How to prevent multiple logins from the same user in ASP.NET

Preventing a User From Having Multiple Concurrent Sessions in ASP.NET


We implemented a system for this along the following lines:
  • Added a property to the user's Profile to hold their session ID.
  • Whenever a user logs in, store their session ID in the Profile.
  • On any page that requires this level of security, check whether the session ID stored in the profile matches their current session and, if not, redirect them to the login page. This check could be performed in a custom AuthorizeRequest event handler, or in a base class that these pages derive from.
We went for the base class option as we have two levels of authentication:
  1. The user has a cookie token to prove that they have logged in at some point in the past - this is fine for showing them restricted site content.
  2. The user has actually provided their login details this session - this is required when showing them any personal details (email addresses, preferences, saved job searches, etc).
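The base-class approach described above could look like the following. This is an added example, not the original author's code; it assumes Forms authentication and the default profile provider, and the names `ActiveSessionId`, `SingleSessionGuard` and `SingleSessionPage` are hypothetical.

```csharp
using System;
using System.Web.Profile;
using System.Web.Security;
using System.Web.UI;

// Assumed web.config entry (the property name is hypothetical):
//   <profile><properties><add name="ActiveSessionId" type="System.String" /></properties></profile>
public static class SingleSessionGuard
{
    public const string ProfileKey = "ActiveSessionId";

    // Call once credentials are validated, e.g. from the Login control's LoggedIn event.
    public static void RecordLogin(Page page, string userName)
    {
        // ASP.NET issues a new SessionID on every request until the session
        // is written to, so store a value to pin the ID before recording it.
        page.Session["LoggedInAtUtc"] = DateTime.UtcNow;

        // During the login request Context.Profile is still the anonymous
        // profile, so load the profile by user name instead.
        ProfileBase profile = ProfileBase.Create(userName);
        profile[ProfileKey] = page.Session.SessionID;
        profile.Save();
    }

    // True only when the profile holds an ID and it is this session's ID.
    public static bool IsCurrentSession(string storedId, string currentId)
    {
        return !string.IsNullOrEmpty(storedId)
            && string.Equals(storedId, currentId, StringComparison.Ordinal);
    }
}

// Pages that show personal details derive from this class instead of Page.
public abstract class SingleSessionPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        string stored = User.Identity.IsAuthenticated
            ? Context.Profile[SingleSessionGuard.ProfileKey] as string
            : null;
        if (!SingleSessionGuard.IsCurrentSession(stored, Session.SessionID))
        {
            // Not logged in, or a newer login replaced this session.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            // RedirectToLoginPage does not end the request; stop here so
            // the protected page never runs or renders.
            Response.End();
        }
    }
}
```

Because each login overwrites the stored ID, the most recent login always wins and any older session fails the check on its next request to a protected page.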
The main issues you'll find with almost any system:
  1. Using the user's IP address is unreliable - corporate users, those behind proxies, etc, often share an IP address, so would "appear" to be the same user.
  2. Relying on a user to log out is unreliable - the user's computer/browser might crash, not giving them the opportunity to log out, and the user can/will forget to log out.
  3. Relying on session time-outs is unreliable - if you're not using InProc sessions, the SessionEnd event never fires, if your server crashes the event isn't called, etc.
The issues you'll find with a solution like mine are:
  1. It doesn't stop the second user logging in - instead it will lock out the first user, which should discourage sharing of details in the first place.
  2. If you don't implement this as an AuthorizeRequest handler you have to remember to perform the check on the pages that should be locked down.
Responding to comment
In response to your specific queries:
  1. The default Profile Provider stores the data in the same SQL database as the membership provider (the tables are created along with the membership and roles tables). If you were to store it "in the cache" this would need to be the global application cache, along the lines KMan suggests in option 2 - and as pointed out in the comments, you'd need to build a time-out for this, and that leads back to the issue of reliably determining this.
  2. The user doesn't log out: This is handled in our system by not locking out future users, but by locking out previously logged in users - so:
    • Alice comes to the site, logs in, starts browsing.
    • Bob comes to the site, and logs in with Alice's details, starts browsing.
    • Alice tries to continue browsing, is locked out, has to log in again.
    • Bob is now locked out.
    • etc.
At its most basic, this won't stop the users sharing their logins, but will cause them annoyance, forcing them to keep logging in. If you need to you can add a delay to the login process - so if a different session id attempts to log into the site within the session time-out (defaults to 20 minutes) or some other time, say based on the average time a user spends on a page, then deny the login attempt.
