[Gametize Tech] Security: Disallow concurrent admin and player login

Implementation Pseudo Code

Current Features:

• To log player out if the same account is used to log into the admin portal.

• To log admin out if the same account is used to log into the player web/app (API).

Currently, we already have concurrent login/session enforcement but not a cross between admin and player login.

• For admin concurrent login control - It can be toggled via config table by key: ADMIN_CONCURRENT_LOGIN

• For player concurrent login control - It has to be manually configured on platform source code via Config.class by key ENABLE_MULTIPLE_DEVICE_SESSION

For the current concurrent session enforcement for API:

• API session data:

  • Active (1/0)

  • Logout (Timestamp - If have not logged out, it will be a null)

• When logging in via API:

  • We will update all the other the user’s session to inactive.

• When logging out:

  • We will update all the other the user’s session to inactive.

  • We will populate the Logout timestamp.

• When concurrent login is disabled:

  • CheckSession will validate session based on:

    • Session data is available and Logout timestamp is not null.

  • Session key is only invalid if Logout timestamp has been populated.

• When concurrent login is enabled:

  • CheckSession will validate session based on:

    • Session data is available and Logout timestamp is not null.

    • Session data is available and Active status is not 0.

General:

• We need to create new config in config table by key ADMIN_PLAYER_CONCURRENT_LOGIN

• By default: true (We allow concurrent login; minority request to be otherwise)

• Override the 2 current enforcement settings (Above) if value is false

• Meaning if enabled:

  • No concurrent admin login allowed

  • No concurrent player login allowed

  • No concurrent player and admin login allowed (If same account ID)

From Player Login Perspective:

• Upon successful login via API (Must cater standard, SSO and Social Connect)

• Step 1: Deactivate any other of the player current API session (1 unique valid API login only)

• Step 2: (If Redis is available) Terminate all of the admin current web session

From Admin Login Perspective:

• Upon successful login via Admin web portal (Must cater standard, SSO and Social Connect)

• Step 1: (If Redis is available) Terminate any other of the admin current web session (1 unique valid web session only)

• Step 2: Deactivate all the player current API session

Note:

The article's technical specifications and details are subject to potential changes based on our discretion. It is important to note that the information presented in the article might have become outdated or lost its relevance in the present context.

If you are interested to learn more about this, please drop an email to support@gametize.com with your queries regarding the article!