Simultaneous Login Killer (SiLK) has an option to automatically deactivate acoounts of users who might be sharing their login credentials. Emphasis is on "MIGHT". Extreme care is advised if you choose to use that option.
Under certain circumstances, legitimate behavior might get the user's account deactivated. For example if a user logs in their account from different devices, to SiLK it will look like different users. It is then important that you use sensible settings for the automatic deactivation feature or that you disable it altogether.
A setting such as: "deactivate the account if 5 double logins have been flagged in 1 month" is sure to make many users very upset at you. A user who logs in alternatively from their desktop, their laptop, or their mobile will get deactivated very quickly.
A more sensible setting would be: "deactivate the account if 5 double logins have been flagged in 30 minutes." We can then assume that 2 different users might be using the account at the same time. This is of course just an example not to be taken litterally.
Ultimately it is up to you to use that automatic deactivation setting or not; and to use it wisely and sensibly.
SiLK can be totally turned off and is by default. Don't Forget to turn it on.
It is recommended to exclude at least the Administrators group from being logged out continuously but it really depends on each website's specific characteristics. In any case, the main Admin (Super User) will not be flagged and logged out.
When a user is logged out the default behaviour depends on the situation:
Alternatively, you can use this setting to redirect the user to any page of your choice.
See Warning & Disclaimer above.
You can set accounts to be deactivated after a certain number of simultaneous logins in a certain time span.
If you leave the time field empty, the system will only take into account the number of logouts and not the time span. Say you set the number to 5, the account will be deactivated after 5 logouts whatever the time span.
As expressed in Warning & Disclaimer above, you should be careful with the values you put in these fields.
Some time before deactivating an account you can choose to give the user a fair warning. The warning will be a modal popup with a heading, a text, and a captcha to solve before being able to close the popup just to make sure they pay attention.
You choose how many logouts should happen before the warning (within the same time span set for deactivation) and you write a heading and a message for the popup, both optional
The default warning to the user reads:
Whenever an account is deactivated, you can choose to have emails sent to the account's owner and to the Admin. Both are optional.
If you choose to send an email to the account's owner, you have the choice between the default template and writing your own email. Simply leaving the email message field empty will force the system to use the default template.
The default email to the user reads:
If you write custom email and warning messages, there are 4 variables for emails and 3 for warnings that you can use in your text. These variables will be automatically replaced by their value when the email is sent or the warning is shown. These variables are:
When a user's account is deactivated the default behaviour is the same as when logged out since the user will be logged out before the account is deactivated.
When attempting to log back in, Concrete5 will show a message stating that the account was deactivated;
Here you can specify a page to redirect the user to upon deactivation.
When a user is logged out or their account deactivated, data is saved for statistical purposes in a database table.
If you decide later on to delete that user account manually you can choose to keep or delete that statistical data.
If you keep it, when looking at SLK's statistics, those users will be presented as having been deleted to distinguish them from active users.