fjarrett / prevent-concurrent-logins Goto Github PK

It would be handy to have one.

Without this plugin visiting other sites authentication is automatic. Meaning, it is not required to login to each individual blog on a multi-site installation.

With this plugin, visiting other sites, authentication doesn't occur. Meaning, it is required to login to each individual blog on a multi-site installation. This action logs you out of all other blogs in the process, dooming the ability to authenticate once for the entire network.

This suggestion was proposed by @nutsandbolts:

After trying out the plugin, my only suggestion would be to have the option to allow concurrent logins for administrators. I often switch between my laptop and desktop when working on my own sites, and having to log in over and over is driving me crazy.

This suggestion was brought up in the forums for membership sites where page reloads may not be performed very often.

This could be achieved by polling the page with JavaScript, an easy thing to with the Heartbeat API. When an old user session is detected the user could be immediately logged out.

Additionally, a filter could be exposed to redirect the user to the URL of your choosing (such as the homepage), rather than destroying the session and always being sent to the login screen.

There are performance considerations to take if a feature like this were to be added, however, the plugin could simply gracefully degrade and require a page reload if the Heartbeat API is disabled - which you should be doing anyway if performance is a concern for you.

Is it possible to set the allowed number of concurrent sessions? For instance 2 for all users?

@fjarrett Do have an idea how to restrict WP sessions to the initial (at login time) IP address?
I'd like to implement it.

Currently, old sessions for users are only destroyed when users login, they are not destroyed automatically when the plugin is activated because the code is designed to affect $current_user only.

This would be a nice feature to add so that immediate results are seen instead of having to wait for every user to take action. Even with several tens of thousands of users the process should be lean enough to run in only a few seconds.

See this comment by @chuckreynolds in a related project: fjarrett/user-session-control#2 (comment)

when logging in as super-admin on main blog or any blog in multi-site installation causes a re-direct loop with these url arguments http://example.com?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1

Could you add two hooks here to provide logging?
https://github.com/fjarrett/prevent-concurrent-logins/blob/master/prevent-concurrent-logins.php#L68-L72
One for destroy_other and destroy_current.

When there is automatic logout login page shown. But only on admin pages. I have wocommerce subscription webpage and want to logout user on open normal pages too. Can i do that?