal.org so thought it must be able to be done somehow.

Your suggestion would work if it is technically possible. Do you think this can be done? At the moment the stream continues even after the session is killed. It's only when the watcher refreshes the page that they see the "you have been logged out" message.

mary

eugsadhu’s picture

Mary-
I'll PM you. What you want to accomplish is doable, but I'm not sure how much can be done with stock drupal modules. (Even the detection of browser window closing is possible.)
-Eugene

webstylemedia’s picture

Hi!

It's possible to achieve partially.

The way is simple - use the session_limit module with the option to dump previous sessions + add a jQuery script that will intercept the browser close event and ask the user if he really wants to log out - if so, then call the logout URL by AJAX.

On the player page you may add an AJAX call that will periodically check if the session is active and, if not, stop the player. To block the option to play again or download the video, you need to create a download module that will provide a custom download URL that will check permissions before download/playing.

D.
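
The workflow suggested in the comments above (newest login replaces the older session, the player polls its session status, and the stream URL checks permission on every request) can be modelled as follows. This is an added example, not code from any poster in this thread and not the session_limit module's API; `SessionRegistry`, `authorizeSegment`, `nextState` and `startGuard` are hypothetical names, and the session IDs are constructed sample values.

```javascript
// Added example. sid stands for whatever session ID the site already issues.
class SessionRegistry {
  constructor() { this.current = new Map(); }      // account id -> the one live session id

  login(uid, sid) { this.current.set(uid, sid); }  // newest login replaces the older session
  logout(uid, sid) { if (this.current.get(uid) === sid) this.current.delete(uid); }
  adminClose(uid) { this.current.delete(uid); }    // admin ends a session by hand

  // Used by BOTH the status endpoint the player polls and the stream URL itself.
  isCurrent(uid, sid) {
    return typeof sid === 'string' && sid.length > 0 && this.current.get(uid) === sid;
  }
}

// Server-side gate for each stream/segment request: the check that actually enforces access.
function authorizeSegment(registry, uid, sid) {
  return registry.isCurrent(uid, sid) ? 200 : 403;
}

// Player-side decision for one poll. result: true = still current, false = superseded,
// null = request failed. A few failed requests are tolerated so a network blip does not
// interrupt a paying viewer; an explicit "superseded" stops playback at once.
function nextState(errors, result, maxErrors = 3) {
  if (result === true) return { errors: 0, stop: false };
  if (result === null && errors + 1 < maxErrors) return { errors: errors + 1, stop: false };
  return { errors: errors + 1, stop: true };
}

// Browser wiring (assumed): check() resolves to true/false, player exposes stop().
function startGuard(check, player, intervalMs = 15000) {
  let errors = 0;
  const timer = setInterval(async () => {
    const result = await check().catch(() => null);
    const state = nextState(errors, result);
    errors = state.errors;
    if (state.stop) { clearInterval(timer); player.stop(); }
  }, intervalMs);
  return timer;
}

// Constructed scenario: two people share account 42.
function sharedAccountScenario() {
  const reg = new SessionRegistry();
  reg.login(42, 'sid-A');                       // first viewer
  reg.login(42, 'sid-B');                       // second viewer, same password
  return { a: authorizeSegment(reg, 42, 'sid-A'), b: authorizeSegment(reg, 42, 'sid-B'),
           aPoll: nextState(0, reg.isCurrent(42, 'sid-A')).stop };
}
```

The client-side poll only improves the experience for the displaced viewer; the enforcement is the server-side check on the stream URL, since a script in the browser can be disabled.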