=== Vegestic - Users Login Limit ===
Contributors: vegesticsolutions, aqifaziz
Tags: login, sessions, security, concurrent login, user management
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Control concurrent login sessions per user — set limits, track login history, and force logout from your dashboard.

== Description ==

**Vegestic - Users Login Limit** lets WordPress administrators control how many simultaneous login sessions each user can have. This is useful for shared accounts, subscription sites, membership sites, and any site where you want to prevent credential sharing.

= Key Features =

* **Session Limiting** — Set a maximum number of concurrent sessions per user. When the limit is reached, new login attempts are blocked until an existing session ends.
* **Login History** — Track up to 50 login and blocked-attempt records per user, with timestamps and status.
* **IP Address Logging** — Automatically records the IP address on each login event.
* **Location Detection** — Resolves the approximate geographic location from the IP address using free public geo APIs. Results are cached to minimize external requests.
* **Active Sessions View** — See all currently active session tokens for a managed user with login time and device information.
* **Force Logout** — Destroy all active sessions for a user with one click, right from the dashboard.
* **Custom Block Message** — Edit the error message shown on the login page when a user exceeds their session limit.
* **CSV Export** — Export a user's full login history to a CSV file from the User Details page.
* **Unlimited Protected Users** — Add as many users to the block list as you need.
* **GDPR / Privacy Ready** — Integrates with WordPress's built-in privacy data exporter and data eraser tools.

= How It Works =

1. Go to **Vegestic - Users Login Limit → Block Users** and add a user.
2. Set their session limit (e.g., 1 for a single device, 2 for two devices).
3. Enable the limit for that user.
4. From that point on, when the user tries to log in from more devices than their limit allows, they will see a block message and be prevented from creating a new session.

= Privacy =

This plugin records the following data for users on the protected list, stored in WordPress user meta (`wpll_login_meta`):

* Login timestamp
* IP address of each login
* Approximate geographic location derived from the IP (via free public geo-IP APIs)
* Browser user agent string
* Session token identifiers

**No data is sent to third-party services** unless you are using the geo-location feature, which makes outbound HTTP requests to free public APIs (ipapi.co, ipwho.is, freeipapi.com, ip-api.com) to look up an IP address's approximate location. These requests include the IP address being resolved and your site's URL as a User-Agent string, consistent with normal API usage.

Location results are cached as WordPress transients for 12 hours to minimise external API calls.

`add_filter( 'wpll_geo_api_providers', '__return_empty_array' );`

Users can request deletion of their session data through WordPress's built-in privacy tools (**Tools → Erase Personal Data**), or you can delete it manually via **Users → Edit User**.

== External Services ==

This plugin connects to free public IP geolocation APIs to resolve the approximate geographic location of a user's IP address. This occurs only when a user on the protected list logs in or is blocked from logging in. No requests are made to any external service for users not on the protected list, or if location detection is disabled.

The following data is sent to these services: the connecting user's IP address and your site's URL (included as part of the standard User-Agent header, consistent with normal WordPress HTTP API usage).

= ipapi.co =
Used for IP geolocation lookups.
* Privacy Policy: https://ipapi.co/privacy/
* Terms of Service: https://ipapi.co/terms/

= ipwho.is =
Used as a fallback IP geolocation provider.
* Privacy Policy: https://ipwhois.io/privacy
* Terms of Service: https://ipwhois.io/terms

= freeipapi.com =
Used as a fallback IP geolocation provider.
* Privacy Policy: https://freeipapi.com/privacy
* Terms of Service: https://freeipapi.com/terms

= ip-api.com =
Used as a fallback IP geolocation provider.
* Privacy Policy: https://ip-api.com/docs/legal
* Terms of Service: https://ip-api.com/docs/legal

Location results are cached as WordPress transients for 12 hours to minimise external API calls. Only valid, publicly routable IP addresses trigger an external lookup — private/local IPs are identified as "Local Network" without any outbound request.

You can disable all location lookups entirely by adding this to your theme's `functions.php` or a custom plugin:

`add_filter( 'wpll_geo_api_providers', '__return_empty_array' );`

== Installation ==

1. Upload the `vegestic-users-login-limit` folder to the `/wp-content/plugins/` directory, or install directly via the WordPress admin Plugins screen.
2. Activate the plugin through the **Plugins** screen in WordPress.
3. Go to **Vegestic - Users Login Limit → Block Users** to start adding users.
4. Optionally edit the login block message at **Vegestic - Users Login Limit → Login Message**.

== Frequently Asked Questions ==

= Does this work with any WordPress theme? =
Yes. The plugin works at the authentication level and is entirely theme-independent.

= Will this log out users who are already logged in? =
No. Existing sessions are not affected when you add a user or lower their limit. Only new login attempts after the limit is set are blocked. Use the **Logout All** button to clear existing sessions manually.

= Can I disable location tracking? =
Yes. Add this to your theme's `functions.php` or a custom plugin:
`add_filter( 'wpll_geo_api_providers', '__return_empty_array' );`

= Is user data exported for GDPR requests? =
Yes. The plugin registers with WordPress's privacy tools. Administrators can export or erase a user's login data via **Tools → Export Personal Data** and **Tools → Erase Personal Data**.

= What happens if a user is at their limit and tries to log in? =
They see the custom block message on the login screen and their login is rejected. The blocked attempt is logged in their history.

= Can I change the session limit per user? =
Yes. Each user in the block list has their own configurable session limit. You can update it from the Block Users table or from the User Details page.

== Screenshots ==

1. Dashboard overview showing managed users and active sessions.
2. Block Users page — add users and set individual session limits.
3. User Details page — view sessions, login history, IP and location data.
4. Login Message editor — customize the error shown to blocked users.

== Changelog ==

= 1.0.1 =
* Security: Geo-location transients are now only created for valid, publicly routable IP addresses. Private, reserved, and localhost IP addresses are resolved as "Local Network" without writing a transient, preventing any transient-flooding vector via spoofed request headers.
* Improvement: Reduced geo-location transient lifetime from 24 hours to 12 hours, limiting stale cache exposure while preserving the lookup-reduction benefit.
* Compliance: Updated ipwho.is and freeipapi.com third-party legal URLs to their current canonical forms in the readme.

= 1.0.0 =
* Initial public release.
* Session limiting per user with configurable limit.
* Login history tracking (up to 50 records per user).
* IP address logging on each login event.
* Location detection via free public geo-IP APIs (ipapi.co, ipwho.is, freeipapi.com, ip-api.com).
* Active sessions view with force-logout option.
* Custom login block message editor.
* CSV export of login history.
* GDPR-compliant privacy data exporter and eraser.
* Full i18n support with translatable strings.

== Upgrade Notice ==

= 1.0.0 =
Initial release.
