Kaveh Yzd Kaveh Yzd - 1 month ago 12
PHP Question

Detecting duplicate logins in Symfony's FOSUserBundle

i'm using the FOSUserBundle in my Symfony project and i need to remove duplicate logins. If a user logs in from a different system, I want his/her other session to be disconnected.

Can you please help me on my way?

Answer

The easy way:

Map an activeSessionId field to your User class:

/**
 * @ORM\Entity
 * @ORM\Table(name="fos_user")
 */
class User extends BaseUser
{
    /**
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    /**
     * @ORM\Column(type="string", length=255, nullable=true)
     */
    protected $activeSessionId;

    public function loginWithSessId($sessionId)
    {
        $this->activeSessionId = $sessionId;
    }

    public function logout()
    {
        $this->activeSessionId = null;
    }

    public function getActiveSessId()
    {
        return $this->activeSessionId;
    }
}

Then listen to the security.interactive_login event that will be fired every time the user log in, and save a reference of the session id together with the user:

namespace AppBundle\Security;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
use Symfony\Component\Security\Http\SecurityEvents;
use FOS\UserBundle\Model\UserManagerInterface;

class LoginListener implements EventSubscriberInterface
{
    private $userManager;

    public function __construct(UserManagerInterface $userManager)
    {
        $this->userManager = $userManager;
    }

    public static function getSubscribedEvents()
    {
        return array(
            SecurityEvents::INTERACTIVE_LOGIN => 'onSecurityInteractiveLogin',
        );
    }

    public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
    {
        $user = $event->getAuthenticationToken()->getUser();
        $session = $event->getRequest()->getSession();

        $user->loginWithSessId($session->getId());
        $this->userManager->updateUser($user);
    }
}

You can then register the listener with:

<service id="app_bundle.security.login_listener" class="AppBundle\Security\LoginListener">
    <argument type="service" id="fos_user.user_manager"/>
    <tag name="kernel.event_subscriber" />
</service>

or

# app/config/services.yml
services:
    app_bundle.security.login_listener:
        class: AppBundle\Security\LoginListener
        arguments: ['@fos_user.user_manager']
        tags:
            - { name: kernel.event_subscriber }

Now that your User entity know which session is the last one, you can creare a listener to the security.authentication.success event, and check if the current session id match with the last active one. If it doesn't, then it's not an active session anymore.

namespace AppBundle\Security;

use Symfony\Component\Security\Core\AuthenticationEvents;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Core\Event\AuthenticationEvent;
use Symfony\Component\HttpFoundation\RequestStack;
use FOS\UserBundle\Model\UserManagerInterface;

class AuthenticationListener implements EventSubscriberInterface
{
    private $requestStack;
    private $userManager;

    public function __construct(RequestStack $requestStack, UserManagerInterface $userManager)
    {
        $this->requestStack = $requestStack;
        $this->userManager = $userManager;
    }

    public static function getSubscribedEvents()
    {
        return array(
            AuthenticationEvents::AUTHENTICATION_SUCCESS => 'onAuthenticationSuccess',
        );
    }

    public function onAuthenticationSuccess(AuthenticationEvent $event)
    {
        $token = $event->getAuthenticationToken();
        $sessionId = $this->requestStack->getMasterRequest()->getSession()->getId();
        $activeSessId = $token->getUser()->getActiveSessId();

        if ($activeSessId && $sessionId !== $activeSessId) {
            $token->setAuthenticated(false); // Sets the authenticated flag.
        }
    }
}

Finally:

<service id="app_bundle.security.auth_listener" class="AppBundle\Security\AuthenticationListener">
    <argument type="service" id="request_stack"/>
    <argument type="service" id="fos_user.user_manager"/>
    <tag name="kernel.event_subscriber" />
</service>

or

# app/config/services.yml
services:
    app_bundle.security.auth_listener:
        class: AppBundle\Security\AuthenticationListener
        arguments: ['@fos_user.user_manager']
        tags:
            - { name: kernel.event_subscriber }