By: Bikash
August 7 2018

Track Your User Sessions With Drupal Session Limit

To ensure that only the authenticated user has access to the website content and that no parallel sessions are running, Drupal offers the Session Limit module. It limits the total number of sessions that may be established, at the discretion of the admin. These limits are known as session limits.

A user can log in multiple times and have several instances running at the same time. To restrict a user from doing so, we can use the Session Limit module, where we can set the maximum number of login instances for the same user.

In this article, we will learn how to set up session limits and look at the module's features.

Why Should You Care About Session Limit?

Session limits are important, depending on the setup and website content. They ensure that only a single user stays on the system with a single login per device (where the user could log in on their work laptop, phone, or home computer). This is important from a security perspective since it informs the user of any concurrent session that may be going on.

When a user logs in and their login results in other users being logged out, the session limit has been reached and those users who are logged out are notified as to why the logout occurred.

The session limit forces the user to log out of any extra sessions after they exceed the administrator-defined maximum. 

How Does It Work?

For example, if the admin has set the limit to 1 session per user on her Drupal website, that user can only sign in from 1 browser at a time. If the user tries to sign in from a second browser, she will either be asked to log off from the previously logged-in device or have the new login session ended prematurely.

Likewise, you can set the maximum number of simultaneous sessions. It gives you a chance to permit just a single session per client. This way you can also secure the client’s account. 

Following are the features that the module provides:

  • On login, log out the oldest session without prompting (optional)
  • At login, prevent login if an existing session exists elsewhere (optional)
  • Notify old session about the disconnect
  • Configure any number of max allowed sessions
  • Configure session limiting exclusions by role
  • Configure session limiting exclusions by user
  • New user session prompted to select which session to disconnect
  • Implements hook on the collision
  • Implements hook on the disconnect
  • Implements triggers and is compatible with Rules
  • Integrates with the Token module
  • Disregard Masqueraded user sessions in max session counter (optional)

Using the Drupal Session Limit Module

Installing and Enabling the Module

  • Using UI

Navigate to Manage → Extend → Install new module and enter the .tar.gz or .zip URL of the module (from Drupal.org) and hit Install.

Once the download and installation have finished, click on “Enable newly added modules”.

Find Session Limit in the list of modules, select it and click on Install.

  • Using Composer

Add the Session Limit package using Composer:

$ composer require "drupal/session_limit"

Enable the module by navigating to Manage → Extend, selecting Session Limit and clicking Install.

After enabling the module, navigate to: 

Home > Administration > Configuration > People > Session Limit

  • The first option sets the maximum number of active sessions that a user can have at a given time. A user who tries to exceed the set limit is restricted from doing so.
    Setting the default active session and the action when the limit is exceeded.

     

  • The second option applies when the default session limit has been exceeded. It offers a choice of three actions:
    • Ask the user to log out of previous sessions.
    • Automatically terminate previous sessions.
    • Prevent creation of new sessions.
       
  • The third option specifies the severity of the logged-out message, which ranges from no message to an error, as shown in the figure below.
    The severity of the logged-out message.

     

  • The role limits part contains limits that can be set by role, viz. Authenticated user and Administrator. Each has a drop-down menu from which a limit can be chosen.
    Setting the limit for Administrator and Authenticated user.
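
Once the limit is configured, it is worth checking that it actually holds. The added example below (not part of the module or the original article) runs an audit query that lists accounts with more rows in Drupal's core sessions table than the configured maximum. It uses an in-memory SQLite table with constructed rows; the column names follow core's sessions table, while MAX_SESSIONS and the function names are assumptions made for the example.

```python
import sqlite3

# Assumed value: the maximum set on the Session Limit configuration page.
MAX_SESSIONS = 1

# Authenticated accounts holding more session rows than the limit.
# uid 0 is the anonymous user, so those rows are excluded.
AUDIT_SQL = """
SELECT uid,
       COUNT(*)                 AS open_sessions,
       COUNT(DISTINCT hostname) AS distinct_hosts,
       MAX(timestamp)           AS last_seen
FROM sessions
WHERE uid > 0
GROUP BY uid
HAVING COUNT(*) > ?
ORDER BY open_sessions DESC, uid
"""

def build_sample_db():
    """In-memory stand-in for the site database (all rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        "uid INTEGER, sid TEXT PRIMARY KEY, hostname TEXT, timestamp INTEGER)"
    )
    rows = [
        (0, "sid-a", "192.0.2.10", 1533600000),    # anonymous visitor
        (0, "sid-b", "192.0.2.11", 1533600100),    # anonymous visitor
        (5, "sid-c", "192.0.2.20", 1533600200),    # within the limit
        (7, "sid-d", "192.0.2.30", 1533600300),    # three sessions, two hosts
        (7, "sid-e", "198.51.100.4", 1533600400),
        (7, "sid-f", "198.51.100.4", 1533600500),
        (9, "sid-g", "192.0.2.40", 1533600600),    # two sessions, one host
        (9, "sid-h", "192.0.2.40", 1533600700),
    ]
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?)", rows)
    return db

def over_limit(db, max_sessions=MAX_SESSIONS):
    """Return (uid, open_sessions, distinct_hosts, last_seen) per offender."""
    return db.execute(AUDIT_SQL, (max_sessions,)).fetchall()

if __name__ == "__main__":
    for uid, count, hosts, last_seen in over_limit(build_sample_db()):
        print(f"uid={uid} sessions={count} hosts={hosts} last_seen={last_seen}")
```

Accounts excluded from limiting by role or by user will legitimately appear in the result, and rows for expired sessions are counted until session garbage collection removes them.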

     

The Drupal 8 version of the module is in beta and some of the features are to be expected only in future updates. If you have any questions, feel free to add them in the comments below.

Bikash is fond of lines of code that do magic. He loves listening to techno and is a budding car-geek. Likes spending his time browsing through tech sites. Bikash is a big-time Batman fan and believes that Batman can beat anyone.