Two Users Login with same UserID

A.M

Hi,

I am using WebForms authentication.

What would be the best way to prevent two people logging in with the same userID at
the same time?

Thanks,
Alan
 
Lucas Tam

What would be the best way to prevent two people logging in with the same
userID at the same time?

Flag the user as "logged in" in the database during Form Authentication.

In the Session_OnEnd event in the global.asax, unflag the user id.

But be careful - sessions last ~20 minutes... so if a user leaves the site
by accident, the user may be blocked from re-accessing the site for 20+
minutes (depending on your session timeout value).

You could add additional logic to check IP addresses, cookies, etc. to make
the flagging more robust and allow a user who did not log out properly to
return and re-login.
 
Steven Cheng[MSFT]

Hi Alan,

Since you're using FormsAuthentication in an ASP.NET web application, yes?
Then, as for preventing multiple logins on the same user account, here are
some of my understandings:

1. Generally, such a problem needs us to manage a lookup table on the
server side. It contains all the active users who have logged in to the web
application. Then, when a user logs in, if this account isn't in
the active user table, we do the normal login operation; if it exists, we
prevent him from logging in.

2. Then, the important thing we need to do is capture when a user logs in
and when he has left (logout). ASP.NET FormsAuthentication will
generate an authentication token to identify a user who has logged in, and the
token is by default stored in the client-side cookie. Then every time the
user visits the pages in the web application, the token will be passed
within the request's cookie collection on to the web server so that the
server side can check whether the user is authenticated.

So as for your scenario, I think we first need to provide a server-side
lookup table in the application's shared memory. Then, when a user logs in
for the first time, we add an identity into the table (it needs to contain his
account id and also his session id).
Also, in every request's Authentication_Request event (you can hook it in the
Global object or an httpModule), we need to check the FormsAuthentication
cookie to see whether the user is still active; if the token does not exist, we
need to remove the item from the lookup table.

Here are some references on ASP.NET FormsAuthentication and ASP.NET request
processing:

#Forms Authentication Provider
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconthecookieauthenticationprovider.asp?frame=true

#Securely Implement Request Processing, Filtering, and Content Redirection
with HTTP Pipelines in ASP.NET
http://msdn.microsoft.com/msdnmag/issues/02/09/HTTPPipelines/default.aspx

I think they'll also be helpful. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
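The active-user lookup table both replies describe, as an added C# example (not code from either poster): an in-process table keyed by account id that records the owning session id and a last-seen time, so an abandoned session ages out after an idle timeout instead of blocking the account until Session_OnEnd fires. It assumes a single web server; on a web farm the same logic would live in the database as Lucas suggests.

```csharp
using System;
using System.Collections.Generic;

// Constructed example: in-process active-login table for a single server.
public sealed class ActiveLoginTable
{
    private sealed class Entry { public string SessionId; public DateTime LastSeen; }

    private readonly Dictionary<string, Entry> _entries =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly object _sync = new object();
    private readonly TimeSpan _idleTimeout;

    public ActiveLoginTable(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }

    // Call before issuing the forms-authentication ticket. Login proceeds when
    // nobody holds the account, the same session re-authenticates, or the
    // previous holder has been idle longer than the timeout.
    public bool TryLogin(string accountId, string sessionId, DateTime now)
    {
        lock (_sync)
        {
            Entry existing;
            if (_entries.TryGetValue(accountId, out existing)
                && existing.SessionId != sessionId
                && now - existing.LastSeen <= _idleTimeout)
                return false; // another live session owns this account
            _entries[accountId] = new Entry { SessionId = sessionId, LastSeen = now };
            return true;
        }
    }

    // Call on every authenticated request (e.g. from AuthenticateRequest).
    // False means another session took the account over: sign this one out.
    public bool Touch(string accountId, string sessionId, DateTime now)
    {
        lock (_sync)
        {
            Entry existing;
            if (!_entries.TryGetValue(accountId, out existing) || existing.SessionId != sessionId)
                return false;
            existing.LastSeen = now;
            return true;
        }
    }

    // Call on explicit logout or Session_OnEnd; only the owning session clears.
    public void Logout(string accountId, string sessionId)
    {
        lock (_sync)
        {
            Entry existing;
            if (_entries.TryGetValue(accountId, out existing) && existing.SessionId == sessionId)
                _entries.Remove(accountId);
        }
    }
}
```

Session_OnEnd only fires with in-process session state, so treat the idle timeout here as the primary cleanup rather than a fallback.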
 
