how to prevent multiple logins from the same user

Discussion in 'ASP .Net' started by anoj, Dec 28, 2004.

  1. anoj

    anoj Guest

    Hi All

    i need to prevent multiple logins from the same user at the same time.
    what is the best way to do this .

    How can i detect if a user closes the browser window without logging
    out so tht his/her id can be removed from the global list maintained
    for the looged in users


    Kindly help

    Regards,

    Anoj Kumar
     
    anoj, Dec 28, 2004
    #1
    1. Advertising

  2. anoj

    Hans Kesting Guest

    anoj wrote:
    > Hi All
    >
    > i need to prevent multiple logins from the same user at the same time.
    > what is the best way to do this .
    >
    > How can i detect if a user closes the browser window without logging
    > out so tht his/her id can be removed from the global list maintained
    > for the looged in users
    >
    >
    > Kindly help
    >
    > Regards,
    >
    > Anoj Kumar


    There is no "configuration setting" for this, you have to build it yourself.
    You need to maintain a global list of "logged in users". If someone tries
    to log in, check against this list and display a "already logged in"
    message.
    You need to add code to the Session_End event handler to remove
    users from this list if their session expires (when they just left the site/closed
    their browser instead of logging out).

    Be careful: users that had a browser-crash that prevented them from logging out,
    now need to wait 20 minutes before they can access your site again!
    The fact that your user is logged in in some session that he/she can't log out
    of, doesn't have to be his/her fault!

    Hans Kesting
     
    Hans Kesting, Dec 28, 2004
    #2
    1. Advertising

  3. anoj

    bruce barker Guest

    there is no reliable way to detect browser close, or if the user just
    navigated to another site.

    your best option is to use a ticket system. when the user hits a page, give
    out a ticket (in a hidden field) and test for it on postback. allow only one
    active ticket per user. you can also timeout the ticket, and require a new
    login. if the user requests a new page, cancel the old ticket, and assign a
    new ticket. this handles the user closing the browser or navigating away
    from yor site, then coming back.

    -- bruce (sqlwork.com)


    "anoj" <> wrote in message
    news:...
    | Hi All
    |
    | i need to prevent multiple logins from the same user at the same time.
    | what is the best way to do this .
    |
    | How can i detect if a user closes the browser window without logging
    | out so tht his/her id can be removed from the global list maintained
    | for the looged in users
    |
    |
    | Kindly help
    |
    | Regards,
    |
    | Anoj Kumar
    |
     
    bruce barker, Dec 28, 2004
    #3
  4. You can write a HttpModule and update a datastore with a timestamp and the
    ip address per user on every request and check on AuthenticateRequest if the
    user matches or a defined time has expired the users session.

    --
    Daniel Fisher(lennybacon)
    MCP ASP.NET C#
    Blog: http://www.lennybacon.com/


    "anoj" <> wrote in message
    news:...
    > Hi All
    >
    > i need to prevent multiple logins from the same user at the same time.
    > what is the best way to do this .
    >
    > How can i detect if a user closes the browser window without logging
    > out so tht his/her id can be removed from the global list maintained
    > for the looged in users
    >
    >
    > Kindly help
    >
    > Regards,
    >
    > Anoj Kumar
    >
     
    Daniel Fisher\(lennybacon\), Dec 28, 2004
    #4
  5. "Daniel Fisher(lennybacon)" <info@(removethis)lennybacon.com> wrote in
    message news:...
    > You can write a HttpModule and update a datastore with a timestamp and the
    > ip address per user on every request and check on AuthenticateRequest if
    > the user matches or a defined time has expired the users session.


    The IP address is subject to change without notice between connections. What
    if the user winds up switching which proxy server is being used, or if the
    network gets reconfigured some other way?

    If you want a value to use as a unique identifier of a machine, then send
    that machine a GUID in a cookie. Then it won't matter how the network
    changes out from under you.

    John Saunders
     
    John Saunders, Dec 28, 2004
    #5
  6. I am sorry but I need the 101 version of this.
    Another use suggested adding code to the Session_End event. This makes sense
    but I don't see the Session_End event in the list of available events to add
    in the Init from HttpApplication.
    When you mention a user "hitting" a page do you mean begin request? How do I
    know what the user is at that point? How do I "give out a ticket" in a hidden
    field. I am assuming that this involves modifying the "normal" response page
    generated for the request. Where would be the best place to do this?
    From another post I read that the HttpApplication class is pooled and the
    HttpModules are created from HttpApplication class as specified in
    web.config. Based on this information there doesn't seem to be a global place
    to reliably keep state for the application. Right?

    Thank you for your input.

