Single session restriction

Bug #1640545 reported by Paul Everitt
Affects: KARL4
Status: Fix Released
Importance: High
Assigned to: Carlos de la Guardia
Milestone: none listed

Bug Description

tl;dr Only allow one "device" (browser+computer) to be logged in simultaneously.

Let's say someone is logged in. Then some bad guy logs in with their username. The first person should be notified immediately by getting kicked out of their login with a message saying there's a second login.

Specs

- This can likely use the work in the other ticket that has a "device" tracking cookie

- We'll need a new field on the profile, to set the active "device"

- Nat can provide the message that appears in the login form's message box explaining to the logged-out user the reason for the logout

Tags: auth
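One way to implement the spec above, as an added example that is not KARL's own code: a per-browser "device" id is issued at login and stored as the profile's single active device, and any request whose device cookie no longer matches is terminated with the second-login message. The `Profile`, `SingleSessionStore` and `check` names are assumptions; the text quoted as the message is shortened.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Shortened version of the message the logged-out user sees (assumed text).
SECOND_LOGIN_MESSAGE = (
    "Your account has just been accessed from another browser or device, "
    "so this user session has been terminated."
)


@dataclass
class Profile:
    username: str
    active_device: Optional[str] = None  # the new profile field from the spec


class SingleSessionStore:
    """Hypothetical in-memory stand-in for the profile storage."""

    def __init__(self) -> None:
        self.profiles = {}

    def login(self, username: str, device_cookie: Optional[str] = None) -> str:
        """Reuse the browser's device cookie (or issue a fresh random one)
        and make it the only active device; any other device is kicked out."""
        profile = self.profiles.setdefault(username, Profile(username))
        device = device_cookie or secrets.token_urlsafe(16)
        profile.active_device = device
        return device

    def check(self, username: str, device_cookie: Optional[str]) -> Tuple[bool, str]:
        """Return (allowed, message) for a request carrying device_cookie.
        A mismatch means a second login happened: terminate and explain."""
        profile = self.profiles.get(username)
        if profile is None or profile.active_device is None:
            return False, "not logged in"
        # Constant-time compare so the cookie check leaks nothing via timing.
        if not secrets.compare_digest(profile.active_device, device_cookie or ""):
            return False, SECOND_LOGIN_MESSAGE
        return True, ""

    def logout(self, username: str, device_cookie: Optional[str]) -> None:
        """Explicit logout clears the slot only if this device still holds it,
        so a stale, already-kicked device cannot log out the newer one."""
        profile = self.profiles.get(username)
        if profile and profile.active_device == (device_cookie or ""):
            profile.active_device = None
```

Note that, as the comments below point out, nothing here stops the kicked-out browser from logging in again and reclaiming the slot; only a password change ends that loop.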
Revision history for this message
Paul Everitt (paul-agendaless) wrote :

Nat, a few things:

- Can you review this to make sure it is correct?

- Can you provide the text to display in the login-form warning?

- Also, let's understand that the good guy (first login) and the bad guy (second login)
  can simply enter a login war, endlessly kicking the other out. (Unless the good guy
  changes the password.)

Nat Katin-Borland (nborland) wrote :

Message text:

To protect the security of your account KARL only allows one active user session at a time. Your account has just been accessed from another browser or device, so this user session has been terminated. To resume this session, please log out of KARL on any other browsers or devices.

If you did not log in to your KARL account from another device, your account may have been compromised. To protect the integrity of your account we recommend that you immediately change your password (link to https://karl.soros.org/reset_request.html). If you have any questions or concerns contact the KARL support team at <email address hidden>.

-The KARL Team

-----

Open to comments on the text if you think I left anything important out.

Totally understand that the single active session rule doesn't protect the legitimate user from bad actors, but I'm hoping that the line in the message text about changing the password will at least help.

Thanks,
Nat

Carlos de la Guardia (cguardia) wrote :

This is now on the suspicious_logins branch. Note that the text is too long to appear in the yellow alert box above the login form. I put just a fragment for now. Let me know how you wish to handle this.

Changed in karl4:
status: New → Fix Committed
Paul Everitt (paul-agendaless) wrote : Re: [Bug 1640545] Single session restriction

I guess the two alternatives are:

- Have a different “alert”, just for the login box, maybe under the submit buttons

- Like the account locked change, we could redirect to a page that explained the situation

Is one easier than the other? (I suspect the first is a lot easier.)

—Paul

> On Nov 16, 2016, at 4:01 AM, Carlos de la Guardia <email address hidden> wrote:
>
> This is now on the suspicious_logins branch. Not that the text is too
> long to appear in the yellow alert box above the login form. I put just
> a fragment for now. Let me know how you wish to handle this.

Carlos de la Guardia (cguardia) wrote :

Went for option one. Also, fixed a bug. It's all on the branch now.

Changed in karl4:
status: Fix Committed → Fix Released