
Thread: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Build 3

  1. #1
    ziziphus is offline Sugar Community Member
    Join Date
    Feb 2008
    Posts
    10

    Question BAD BUG: Multiple Simultaneous Logins by Same User Possible: V5.0.0b (Build 3150)

    RE: Version 5.0.0b (Build 3150); XAMP: WindowsXP

    This version of Sugar Community allows multiple, simultaneous, unrestricted logins to all accounts ... from multiple IPs, machines, and domains! That is, it allows lots of clients to log in to the same account all at the same time!

    IS THERE SOMETHING WE ARE MISSING HERE?

    There is nothing under the Admin tab that addresses this problem, or in the documentation, as far as I can find.

    Thanks
    Last edited by ziziphus; 2008-03-19 at 05:02 PM. Reason: (shorten title so all of it can be read)

  2. #2
    Angel is offline Sugar Community Member
    Join Date
    Jul 2005
    Location
    Los Angeles
    Posts
    4,813

    Default Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Build 3

    I wouldn't classify this as a bug.

    For one, it is not unusual for an application to allow this type of behavior, not justifying it, just pointing out that there is a need for it for which other vendors have allowed it to exist as well.

    I can think of a couple of reasons why you would want to restrict the logins...

    For example, suppose I am a help desk technician and my work in Sugar involves working with the Cases module. Several different cases are assigned to me throughout the day. I make my rounds through the office addressing the various issues. Rather than handwriting my notes for the resolution or what I may need (e.g. computer parts) for each case/computer, it is much more efficient if I can just pull up the case in Sugar and directly add my notes while at the workstation, or for that matter, from a Smartphone. Better yet, what if I need to pull up some info from a similar Case to get to my solution?

    If I am only allowed to login from one location, I have to remember to logout each time I leave a workstation, and if I don't, I am out of luck as far as being able to access Sugar again until I get back to where I last logged in.

    What if I am 2 floors away from that workstation?
    Regards,

    Angel Magaña
    Co-Author: Implementing SugarCRM 5.x (Packt Publishing -- Sept. 2010)
    Blog: http://cheleguanaco.blogspot.com.
    Twitter: @cheleguanaco.

    ________
    | Projects: |_____________________________________
    |
    | CandyWrapper (.NET Wrapper for SugarCRM SOAP API). Source now available on GitHub!
    | GoldMine to SugarCRM Express Conversion. Latest: 1.0.1.7 (Nov. 3, 2009)
    | CRM SkyDialer (Skype Integration). Latest: 1.0.2 (Feb. 17, 2010)
    | Round Robin Leads Assignment
    | Phone Number Formatter
    | CaseTwit (Twitter Integration)
    ______________________________________________

  3. #3
    ziziphus is offline Sugar Community Member
    Join Date
    Feb 2008
    Posts
    10

    Default Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Bui

    Quote Originally Posted by Angel
    I wouldn't classify this as a bug.

    For one, it is not unusual for an application to allow this type of behavior, not justifying it, just pointing out that there is a need for it for which other vendors have allowed it to exist as well.

    I can think of a couple of reasons why you would want to restrict the logins...

    For example, suppose I am a help desk technician and my work in Sugar involves working with the Cases module. Several different cases are assigned to me throughout the day. I make my rounds through the office addressing the various issues. Rather than handwriting my notes for the resolution or what I may need (e.g. computer parts) for each case/computer, it is much more efficient if I can just pull up the case in Sugar and directly add my notes while at the workstation, or for that matter, from a Smartphone. Better yet, what if I need to pull up some info from a similar Case to get to my solution?

    If I am only allowed to login from one location, I have to remember to logout each time I leave a workstation, and if I don't, I am out of luck as far as being able to access Sugar again until I get back to where I last logged in.

    What if I am 2 floors away from that workstation?

    I don't think you read my thread correctly. This version of Sugar allows SIMULTANEOUS logins to the same account. This is a serious problem which can result in an inestimable number of data and security problems. No application allows this! The entire purpose of logins is so that a user must log out from an account before a new session for the same user can log back in.
    Last edited by ziziphus; 2008-03-19 at 06:23 PM. Reason: (fix spelling errors)

  4. #4
    Angel is offline Sugar Community Member
    Join Date
    Jul 2005
    Location
    Los Angeles
    Posts
    4,813

    Default Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Bui

    Quote Originally Posted by ziziphus
    I don't think you read my thread correctly. This version of Sugar allows SIMULTANEOUS logins to the same account. This is a serious problem which can result in an inestimable number of data and security problems. No application allows this! The entire purpose of logins is so that a user must log out from an account before a new session for the same user can log back in.

    My reply was in response to your specific point about simultaneous logins.

    While you may not be aware of any apps that allow for this, that doesn't mean they don't exist. I have two that behave in that exact manner installed on my system right now. In fact, one of them even tells me that I am already logged in elsewhere if I login simultaneously from another machine.

    Perhaps you should consider doing a little more research.

    In any case, good luck finding a solution.
    Regards,

    Angel Magaña
    Co-Author: Implementing SugarCRM 5.x (Packt Publishing -- Sept. 2010)
    Blog: http://cheleguanaco.blogspot.com.
    Twitter: @cheleguanaco.


  5. #5
    coreyfournier is offline Junior Member
    Join Date
    Jan 2008
    Posts
    1

    Default Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Bui

    Wake up!!

    Lots of applications allow this.
    It's not worth the overhead to keep track of this. 1 user should only be allowed to know 1 password. It is your fault for allowing the several users to know several passwords.

  6. #6
    ziziphus is offline Sugar Community Member
    Join Date
    Feb 2008
    Posts
    10

    Talking Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Bui

    The following historic thread indicates that this issue has been a problem in past versions, and has been a point of contention: http://www.sugarcrm.com/forums/showthread.php?t=10889

    A Sugar Hero previously working on the problem stated: "The fact that the same user/password can be used on 2+ different IPs is behavior we deliberately code against." A Senior Member said: "If your users are logging-in from different IPs, then this is a bug. Every page render compares sessions, login info on the DB side, and some other internal security measures". This was presented in the context of "logins at the same".

    This may be a particular problem for MySQL connections, and other relational databases, because transactions are serialized, often using the application's client-state/session variables for this purpose. It could certainly create convolution and terrific confusion in any user session logs. Also, when a user logs into most applications, session variables are serialized and locked to prevent corruption by other users.

    It would appear that research needs to be conducted to see how this problem crept in, and how, if ever, it was solved in the past.

    As web developers we have never seen an application that allows simultaneous logins to the same account from diverse locations. This makes tracking and control of legitimate users virtually impossible. It allows others using the same account to accidentally step on other users and potentially corrupt their records. While they view one screen, remote users, using the same account, may be making changes in the background.

    When a user attempts to login to an account already in use, most applications display a warning message and a button to close the other open session, e.g., ConcourseSuite (CRM), Windows, Linux, etc.

    It is imperative in a multiuser environment that each user be assured that he is viewing and working with current data at all times, and that such data and information is not being manipulated in the background by another user simultaneously logged in from a different location. That's why applications typically do not allow this. Who would want multiple users to be able to invisibly login (in the background) to their Windows account, change files and settings in the background, and conduct network business with their credentials? This is but one small example of the magnitude of this issue.
    Last edited by ziziphus; 2008-03-19 at 07:17 PM.

  7. #7
    ziziphus is offline Sugar Community Member
    Join Date
    Feb 2008
    Posts
    10

    Default Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Bui

    Quote Originally Posted by corey fournier
    Wake up!!

    Lots of applications allow this.
    It's not worth the overhead to keep track of this. 1 user should only be allowed to know 1 password. It is your fault for allowing the several users to know several passwords.

    For your very first post on this forum you are not doing very well. "Wake up" is not a very polite beginning and is not likely to win much consideration from me, other than what follows:

    It seems that so few people ever speak to the problem or question being presented. Too many blindly, and without offering any factual basis whatsoever, simply defend the application and then make obnoxious comments. It's OK to disagree, if it can be done rationally. And it's certainly good to debate the points and merits from various viewpoints.

    Concerning the problem, you said "Lots of applications allow this". So let me put your comment in perspective for you:

    NAME ONE WELL-KNOWN APPLICATION, WEB OR OTHERWISE, (aside from SUGAR) THAT ALLOWS TWO SIMULTANEOUS LOGINS FROM DIFFERENT LOCATIONS USING THE SAME ACCOUNT, WHILE ALLOWING THE FIRST LOGIN SESSION TO BE KEPT ALIVE?

    I'll be waiting.

  8. #8
    JVWay is offline Sugar Community Member
    Join Date
    Sep 2007
    Location
    Corvallis, Oregon
    Posts
    452

    Default Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Bui

    Quote Originally Posted by ziziphus

    When a user attempts to login to an account already in use, most applications display a warning message and a button to close the other open session, e.g., ConcourseSuite (CRM), Windows, Linux, etc.

    .

    Hmm, I'm doing this in Salesforce right now. In fact I'm logged in from two separate PCs on my network and another completely off my network from a remote connection. Seems like if it was such an issue Salesforce would have prevented it.

    Are you also seriously contending that I can't be logged into simultaneous sessions of Windows and Linux? As a system admin that would be completely unacceptable. I couldn't install more than one system at a time. Old Novell systems used to allow you to set a limited number of logins but you could change the number or make it unlimited. We've used multiple wikis here and I can be logged in a number of times. I manage a huge number of users on a very complex questionnaire writing system that I can easily be logged in any number of times; simultaneously.

    A well written system will manage the connections and save the records just fine. I think you're off base with your concern here.
    Jerry Way
    Business Process Administrator

    Sugar 6.1.4 Professional
    (Testing 6.1.2)
    LAMP on Centos 5
    PHP 5
    MySQL 5
    Apache 2.2

  9. #9
    clint is offline Sugar Team Member | Forums Lead Moderator
    Join Date
    Aug 2004
    Location
    Silicon Valley
    Posts
    2,120

    Default Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Bui

    This is not a bug. We allow multiple logins of the same userid from different IP addresses at the same time.

    However, we do kill a session if an IP address changes during the session.

    Clint Oram
    Chief Technology Officer and Co-founder
    SugarCRM
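
The policy stated in post #9 (concurrent sessions for one user ID are allowed, but a session is killed when its IP address changes), together with the "already logged in elsewhere" notice and the close-other-sessions option mentioned earlier in the thread, modelled in memory. This is an added example, not SugarCRM code or part of any post; the class name, method names and the 30-minute idle timeout are assumptions.

```python
import secrets
import time


class SessionStore:
    """In-memory model: many sessions per user, each pinned to one client IP."""

    def __init__(self, idle_timeout=1800):  # timeout value is an assumption
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session id -> {"user", "ip", "last_seen"}

    def login(self, user, ip, now=None):
        """Open a session; return (session id, IPs of the user's other live sessions)."""
        now = time.time() if now is None else now
        self._expire(now)
        others = sorted({s["ip"] for s in self._sessions.values() if s["user"] == user})
        sid = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[sid] = {"user": user, "ip": ip, "last_seen": now}
        return sid, others  # caller can show "already logged in elsewhere"

    def validate(self, sid, ip, now=None):
        """Return the user for a valid request, else None. An IP change kills the session."""
        now = time.time() if now is None else now
        self._expire(now)
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["ip"] != ip:
            del self._sessions[sid]  # presented from another address: destroy it
            return None
        session["last_seen"] = now
        return session["user"]

    def revoke_others(self, sid):
        """Close the same user's other sessions; return how many were closed."""
        current = self._sessions.get(sid)
        if current is None:
            return 0
        doomed = [k for k, s in self._sessions.items()
                  if s["user"] == current["user"] and k != sid]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def _expire(self, now):
        stale = [k for k, s in self._sessions.items() if now - s["last_seen"] > self.idle_timeout]
        for k in stale:
            del self._sessions[k]
```

Pinning a session to one IP limits reuse of a copied session identifier from another address, but it also logs out users whose address changes legitimately, for example on mobile networks or behind rotating proxies.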

  10. #10
    Angel is offline Sugar Community Member
    Join Date
    Jul 2005
    Location
    Los Angeles
    Posts
    4,813

    Default Re: BAD BUG: Multiple Simultaneous Logins by Same User Possible: Version 5.0.0b (Build 3

    Thanks for the definitive answer on this matter, Clint.

    I am happy to see that Sugar does not consider it a bug either.
    Regards,

    Angel Magaña
    Co-Author: Implementing SugarCRM 5.x (Packt Publishing -- Sept. 2010)
    Blog: http://cheleguanaco.blogspot.com.
    Twitter: @cheleguanaco.

