Is it possible to force google to create only one session for a single user?

I have created services in GAE that use Google ID to authenticate users. Now a single user is creating multiple sessions from multiple PCs by sharing his username/password. I want to restrict this.

In simple language, after a successful login the application should sign out all other sessions for this user.

In Gmail there is a link at the bottom of the page by the name "last activity details". On clicking details it shows current sessions and also gives the option to log out other sessions. I want the same functionality programmatically.

There is one more option: before logging in detect whether the user is already logged on?

Have a look at this

http://mail.google.com/support/bin/answer.py?ctx=%67mail&answer=45938

see Concurrent sessions

If this information can be accessed somehow, I can take appropriate action.

+1  A: 

There is nothing that prevents you from storing login details in the Google App Engine Data service. As a consequence, you can store all login details for a user in its associated object. As a consequence, I would say there is no difference between GAE and a traditional web application, except that you'll store login info in the database, instead of letting your web front-end handle it.

Riduidel
Hmmm, I know that. My question is how to restrict multiple logins from multiple locations using the same ID. Or expire other logged-in sessions when a new session is created?
Manjoor
I don't understand... You want to have an example of such code? You want to choose between the two?
Riduidel
+2  A: 

It's certainly possible.

If you're using Google Accounts for authentication, a user logs in by posting their credentials to Google, and Google returns an authentication token to your site which is then stored as a cookie in the user's browser. The token is good until the cookie expires (24 hours by default) or until the user logs out.

If you want to track multiple login sessions, you can write handlers designed to run after login or logout. If your normal post-login return URL is "/do_stuff", you might change this to "/finish_login?next=%2Fdo_stuff". In that handler you could create an entity in the datastore representing the session, with a reference to the Google Account, the IP address that logged in, and the login timestamp (current timestamp). You can write the session entity key to another cookie in the user's browser. After you're done, redirect to the "next" URL.

After logout you can have a similar handler that checks for the session entity key cookie, deletes the entity, and deletes the cookie.

If you want to show the user that they are logged in from multiple locations, query for session entities associated with their Google Account that are less than 24 hours old (or whatever your cookie expiration is set to).

If you want to remotely log out another session, you might need to write your own version of the login_required decorator that Google offers in webapp.util. Your version would need to verify that the user is logged in, verify that they sent a session key cookie, and verify that the associated entity still exists and is owned by the correct account.

Drew Sears
+1 for such a great explanation. But writing code for handling sessions seems to be lengthy at this time. Is there a simpler way? Is there a related API provided by Google to check how many concurrent sessions are created for the current user?
Manjoor
AFAIK this functionality is not exposed by any of the official APIs. There might be open source libraries that offer similar behavior, but I don't know any offhand.
Drew Sears
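
The session tracking described in Drew Sears's answer, as an added example that is not code from the answer or from Google. It assumes an in-memory dict standing in for the datastore session entities so that it runs anywhere; the class, its method names and the `single_session` flag are hypothetical.

```python
import secrets
import time

SESSION_TTL = 24 * 3600  # matches the 24-hour cookie lifetime mentioned in the answer


class SessionStore:
    """In-memory stand-in (assumption) for the datastore session entities."""

    def __init__(self):
        self._sessions = {}  # session key -> {"account", "ip", "created"}

    def finish_login(self, account, ip, now=None, single_session=True):
        """Post-login handler logic: record the session, return the cookie value."""
        now = time.time() if now is None else now
        if single_session:
            # Signing in anywhere invalidates every other session of the account.
            self.revoke_all(account)
        key = secrets.token_urlsafe(32)  # random, so the cookie cannot be guessed
        self._sessions[key] = {"account": account, "ip": ip, "created": now}
        return key

    def active_sessions(self, account, now=None):
        """Sessions of this account that are younger than the cookie lifetime."""
        now = time.time() if now is None else now
        return {k: s for k, s in self._sessions.items()
                if s["account"] == account and now - s["created"] < SESSION_TTL}

    def is_valid(self, account, cookie_key, now=None):
        """The check a custom login_required would make on every request."""
        if not account or not cookie_key:
            return False
        return cookie_key in self.active_sessions(account, now)

    def logout(self, account, cookie_key):
        """Delete one session, but only if it belongs to the calling account."""
        session = self._sessions.get(cookie_key)
        if session is not None and session["account"] == account:
            del self._sessions[cookie_key]
            return True
        return False

    def revoke_all(self, account, keep=None):
        """Remote logout: drop every session of the account except `keep`."""
        doomed = [k for k, s in self._sessions.items()
                  if s["account"] == account and k != keep]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

Because the Google authentication cookie itself stays valid, a revoked session is only locked out if every protected handler calls the `is_valid` check.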