I've been asked to look at converting our traditional client-server software into a web-based version (using PHP).
One of the first questions from management was how we'd limit the number of concurrent users, currently handled by our licence manager that every client connects to when running our apps.
My initials thoughts:
- Check the number of open sessions on the server (only with valid users that have logged in).
- Logging each login/logout to a DB table and counting them.
Is there a standard/best practice way of limiting the number of concurrent users who can log into a web app?
Best Answer
Be very very very careful with this. Make sure you have an idle session timeout and that you know what it is. Document it. Configurable would be great too.
The reason why this is dangerous on the web is that the lifecycle of a session is not as simple as it appears. People tend to evaluate sessions based on the happy path. User logs in, then logs out.
But some things to consider:
I have seen some of these concerns handled. It can be done. But it's complicated, so be warned.
If you choose the counting logins and logouts in the database approach, you still have some of the same problems. What if a user never logs out, but the session times out? I have seen this solved in Java EE by defining a SessionBindingListener, so that when a session times out, we can go to the database and invalidate their login. I'm not sure if PHP can do the same thing. As PHP code is only invoked when an HTTP request comes in, I doubt it can be done. But I am not a PHP expert.