16

Passport by default allows the same user to login from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second session?

Currently I'm using the 'Sessions' model to add the username to the record and upon subsequent login check by username if the sessions exists. But this increases traffic to the db. I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas around how to achieve tweak with express for this purpose or any other workaround/suggestion. Much thanks!

vivekanon
  • 1,813
  • 3
  • 22
  • 44
  • IMHO keeping the logged in users information in memory isn't a good idea as this approach will fail in case you decide to use some sort of clustering/multiple processes. One "easy" solution that comes to my mind is storing that data on redis/memcached. It will still require you to make a "query" of some sort but I doubt it will degrade performance (noticeably). – eymen May 26 '15 at 15:01
  • About my answer. Is it help you? is it solve the issue? – Aminadav Glickshtein Feb 24 '16 at 10:31

2 Answers2

6

I saw that at least 4 users upvote this question, so I decided to create passport-strategy for that. The new strategy called passport-one-session-per-user. It's open source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user

How to use it? add it right after session. For example:

app.use(passport.session())
var passportOneSessionPerUser=require('passport-one-session-per-user')
passport.use(new passportOneSessionPerUser())
app.use(passport.authenticate('passport-one-session-per-user'))

Not need for settings, or configuration.

How it is works?

The strategy, created an array that contain serializaed user objects, and sessionID.

Every time user logged in, the strategy check if the user already logged in. If so, it's flag the other session. The next time the user in the other session make a request, the strategy see the flag, and log the user out.

Aminadav Glickshtein
  • 23,232
  • 12
  • 77
  • 117
  • I have come across this answer (but have posted my own question around the same topic here https://stackoverflow.com/questions/51419037/one-session-per-user-passport-js) Would it be possible to use your module with my current setup? Thanks – Richlewis Jul 19 '18 at 10:34
  • So what stops someone from signing in from another computer or browser with the same password? – stromyc Apr 21 '21 at 20:19
1

I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified.

I believe the session model loggs the user in, and saves only that logged-in-ness in the session cookie. The server itself has no clue about who is logged in, but just checks this state in the (signed) session cookie provided by the browser.

You can write your own Passport.js strategy to handle it differently.

geon
  • 8,128
  • 3
  • 34
  • 41