Concurrent user login -session logout #2944

Open
spomytkin opened this issue Sep 25, 2024 · 7 comments

@spomytkin

https://github.com/Alfresco/alfresco-community-repo/blame/f3e0c43f3b32de6c4a6644e8b42679825783f98f/repository/src/main/resources/alfresco/repository.properties#L563

Trying to solve the opposite problem from https://hub.alfresco.com/t5/alfresco-content-services-forum/concurrent-user-login-session-logout/td-p/306991
For some reason there is no way to post a question to this forum (the post appears to require "Choose a board" and it's empty), so asking here:
The original question was “How to prevent the same user login in different systems in the alfresco or how to inform the user that another system trying to login using the same user?”
I need users automatically logged out of their previous session when a new login attempt is made.
Per the documentation, "authentication.ticket.useSingleTicketPerUser=true" should just do it, but a new browser session doesn’t cause a logoff (e.g. if I open a new anonymous window it asks for login and both sessions stay logged in).
Configuration - plain Alfresco version 6.1.0 (e.g. no SSO)

@jottley
Member

jottley commented Sep 25, 2024

Not an indication that I can answer the question yet...but for clarification: You would like to invalidate any previous/current session for a user when that user logs in elsewhere and a new session is created. Is that correct?

@iwkse

iwkse commented Sep 25, 2024

Yes, it should be exactly like that. Having a single session per user.

@jottley
Member

jottley commented Sep 25, 2024

So I think what you may be after is this

This is deprecated, so there is no direct way to set the property except to modify the bean in the XML. The code is still in place. You would get a warning when it is set to true. It doesn't work in a cluster as it just removes the ticket from the in-memory cache. But I believe that it will remove the ticket for the existing session when a new attempt to validate the ticket occurs.

@iwkse

iwkse commented Sep 25, 2024

Wouldn't this recreate the ticket after each call instead of being a ticket per user?

@spomytkin
Author

Correct. Invalidate any previous/current session and ideally indicate the reason in the UI (e.g. a log off message).

"oneOff"

  • creates a new ticket for each call (e.g. REST calls)

The one I'm after is for a single ticket per user, not single use:
${authentication.ticket.useSingleTicketPerUser}

@jottley
Member

jottley commented Sep 25, 2024

Then it might not be an OTB solution. Looking at the code I am not sure that I see a configurable way to achieve it.

@spomytkin
Author

> Then it might not be an OTB solution. Looking at the code I am not sure that I see a configurable way to achieve it.

I see in

if(useSingleTicketPerUser)
{
    ticket = findNonExpiredUserTicket(userName);
}

  • looks like it just reuses the same ticket

Would you mind a quick conversation - to make sure there is no OTB and if so, discuss a potential enhancement (shouldn't be terribly hard to check on login if there is already a session for a given user and invalidate it)? It would be simpler if we could look at the code you are referring to and discuss a solution.

I’m on EST and my Google account (Gmail, etc.) is the same as my GitHub profile - spomytkin.
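
The distinction the thread turns on, as an added example that is not Alfresco's code and not from any participant: a toy in-memory ticket store showing that reusing one ticket per user (the `findNonExpiredUserTicket` branch quoted above) leaves the first session valid, while an invalidate-on-login policy does not. The class, the `Policy` enum, the ticket format and the body of `findNonExpiredUserTicket` are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Toy in-memory ticket store (hypothetical; not Alfresco's ticket component). */
public class TicketDemo {
    enum Policy { NEW_TICKET_PER_LOGIN, SINGLE_TICKET_PER_USER, INVALIDATE_PREVIOUS }

    private final Map<String, String> ticketToUser = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Policy policy;

    TicketDemo(Policy policy) { this.policy = policy; }

    // Same name as the call quoted in the thread; this body is an assumption.
    private String findNonExpiredUserTicket(String userName) {
        return ticketToUser.entrySet().stream()
                .filter(e -> e.getValue().equals(userName))
                .map(Map.Entry::getKey).findFirst().orElse(null);
    }

    synchronized String login(String userName) {
        if (policy == Policy.SINGLE_TICKET_PER_USER) {
            String existing = findNonExpiredUserTicket(userName);
            if (existing != null) return existing;   // reuse: the older session stays valid
        } else if (policy == Policy.INVALIDATE_PREVIOUS) {
            // Drop every ticket the user already holds before issuing a new one.
            ticketToUser.values().removeIf(userName::equals);
        }
        byte[] raw = new byte[24];
        rng.nextBytes(raw);                          // unguessable ticket value
        String ticket = "TICKET_" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        ticketToUser.put(ticket, userName);
        return ticket;
    }

    boolean isValid(String ticket) { return ticketToUser.containsKey(ticket); }

    public static void main(String[] args) {
        for (Policy p : Policy.values()) {
            TicketDemo store = new TicketDemo(p);
            String first = store.login("alice");     // constructed user name
            String second = store.login("alice");    // second browser session
            System.out.printf("%-24s sameTicket=%b firstStillValid=%b%n",
                    p, first.equals(second), store.isValid(first));
        }
    }
}
```

Only `INVALIDATE_PREVIOUS` reports the first ticket as no longer valid. The store is per-process, so in a cluster the removal would also have to reach the other nodes.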