    Kevin

    "bruce barker" wrote:

    > there is no reliable way to detect browser close, or if the user just
    > navigated to another site.
    >
    > your best option is to use a ticket system. when the user hits a page, give
    > out a ticket (in a hidden field) and test for it on postback. allow only one
    > active ticket per user. you can also timeout the ticket, and require a new
    > login. if the user requests a new page, cancel the old ticket, and assign a
    > new ticket. this handles the user closing the browser or navigating away
    > from yor site, then coming back.
    >
    > -- bruce (sqlwork.com)
    >
    >
    > "anoj" <> wrote in message
    > news:...
    > | Hi All
    > |
    > | i need to prevent multiple logins from the same user at the same time.
    > | what is the best way to do this .
    > |
    > | How can i detect if a user closes the browser window without logging
    > | out so tht his/her id can be removed from the global list maintained
    > | for the looged in users
    > |
    > |
    > | Kindly help
    > |
    > | Regards,
    > |
    > | Anoj Kumar
    > |
    >
    >
    >
     
    =?Utf-8?B?S2V2aW4gQnVydG9u?=, Dec 30, 2004
    #6
  7. My suggestion would be to keep track of the current sessionID and last page
    request time for the user in a datasource record.

    In the Authentication_Request event in the Global.asax, if the user is
    authenticated you would write the current time and sessionID to the record.
    Prior to that in the same event, you would check to see if there is an entry
    for the same user that has 1) a different sessionID, and 2) if the
    difference between the current time and the last entry is greater than the
    timeout period.

    If there is a time entry difference that is less than the timeout, and the
    sessionID is different, deny the authentication, otherwise let it through
    and write the entry with the new time and SessionID.

    In the Session_End event, set the time in the datasource record to a date
    and time sometime way in the past (1/1/1900 0100 AM) for any record with the
    SessionID in that event.

    I'm sure there are a number of ways to do it, but I think this would work.

    -Darrin

    "Kevin Burton" <> wrote in message
    news:...
    >I am sorry but I need the 101 version of this.
    > Another use suggested adding code to the Session_End event. This makes
    > sense
    > but I don't see the Session_End event in the list of available events to
    > add
    > in the Init from HttpApplication.
    > When you mention a user "hitting" a page do you mean begin request? How do
    > I
    > know what the user is at that point? How do I "give out a ticket" in a
    > hidden
    > field. I am assuming that this involves modifying the "normal" response
    > page
    > generated for the request. Where would be the best place to do this?
    > From another post I read that the HttpApplication class is pooled and the
    > HttpModules are created from HttpApplication class as specified in
    > web.config. Based on this information there doesn't seem to be a global
    > place
    > to reliably keep state for the application. Right?
    >
    > Thank you for your input.
    >
    > Kevin
    >
    > "bruce barker" wrote:
    >
    >> there is no reliable way to detect browser close, or if the user just
    >> navigated to another site.
    >>
    >> your best option is to use a ticket system. when the user hits a page,
    >> give
    >> out a ticket (in a hidden field) and test for it on postback. allow only
    >> one
    >> active ticket per user. you can also timeout the ticket, and require a
    >> new
    >> login. if the user requests a new page, cancel the old ticket, and assign
    >> a
    >> new ticket. this handles the user closing the browser or navigating away
    >> from yor site, then coming back.
    >>
    >> -- bruce (sqlwork.com)
    >>
    >>
    >> "anoj" <> wrote in message
    >> news:...
    >> | Hi All
    >> |
    >> | i need to prevent multiple logins from the same user at the same time.
    >> | what is the best way to do this .
    >> |
    >> | How can i detect if a user closes the browser window without logging
    >> | out so tht his/her id can be removed from the global list maintained
    >> | for the looged in users
    >> |
    >> |
    >> | Kindly help
    >> |
    >> | Regards,
    >> |
    >> | Anoj Kumar
    >> |
    >>
    >>
    >>
     
    Darrin J. Olson, Dec 30, 2004
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    2
    Views:
    690
    amjathrahman
    Jul 20, 2006
  2. =?Utf-8?B?QWxleCBNYWdoZW4=?=

    Two Different FormsAuth Logins for Same Application

    =?Utf-8?B?QWxleCBNYWdoZW4=?=, Sep 10, 2006, in forum: ASP .Net
    Replies:
    1
    Views:
    373
    Walter Wang [MSFT]
    Sep 11, 2006
  3. Karthik

    Preventing multiple logins from a single user

    Karthik, Nov 17, 2003, in forum: ASP .Net Security
    Replies:
    0
    Views:
    165
    Karthik
    Nov 17, 2003
  4. Liming

    Two Logins within the same site

    Liming, Apr 12, 2006, in forum: ASP .Net Security
    Replies:
    2
    Views:
    121
    genc ymeri
    Apr 16, 2006
  5. Jeff Beem

    prevent duplicate logins

    Jeff Beem, May 21, 2007, in forum: ASP .Net Security
    Replies:
    2
    Views:
    183
    Manish Bafna
    May 21, 2007
Loading...

Share This Page