Documentation

Warning & Disclaimer

Simultaneous Login Killer (SiLK) has an option to automatically deactivate the accounts of users who might be sharing their login credentials. Emphasis is on "MIGHT". Extreme care is advised if you choose to use that option.

Under certain circumstances, legitimate behavior might get the user's account deactivated. For example, if a user logs in to their account from different devices, it will look like different users to SiLK. It is therefore important that you use sensible settings for the automatic deactivation feature or that you disable it altogether.

A setting such as "deactivate the account if 5 double logins have been flagged in 1 month" is sure to make many users very upset with you. A user who logs in alternately from their desktop, their laptop, or their mobile will get deactivated very quickly.

A more sensible setting would be: "deactivate the account if 5 double logins have been flagged in 30 minutes." We can then assume that 2 different users might be using the account at the same time. This is of course just an example, not to be taken literally.

Ultimately it is up to you to use that automatic deactivation setting or not; and to use it wisely and sensibly.

IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

How it works

  • User A logs in as "userA". A session ID "SessionA" (simplified example) is created and saved.
  • User B logs in as "userA". A session ID "SessionB" (simplified example) is created and saved, overwriting "SessionA".
  • User A tries to load a page on your site, SiLK catches them and logs them out.
  • User B can browse around the site as normal... unless...
  • User A logs in again as "userA". Their new session ID, "SessionC", is stored and overwrites "SessionB".
  • Now User B would be logged out if they load another page.
  • Every time User A or User B is logged out, the logout is recorded and counted.

Requirements

This add-on requires PHP 5.3 and above. It will not work with PHP 5.2 and below.

Options & Settings

Turning SiLK on & off

SiLK can be turned off completely, and it is off by default. Don't forget to turn it on.

Excluding Groups

It is recommended to exclude at least the Administrators group from being logged out continuously but it really depends on each website's specific characteristics. In any case, the main Admin (Super User) will not be flagged and logged out.

Redirecting on Logout

When a user is logged out the default behaviour depends on the situation:

  1. The user was viewing a public page when logged out:
    The user remains on the page.
  2. The user was viewing a private page when logged out:
    The user is taken to the log-in page.

Alternatively, you can use this setting to redirect the user to any page of your choice.

Account deactivation

See Warning & Disclaimer above.

Deactivation timing

You can set accounts to be deactivated after a certain number of simultaneous logins in a certain time span.

If you leave the time field empty, the system will only take into account the number of logouts and not the time span. Say you set the number to 5, the account will be deactivated after 5 logouts whatever the time span.

As expressed in Warning & Disclaimer above, you should be careful with the values you put in these fields.
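The following model is an added example, not SiLK's own code. It reproduces the session-overwrite behaviour from "How it works" and the logout-count threshold from "Deactivation timing", so that the two settings quoted in the warning can be compared on constructed traffic. The class, function and variable names are hypothetical, and it assumes that a device keeps its old session until SiLK logs it out.

```python
from collections import defaultdict

class DoubleLoginModel:
    """Toy model of the behaviour described above; not SiLK's own code."""

    def __init__(self, max_logouts, window_seconds=None):
        self.max_logouts = max_logouts    # logouts allowed before deactivation
        self.window = window_seconds      # None models an empty time field
        self.current = {}                 # account -> most recent session ID
        self.live = {}                    # session ID -> account (device still holds it)
        self.logouts = defaultdict(list)  # account -> timestamps of forced logouts
        self.deactivated = set()

    def login(self, account, session_id):
        self.current[account] = session_id   # overwrites the previous session ID
        self.live[session_id] = account

    def page_load(self, account, session_id, now):
        if account in self.deactivated:
            return "deactivated"
        if self.live.get(session_id) != account:
            return "anonymous"               # this device has no session yet
        if self.current[account] == session_id:
            return "ok"
        del self.live[session_id]            # stale session: force a logout
        self.logouts[account].append(now)
        recent = [t for t in self.logouts[account]
                  if self.window is None or now - t <= self.window]
        if len(recent) >= self.max_logouts:
            self.deactivated.add(account)
            return "deactivated"
        return "logged_out"

def replay(visits, max_logouts, window_seconds):
    """Replay (time, device) page loads; a kicked device logs in again. True = deactivated."""
    model, sessions = DoubleLoginModel(max_logouts, window_seconds), {}
    for n, (now, device) in enumerate(visits):
        result = model.page_load("userA", sessions.get(device), now)
        if result == "deactivated":
            return True
        if result != "ok":
            sessions[device] = f"session{n}"
            model.login("userA", sessions[device])
    return False

HOUR, DAY = 3600, 86400
# Constructed data: one person on three devices over three days.
one_person = [(d * DAY + h * HOUR, dev) for d in range(3)
              for h, dev in ((9, "desktop"), (13, "phone"), (20, "laptop"))]
# Constructed data: two people alternating page loads every two minutes.
two_people = [(i * 120, "A" if i % 2 == 0 else "B") for i in range(8)]
```

With a limit of 5, `replay(one_person, 5, 30 * DAY)` deactivates the single multi-device user on the third day, while `replay(one_person, 5, 30 * 60)` leaves them alone and `replay(two_people, 5, 30 * 60)` still deactivates the shared account.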

Fair warning

Some time before deactivating an account you can choose to give the user a fair warning. The warning will be a modal popup with a heading, a text, and a captcha to solve before being able to close the popup just to make sure they pay attention.

You choose how many logouts should happen before the warning (within the same time span set for deactivation) and you write a heading and a message for the popup, both optional.

Default warning

The default warning to the user reads:

Heading: Suspicious Activity Detected!

Dear {User name},

it seems your account is being used by more than one person. As a result you and those other users have already been logged out {Number of logouts} time(s) in less than {Time frame}.

If this goes on, we will have no choice but to deactivate your account.

If you feel this warning is unjustified and you have no knowledge of others using your login credentials, please contact us as soon as possible to allow us to deal with the situation accordingly.

Thank you for your understanding.

Notification Emails

Whenever an account is deactivated, you can choose to have emails sent to the account's owner and to the Admin. Both are optional.

If you choose to send an email to the account's owner, you have the choice between the default template and writing your own email. Simply leaving the email message field empty will force the system to use the default template.

Default emails

The default email to the user reads:

Subject: Your {site's name} account was deactivated

Dear {User name},

Following what appears to be the repeated use of your account by a third party, we have decided to deactivate it to prevent its fraudulent use by others.

Please contact us as soon as possible through the site {site's address} to deal with this matter.

Thank You!

Email and warning text variables

If you write custom email and warning messages, there are 4 variables for emails and 3 for warnings that you can use in your text. These variables will be automatically replaced by their value when the email is sent or the warning is shown. These variables are:

  • !!userName!!
    Automatically replaced by the user's name.
  • !!userEmail!!
    Automatically replaced by the user's email.
  • !!nbrLogouts!!
    Automatically replaced by the number of logouts for that user to date.
  • !!timeFrame!!
    Automatically replaced by the time frame you set in the deactivation parameters.

Redirecting on deactivation

When a user's account is deactivated the default behaviour is the same as when logged out since the user will be logged out before the account is deactivated.

When attempting to log back in, Concrete5 will show a message stating that the account was deactivated.

Here you can specify a page to redirect the user to upon deactivation.

Delete user data

When a user is logged out or their account deactivated, data is saved for statistical purposes in a database table.

If you decide later on to delete that user account manually you can choose to keep or delete that statistical data.

If you keep it, when looking at SiLK's statistics, those users will be presented as having been deleted to distinguish them from active users.