Keeping track of users LogIn

[Eric S]

Hi All,

When I create a credential for users to log in, I can not allow them to log
in more then 2 different computers. Otherwise the user can provide the
Credential for 20 different people and will try hammer the server.

If user A logged in I can update a flag in a table called MemberInfo and
when he/she Logged out I can reset that flag and also have a counter of the
numbers of logins.... Or even can update the time he/she logged in.

a)
Problem is what happens when he closed the browser and did not log out?

b)
If the browser is crashed then there is no way for me to update the flag.

How would you handle this kind of situation?
Appreciate some code / Ideas.

Thanks,

Eric

 

[Andy O'Neill]

Hi All,

When I create a credential for users to log in, I can not allow them to
log in more then 2 different computers. Otherwise the user can provide the
Credential for 20 different people and will try hammer the server.

If user A logged in I can update a flag in a table called MemberInfo and
when he/she Logged out I can reset that flag and also have a counter of
the numbers of logins.... Or even can update the time he/she logged in.

a)
Problem is what happens when he closed the browser and did not log out?

b)
If the browser is crashed then there is no way for me to update the flag.

How would you handle this kind of situation?
Appreciate some code / Ideas.

Thanks,

Eric

Intranet or web?

On an intranet you could use the user's windows credentials.
Either way, take a look at the membership provider.

 

[Guest]

Hi All,

When I create a credential for users to log in, I can not  allow them to log
in more then 2 different computers. Otherwise the user can provide the
Credential for 20 different people and will try hammer the server.

If user A logged in I can update a flag in a table called MemberInfo and
when he/she  Logged out I can reset that flag and also have a counter of the
numbers of logins.... Or even can update the time he/she logged in.

a)
Problem is what happens when he closed the browser and did not log out?

b)
If the browser is crashed then there is no way for me to update the flag.

How would you handle this kind of situation?
Appreciate some code / Ideas.

Thanks,

Eric

Consider another approach. For example, using client's IP address. On
login you can keep the IP and time in MemberInfo. After that this
information could be used to check if you could allow a logon or not.
If the same IP, then user is valid. If a different IP within say 20
minutes of the last use on another address then you must apply the
lockout rule.

This will not work if users coming out of the same router (e.g.
corporate proxy) - they all will have the same IP address. You may
also wish to save a short period encypted cookie to provide a session
marker upon logon.

 

[Guest]

Hi All,

When I create a credential for users to log in, I can not  allow them to log
in more then 2 different computers. Otherwise the user can provide the
Credential for 20 different people and will try hammer the server.

If user A logged in I can update a flag in a table called MemberInfo and
when he/she  Logged out I can reset that flag and also have a counter of the
numbers of logins.... Or even can update the time he/she logged in.

a)
Problem is what happens when he closed the browser and did not log out?

b)
If the browser is crashed then there is no way for me to update the flag.

How would you handle this kind of situation?
Appreciate some code / Ideas.

Thanks,

Eric

One more tip
http://teknohippy.net/2008/08/21/stopping-aspnet-concurrent-logins/

 

[Eric S]

Hi Alexey,

Thanks for the reply it is informative...
Any suggested code (or blog somewhere) is also appreciated.

Regards,

Eric

Hi All,

When I create a credential for users to log in, I can not allow them to
log
in more then 2 different computers. Otherwise the user can provide the
Credential for 20 different people and will try hammer the server.

If user A logged in I can update a flag in a table called MemberInfo and
when he/she Logged out I can reset that flag and also have a counter of
the
numbers of logins.... Or even can update the time he/she logged in.

a)
Problem is what happens when he closed the browser and did not log out?

b)
If the browser is crashed then there is no way for me to update the flag.

How would you handle this kind of situation?
Appreciate some code / Ideas.

Thanks,

Eric

Consider another approach. For example, using client's IP address. On
login you can keep the IP and time in MemberInfo. After that this
information could be used to check if you could allow a logon or not.
If the same IP, then user is valid. If a different IP within say 20
minutes of the last use on another address then you must apply the
lockout rule.

This will not work if users coming out of the same router (e.g.
corporate proxy) - they all will have the same IP address. You may
also wish to save a short period encypted cookie to provide a session
marker upon logon.

 

[Eric S]

Thanks Alexey and that's takes care of it.

Hi All,

When I create a credential for users to log in, I can not allow them to
log
in more then 2 different computers. Otherwise the user can provide the
Credential for 20 different people and will try hammer the server.

If user A logged in I can update a flag in a table called MemberInfo and
when he/she Logged out I can reset that flag and also have a counter of
the
numbers of logins.... Or even can update the time he/she logged in.

a)
Problem is what happens when he closed the browser and did not log out?

b)
If the browser is crashed then there is no way for me to update the flag.

How would you handle this kind of situation?
Appreciate some code / Ideas.

Thanks,

Eric

One more tip
http://teknohippy.net/2008/08/21/stopping-aspnet-concurrent-logins/