How can I restrict multiple logins | Forum

We The People United We Stand
Is there any way to prevent someone from giving out their login credentials to friends so that they all log in with one user name?



We The People United We Stand
With a two-stage logon, that will still allow multiple people to sign in with the same logon.
dave Leader
dave Jun 16 '20

Interesting. Since the login itself is the only thing being regulated, I am curious: if userA logs in as admin using the 2FA number, then userB logs in under the same account and userA gives them the code from their phone, then you have two users under the same account.


I use 2FA for a lot of my stuff and I suppose if I gave out the code when they logged in it might work. It would be interesting to test, but it would have to be on two different IPs. I don't think using just two different browsers would be a sufficient test.

dave Leader
dave Jun 16 '20

Correct, it's one use for userA and one use for userB and userC ... and so on. As long as the current code value is shared with whoever needs it, I think it would be possible.


So yes, 2FA is very secure if you don't give people codes, but let's say that two friends want to log into admin: the current code can be input, then another code can be shared and input for the second login. I think that would work.

dave Leader
dave Jun 16 '20

Yes, you are right of course; however, I was looking at it not from how it works now but how it could work if an admin wanted to let his friend log in as admin as well. And I am talking in general 2FA terms, not specifically how this plugin works or does not work.


I currently use two types of 2FA - Google Authenticator and the instant message version.


I won't go into how each works as most know it, and if not there is a YouTube of it. I'm sure you are well aware of both.


For both, the security lies in the fact that a cell phone of the user is involved for authentication, but that can also be bad if you lose your phone or the phone number for some reason.


Since the phone is involved, here is how one might do it IF they wanted their friend to log in to their account at the same time.


UserA - logs in, gets the code from the phone and finishes the login.


UserB - 1 min later from a different location, logs into the same website and, regardless of which 2FA they use, calls userA on the phone and says "hey, what's your code" (because now userA has a new message with a new code). UserA gives them the code and userB then finishes the login, and both are logged in at the same time.


What 2FA does not do is check to see if the user is already logged in to the site and, if so, refuse the new code instant message.



The Forum post is edited by dave Jun 16 '20
dave Leader
dave Jun 16 '20

Correct :) which can be stored using cookies or session or db storage. Then just checking OW::getUser()->isAuthenticated() upon login. Those stored values can be used for extra validation. Although cookies are not really secure.

The Forum post is edited by dave Jun 16 '20
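The check discussed above (refusing a second login while the account already has a live session, tracked server-side rather than in a cookie), as an added example that is not part of the original posts and is not Oxwall code. The class `ActiveSessionRegistry`, its methods, the in-memory array standing in for a database table, and the 30-minute idle timeout are all assumptions made for illustration:

```php
<?php
declare(strict_types=1);
// Added example, not Oxwall code. ActiveSessionRegistry and its methods are hypothetical names.
final class ActiveSessionRegistry
{
    /** @var array<int, array{token: string, lastSeen: int}> server-side store (stands in for a DB table) */
    private array $active = [];
    public function __construct(private int $idleTimeout = 1800, private bool $replaceOld = false) {}

    /** Call after the password (and any 2FA code) has been verified. Returns a token, or null if refused. */
    public function login(int $userId, int $now): ?string
    {
        $current = $this->active[$userId] ?? null;
        $stillLive = $current !== null && ($now - $current['lastSeen']) < $this->idleTimeout;
        if ($stillLive && !$this->replaceOld) {
            return null; // account already in use: refuse the second login
        }
        $token = bin2hex(random_bytes(32)); // unguessable; keep it in the server-side session only
        $this->active[$userId] = ['token' => $token, 'lastSeen' => $now];
        return $token;
    }

    /** Call on every request; false means this session was superseded or has expired. */
    public function touch(int $userId, string $token, int $now): bool
    {
        $current = $this->active[$userId] ?? null;
        if ($current === null || !hash_equals($current['token'], $token)
            || ($now - $current['lastSeen']) >= $this->idleTimeout) {
            return false;
        }
        $this->active[$userId]['lastSeen'] = $now;
        return true;
    }

    public function logout(int $userId, string $token): void
    {
        if (isset($this->active[$userId]) && hash_equals($this->active[$userId]['token'], $token)) {
            unset($this->active[$userId]);
        }
    }
}

// Constructed scenario: user 7 logs in, then a friend tries the same account one minute later.
$registry = new ActiveSessionRegistry(idleTimeout: 1800, replaceOld: false);
$a = $registry->login(7, 1000);   // userA completes login (password + 2FA already checked)
$b = $registry->login(7, 1060);   // userB, same account, while userA's session is still live
var_dump($a !== null, $b === null, $registry->touch(7, $a, 1100));
$registry->logout(7, $a);
var_dump($registry->login(7, 1200) !== null); // the account is free again after logout
```

Setting `replaceOld` to true switches the policy from refusing the newcomer to signing out the earlier session, which avoids locking out a user who closed the browser without logging out.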
We The People United We Stand
Your knowledge is admirable. Unfortunately mine isn't, so is there an easy way?
dave Leader
dave Jun 21 '20
Without a plugin, 2FA usage, or custom coding, no. You can however add that policy to your terms as a no tolerance policy and then reprimand them if they do so.
We The People United We Stand

Thxs Dave


If I can, do you know of any plugins or a way to easily create video playlists?


Again thxs Dave.  Be well to you and yours.

The Forum post is edited by We The People United We Stand Jun 22 '20
dave Leader
dave Jun 22 '20
Thanks, no I do not, but that does not mean there is not one there; I just have not noticed it.