Hi Alan,
Since you're using FormsAuthentication in an ASP.NET web application, yes?
Then, as for preventing multi-login on the same user account, here are
some of my understandings:
1. Generally, such a problem needs us to manage a lookup table on the
server side. It contains all the active users who have logged in to the web
application. Then, when a user logs in, if this account isn't in the
active user table, we do the normal login operation; if it exists, we
prevent him from logging in.
2. Then, the important thing we need to do is capture when a user has logged
in and when he has left (logged out). ASP.NET FormsAuthentication will
generate an authentication token to identify a user who has logged in, and the
token is by default stored in a client-side cookie. Then every time the
user visits the pages in the web application, the token will be passed
within the request's cookie collection to the web server so that the
server side can check whether the user is authenticated.
So as for your scenario, I think we first need to provide a server-side
lookup table in the application's shared memory. Then, when a user logs in
for the first time, we add an identity into the table (it needs to contain
his account ID and also his session ID).
Also, in every request's Authentication_Request event (you can hook it in
the Global object or an HttpModule), we need to check the FormsAuthentication
cookie to see whether the user is still active; if the token does not exist, we
need to remove the item from the lookup table.
Here are some references on ASP.NET FormsAuthentication and ASP.NET request
processing:
#Forms Authentication Provider
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconthecookieauthenticationprovider.asp?frame=true
#Securely Implement Request Processing, Filtering, and Content Redirection
with HTTP Pipelines in ASP.NET
http://msdn.microsoft.com/msdnmag/issues/02/09/HTTPPipelines/default.aspx
I think they'll also be helpful. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
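The scheme described in the reply above, as an added example that is not part of the original post and not Microsoft's own code. It assumes .NET Framework 4.x with System.Web (the post predates that, but the FormsAuthentication API it relies on is the same): a process-wide table of active logins keyed by account name, a random login token carried in the ticket's UserData field, and an HttpModule that checks every authenticated request against the table. The class and method names (ActiveLoginTable, SingleLogin, SingleLoginModule, TryRegister, IsCurrent) are this example's own. Two points the reply leaves open are handled here: the module hooks PostAuthenticateRequest rather than AuthenticateRequest so that FormsAuthenticationModule has already populated HttpContext.User, and a table entry carries a last-seen timestamp so that a user who simply closes the browser (and therefore never sends a request without the token) is evicted after the forms timeout instead of being locked out forever.

```csharp
// Added example (not from the original post): single-login enforcement for
// ASP.NET Forms Authentication on .NET Framework 4.x. All type and member
// names here are the example's own, not part of ASP.NET.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Server-side lookup table: account name -> token issued at sign-in plus the
// last time a request carrying that token was seen.
public static class ActiveLoginTable
{
    public sealed class Entry
    {
        public string Token;
        public DateTime LastSeenUtc;
    }

    // Assumption: one worker process. On a web farm this must live in a shared
    // store (database or distributed cache), not in process memory.
    private static readonly ConcurrentDictionary<string, Entry> Active =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    // An entry idle longer than the forms ticket timeout is treated as
    // abandoned (browser closed without logout) and may be taken over.
    private static readonly TimeSpan IdleLimit = FormsAuthentication.Timeout;

    // Returns the new login token, or null if the account is already active.
    public static string TryRegister(string account)
    {
        var entry = new Entry { Token = Guid.NewGuid().ToString("N"),
                                LastSeenUtc = DateTime.UtcNow };
        var current = Active.GetOrAdd(account, entry);
        if (ReferenceEquals(current, entry))
            return entry.Token;                        // slot was free
        if (DateTime.UtcNow - current.LastSeenUtc > IdleLimit &&
            Active.TryUpdate(account, entry, current))
            return entry.Token;                        // stale holder evicted
        return null;                                   // genuinely logged in elsewhere
    }

    // True if the token from the request's ticket is the live one; refreshes
    // the last-seen mark so an active user is never mistaken for idle.
    public static bool IsCurrent(string account, string token)
    {
        Entry e;
        if (!Active.TryGetValue(account, out e) || e.Token != token)
            return false;
        e.LastSeenUtc = DateTime.UtcNow;
        return true;
    }

    public static void Remove(string account)
    {
        Entry ignored;
        Active.TryRemove(account, out ignored);
    }
}

// Called by the login page after the password check has succeeded
// (credential validation itself is outside this example).
public static class SingleLogin
{
    public static bool SignIn(HttpResponse response, string account, bool persistent)
    {
        string token = ActiveLoginTable.TryRegister(account);
        if (token == null)
            return false;                              // refuse the second login
        var ticket = new FormsAuthenticationTicket(
            1, account, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, token);                        // token rides in UserData
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
        return true;
    }

    public static void SignOut(string account)
    {
        ActiveLoginTable.Remove(account);              // free the slot first
        FormsAuthentication.SignOut();
    }
}

// Per-request check. FormsAuthenticationModule has already decrypted the cookie
// and set context.User by the time PostAuthenticateRequest fires.
public class SingleLoginModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null)
            return;                                    // anonymous request
        if (!ActiveLoginTable.IsCurrent(identity.Name, identity.Ticket.UserData))
        {
            // Ticket is not the live one for this account (older session, or a
            // replayed cookie): clear it and let the request run as anonymous.
            FormsAuthentication.SignOut();
            context.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        }
    }

    public void Dispose() { }
}
```

Register the module in web.config under system.webServer/modules (IIS integrated mode) or system.web/httpModules (classic mode), and have the login page call SingleLogin.SignIn instead of FormsAuthentication.SetAuthCookie. Note that a stale ticket found by the module does not remove the table entry: the entry belongs to whichever session currently holds the token, and only that session's logout or idle timeout should release it.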