Disable Concurrent Logins to ViewX

ChrisHinton · ‎2025-06-06

Hi all,

We are looking at forcing users to only one ViewX session and would like to disable concurrent logins for users (I'm sure its more complicated under the bonnet) to only one ViewX session to prevent multiple logins.

I appreciate ViewX probably has multiple connections back to the server, but we are hoping to limit it to 1 ViewX session.

I've seen similar questions on here, but not sure what anyone else has tried / been successfull ?
(example: Multiple People Not Logging In To The Same Account At The Same Time - Schneider Electric Community)

We don't use AD logins and only utilise ViewX - has anyone tried anything quickly and dirty like logic looking for 'Logged In' events and disabling users if you see two in a row without a 'logged off' event or similar (I'm sure this will have many pit falls).

BevanWeiss · ‎2025-06-09

There's no particularly easy way that I can think of to do this.

It would probably want to involve VB Scripting on a 'default mimic' that all users are first directed to.

That VB Scripting would somehow have to work out that this is the 'non first' connection and then it could just force a LogOff action.

If it is a legit connection, then it could just re-Navigate to the proper user page (you might need to create a new Metadata field on the CUser table to hold the 'Real Default Mimic'.. to restore some of the out of the box functionality of GeoSCADA.. where it lets users have custom first pages).

I'm not sure if you could easily work out if you're not the first connection though. I don't think there's like a 'connection count' that is available anywhere accessible to the ViewX clients.

IP address might be an option. I think if there's only one connection then it's a valid IP / hostname shown.. if there's multiple, then I think it's blank. But I'm unsure of whether it goes from blank back to a valid IP/hostname on a logoff...

You'll want to look through the CUser table data to check on what might be possible.

It might be something that is sufficiently 'cyber security happiness' that if you put it forward as a feature request then it might get picked up and implemented. I'd think like a tick-box on the User which would 'Disallow Multiple Sessions', and the GeoSCADA Server could disallow LogOns for that account if there is already an active Connection which is logged in under that account.

Although there might be gotchas to it, i.e. if an IP/port changes for some reason (like network glitch) then that account would be locked out for a period of time until the prior connection expires (which might be several minutes.. even worse if there's some kind of proxy that keeps the TCP connection alive).

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..

ChrisHinton · ‎2025-06-10

Bevan,

thanks for your thoughts, there's a good amount of script + then logic I could utilise here, and hopefully not make it too janky.

I'm sure I could use the 'Last login time' + 'last logoff time' vs Now() quite a bit to figure out if this is their only session, but I'm still going to have to disable their user (on both attempted sessions I think).

I've luckily already got some script that stores metadata against users (to detect location) on the landing pages so shouldn't be too bad to shove something together....

Cheers,

Chris

gabarit · ‎2025-06-11

Hi,

Logout on Inactivity

Maybe this will help you

ChrisHinton · ‎2025-06-12

Gabarit,

Thanks for the reply, but sadly we already utilise this and doesn't stop two concurrent logins that are both active.

Cheers,

Chris

AdamWoodlandToo · ‎2025-06-17

There really isn't an easy way to do this, the problems are compounded with the fact that users can connect to multiple systems, and multiple servers within each system, and users move servers when servers change roles. Feeding the logon data back to the Main means that any reads, when connected to a Standby, is about 5 seconds too old to be "valid".

Whatever you may come up with the properties on CDBUser such as IsLoggedOn, LastLogonTime and PreviousLogoffTime you're going to find ways around it. You might have some success with CurrentNamedWkstns and counting those, but then you add a whole level of administration with each possible workstation requiring a unique name defined in Configure Connections.

Detecting is the first hurdle, then what do you do about it? If at logon then your homepage could have a script that works it out and logs you out, but what happens if the concurrency is detected later? Can't disconnect a user session sadly, disabling and renaming a user's object is going to cause issues.

As Bevan mentioned above, certainly worth raising as a feature request (has been discussed many times before, more people who raise it more likely for it to be implemented), especially as IEC62443-3-3 SR 2.7 has this as a requirement for anything SL 3 or 4.

sbeadle · ‎2025-06-18

Note - as a suggestion, this is a way to inform a user that another login to the same user was successful elsewhere on the system so that a user who did not expect it could report the issue:

'Add this code only in the home page for a client, not to be displayed at other times
'(You can make the users home page 'chain' to display another 'real' home page display after running this code).
sub Mimic_Load()
	Sleep( 500)
	u = Server.Username
	
	q = "SELECT FullName FROM CDBUSER WHERE Name = '" & u & "'"
	set r = Server.Query( q)
	rows = r.Rows
	f = rows(0,0)
	set a = Server.FindObject(f)

	'Send a message - this will inform ALL sessions for this user name
	a.interface.NotifyUser "Security Check", "User " & u & " logged in at " & Time & ". Did you expect this?"
	'Custom message code can be in the OnMessageReceived function in the Global Script for a client. 
end sub

Disable Concurrent Logins to ViewX

Disable Concurrent Logins to ViewX

This is a heading