I am developing a website which authenticates its users based on a mobile number already registered in an external application's database and allows further journey on the website. How do I prevent users from authenticating with the same mobile number from two different devices at the same time? I am using the Django framework for the website's development.
Note: Django's auth model is not being used here. Also, each session will time out after 30 mins of inactivity, which is being handled by the django-session-timeout library. Use of a custom database and tables is allowed.
A simple solution would be to have an "active sessions" table that stores the user's unique identifier (seems to be the phone number in your case), Django's session key, and a timestamp. You would need to update the row every time the user engages with your website (new page, new API request, etc.) so that you can tell whether the session is active or not.
When another user wants to use the same phone number, you could check if there is a row, and check the timestamp. If the timestamp is relatively recent (30 mins seems like a good option for you since you drop sessions after 30 mins) then you could block the user from logging in.
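As an added illustration of the answer above (not code from the question or the answer), here is the "active sessions" table and the check-then-claim logic in plain Python with SQLite standing in for the Django model. Table, column and function names are assumptions; the check and the claim run in one write transaction so two devices racing at the same moment cannot both pass the check.

```python
import sqlite3
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(minutes=30)  # matches the 30-min session timeout


def open_store():
    """In-memory stand-in for the Django-managed 'active sessions' table (assumed schema)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions below
    conn.execute(
        "CREATE TABLE active_session ("
        " phone TEXT PRIMARY KEY, session_key TEXT NOT NULL, last_seen TEXT NOT NULL)"
    )
    return conn


def touch(conn, phone, session_key, now):
    """Call on every request of an authenticated session to refresh its activity timestamp."""
    conn.execute(
        "INSERT OR REPLACE INTO active_session(phone, session_key, last_seen) VALUES (?, ?, ?)",
        (phone, session_key, now.isoformat()),
    )


def try_login(conn, phone, session_key, now):
    """Return True and claim the phone number, or False if another session is still live."""
    conn.execute("BEGIN IMMEDIATE")  # write lock: no second device can interleave its check
    try:
        row = conn.execute(
            "SELECT session_key, last_seen FROM active_session WHERE phone = ?", (phone,)
        ).fetchone()
        if row is not None:
            other_key, last_seen = row
            idle = now - datetime.fromisoformat(last_seen)
            if other_key != session_key and idle < INACTIVITY_LIMIT:
                conn.execute("ROLLBACK")
                return False  # a different device holds a session that is still active
        touch(conn, phone, session_key, now)  # stale or absent row: this device takes over
        conn.execute("COMMIT")
        return True
    except Exception:
        conn.execute("ROLLBACK")
        raise


def logout(conn, phone, session_key):
    """Release the phone number when this session ends; only the owning session may do so."""
    conn.execute(
        "DELETE FROM active_session WHERE phone = ? AND session_key = ?", (phone, session_key)
    )
```

Wire touch() into a middleware so it runs on each authenticated request, and call logout() from the logout view and from the session-timeout hook so the row does not linger for the full 30 minutes after an explicit sign-out.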