Securely enforcing call to Meteor.logoutOtherClients


Looking around for an answer to this (and as mentioned explicitly in another post by @hwillson here: Wrestling with Meteor.logoutOtherClients()):
Accounts.onLogin doesn't need to be called in your Template; you can call it anywhere. Meteor.logoutOtherClients can only be called client side, however.

If Meteor.logoutOtherClients can only be called client side, can’t the client theoretically modify the code and be able to login without logging out other clients?

I have an app where I want to enforce that when User A logs in, if anyone else was using A’s account, it would be logged out immediately upon A logging in.

How can I enforce that server side?



Really enforcing something is always tricky with JS.
If you want to do it server side, an approach that has been floated somewhere else is logging the IP address or other client-specific data. If you check this on the server, you could log the client out when you see a change.
Another approach would be sending a cookie from the server. If you can no longer find it, log the client out.

Mark, though, that logoutOtherClients works reasonably well. (I’m using it to kick students out of their account to prevent using the same paid account for multiple students.) If you are really doing something where you are worried about people hacking minified client-side code… there are probably other, easier attack vectors?




Gotcha, thanks for the suggestions. Good to know I was not missing anything at least.