Session Limit and limit concurrent user logins

Hello to the community,
Are there tools or plugins that work with Plone 5 for:

  • Limit connection time (Session Limit Plugin, for example)
  • Limit concurrent user logins in Plone 5

As regards the Session Limit, it seems to me that "plone.session" can do the trick but it has some downsides.
If so, can it be installed via the buildout or can we only use the package
"Plone.session" with pip install plone.session?
In advance, I thank you for your help.

You can change the connection timeout without any plugins from the ZMI:

/your_plone_site_id/acl_users/session/manage_propertiesForm

--> Cookie validity timeout

and/or

--> Refresh interval


You can use stick tables in haproxy, if you use that, to count the number of logged-in users to the website and start denying them if there are too many.
Plone records login times, so a plugin that compares how many logged in recently in order to deny a login would not be hard, but I haven't seen such a plugin. It could be an additional feature to Products.LoginLockout (GitHub - collective/Products.LoginLockout: Prevents endless login attempts in Plone, making it more secure) if you want to add it. I recently added denying logins based on src IP range.


Thanks for the information.
I will look closely at using it.
This seems a priori simple to implement.

Thank you for the information and suggestions.
I tried to look closely at haproxy.
It seems to me a bit heavy to implement, especially on Windows and for my rather simple needs. I will try to look at it again.
Besides, it seems that the link that you propose to me does not work.
Thanks again.

Sure. I'm saying that to my knowledge there is no out-of-the-box solution for you, so you will have to do some work to achieve what you are after. It's not a common request to want to limit the number of simultaneous users, since normally you just set up a server with enough capacity to handle the number of requests, and logged-in requests are something that Plone handles fine normally.

A note about haproxy. If you intend to run a server that can handle more than a small amount of traffic then you will need some load balancer, as Zope/Plone does not come with one built in. I'm not sure what you were intending to use, but haproxy is the most common choice among Plone administrators. I recently implemented a similar use case to prevent single users using up too many resources for a multi-site platform in Plone. I did this using stick tables and will put this into production soon. It's a few lines in your haproxy config. But if you aren't using haproxy then I'd look at what your load balancer might offer in terms of similar functionality. Getting Plone to do the same thing will require a lot of writes to the database, which would have performance impacts.

Hello Dylan and the whole community.
Thank you for your explanations and your help.
I realize through your answer that I did not specify what I wanted.
Indeed, it is not a question of limiting the number of people who connect to the site in general.
Rather, it's about setting up a solution to enforce only one simultaneous login per authenticated user in Plone.
I think that such a solution existed before Plone 4: "Products.NoDuplicateLogin".
But it does not work since Plone 4, let alone with Plone 5.
The goal is to avoid that with a single login and password we can have multiple simultaneous connections under Plone 5.
Thank you again for all the time you take to explain to me.

You can't do similar functionality with haproxy stick tables because it can only see Plone's session cookie, which would be different for each login even if using the same login id. You could achieve it with a plugin that also stored the userid in a cookie in addition to the session cookie. Then you could have a rule that redirects the user if more than one entry is in the stick table with the same userid but different session cookie.

My advice would be to pay someone to update that plugin if you don't have the skills yourself. I would start by creating a ticket in GitHub and see if any of the previous contributors is interested.

It looks like someone has already requested an update - Plone 5.1 · Issue #1 · collective/Products.NoDuplicateLogin · GitHub. I would start contacting contributors directly.

The chances are the work required to make it work is minimal.
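
The one-login-per-user check discussed in the reply above (a userid tracked next to the session token, where the same userid with a different token means a second login), as an added example that is not from the thread or from Products.NoDuplicateLogin. It is a stand-alone in-memory sketch, not Plone or PAS API: the class and method names are hypothetical, "newest login wins" is an assumed policy, and a multi-process Zope setup would need a shared store instead of the dict.

```python
import hmac
import secrets
import time


class SingleSessionRegistry:
    """At most one live session token per user id; the newest login wins."""

    def __init__(self, timeout_seconds=3600, clock=time.time):
        self.timeout = timeout_seconds   # plays the role of a cookie validity timeout
        self.clock = clock               # injectable so expiry can be tested
        self._active = {}                # userid -> (token, last_seen)

    def login(self, userid):
        """Issue a fresh token; an earlier session for this user is displaced."""
        token = secrets.token_urlsafe(32)
        self._active[userid] = (token, self.clock())
        return token

    def check(self, userid, token):
        """Classify a presented (userid, token) pair."""
        entry = self._active.get(userid)
        if entry is None:
            return "unknown"             # never logged in, logged out, or expired
        current, last_seen = entry
        if not hmac.compare_digest(current.encode(), token.encode()):
            return "displaced"           # same userid, different session token
        if self.clock() - last_seen > self.timeout:
            del self._active[userid]
            return "expired"
        self._active[userid] = (current, self.clock())  # sliding refresh
        return "ok"

    def logout(self, userid, token):
        """Drop the session only if the caller holds the current token."""
        if self.check(userid, token) == "ok":
            del self._active[userid]
            return True
        return False
```

Because the userid is only ever compared against the server-side entry, a client that edits its userid cookie gets "displaced" or "unknown" rather than someone else's session.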

Hello Dylan,
Thank you so much for your response.
I am very sorry that I couldn't answer you earlier.
Constraints kept me away from Plone. This is why I haven't been on the site for a while.