how to prevent multiple logins from the same user

anoj

Hi All

I need to prevent multiple logins from the same user at the same time.
What is the best way to do this?

How can I detect if a user closes the browser window without logging
out so that his/her id can be removed from the global list maintained
for the logged in users?


Kindly help

Regards,

Anoj Kumar
 
Hans Kesting

anoj said:
Hi All

I need to prevent multiple logins from the same user at the same time.
What is the best way to do this?

How can I detect if a user closes the browser window without logging
out so that his/her id can be removed from the global list maintained
for the logged in users?


Kindly help

Regards,

Anoj Kumar

There is no "configuration setting" for this, you have to build it yourself.
You need to maintain a global list of "logged in users". If someone tries
to log in, check against this list and display an "already logged in"
message.
You need to add code to the Session_End event handler to remove
users from this list if their session expires (when they just left the site/closed
their browser instead of logging out).

Be careful: users that had a browser-crash that prevented them from logging out,
now need to wait 20 minutes before they can access your site again!
The fact that your user is logged in in some session that he/she can't log out
of, doesn't have to be his/her fault!

Hans Kesting
 
bruce barker

there is no reliable way to detect browser close, or if the user just
navigated to another site.

your best option is to use a ticket system. when the user hits a page, give
out a ticket (in a hidden field) and test for it on postback. allow only one
active ticket per user. you can also timeout the ticket, and require a new
login. if the user requests a new page, cancel the old ticket, and assign a
new ticket. this handles the user closing the browser or navigating away
from your site, then coming back.

-- bruce (sqlwork.com)


| Hi All
|
| I need to prevent multiple logins from the same user at the same time.
| What is the best way to do this?
|
| How can I detect if a user closes the browser window without logging
| out so that his/her id can be removed from the global list maintained
| for the logged in users?
|
|
| Kindly help
|
| Regards,
|
| Anoj Kumar
|
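
The ticket scheme bruce describes above, as an added example that is not part of the original post: a C# class that keeps one active ticket per user, rotates it on every page and rejects stale or timed-out tickets. It assumes .NET 6 or later; `TicketRegistry`, `Issue` and `Redeem` are hypothetical names, and the user name and clock values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Demo with a constructed clock and user name (added example, not from the thread).
var reg = new TicketRegistry(TimeSpan.FromMinutes(20));
var t0 = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);
string first = reg.Issue("anoj", t0);                  // page served to browser A
string second = reg.Issue("anoj", t0.AddMinutes(1));   // page served elsewhere cancels A's ticket
Console.WriteLine(reg.Redeem("anoj", first, t0.AddMinutes(2)) is null);   // cancelled ticket
string? next = reg.Redeem("anoj", second, t0.AddMinutes(2));              // current ticket
Console.WriteLine(next is not null);
Console.WriteLine(reg.Redeem("anoj", next, t0.AddMinutes(30)) is null);   // past the timeout

public sealed class TicketRegistry
{
    private readonly Dictionary<string, (string Ticket, DateTime Expires)> _active = new();
    private readonly object _sync = new();
    private readonly TimeSpan _lifetime;

    public TicketRegistry(TimeSpan lifetime) => _lifetime = lifetime;

    // Called when a page is rendered: replaces (cancels) any older ticket for this user.
    public string Issue(string user, DateTime now)
    {
        string ticket = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        lock (_sync) { _active[user] = (ticket, now + _lifetime); }
        return ticket; // the caller writes this into the page's hidden field
    }

    // Called on postback: returns the next ticket, or null when a new login is required.
    public string? Redeem(string user, string? presented, DateTime now)
    {
        lock (_sync)
        {
            if (presented is null || !_active.TryGetValue(user, out var cur)) return null;
            bool match = CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(presented), Encoding.ASCII.GetBytes(cur.Ticket));
            if (!match || now > cur.Expires) return null;
            return Issue(user, now); // rotate: the ticket just used is now dead
        }
    }
}
```

The ticket is random rather than a counter so that it cannot be guessed, and the user name passed to `Redeem` should come from the authenticated session, not from the form.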
 
Daniel Fisher(lennybacon)

You can write a HttpModule and update a datastore with a timestamp and the
ip address per user on every request and check on AuthenticateRequest if the
user matches or a defined time has expired the user's session.
 
John Saunders

Daniel Fisher(lennybacon) said:
You can write a HttpModule and update a datastore with a timestamp and the
ip address per user on every request and check on AuthenticateRequest if
the user matches or a defined time has expired the user's session.

The IP address is subject to change without notice between connections. What
if the user winds up switching which proxy server is being used, or if the
network gets reconfigured some other way?

If you want a value to use as a unique identifier of a machine, then send
that machine a GUID in a cookie. Then it won't matter how the network
changes out from under you.

John Saunders
 
Guest

I am sorry but I need the 101 version of this.
Another user suggested adding code to the Session_End event. This makes sense
but I don't see the Session_End event in the list of available events to add
in the Init from HttpApplication.
When you mention a user "hitting" a page do you mean begin request? How do I
know what the user is at that point? How do I "give out a ticket" in a hidden
field. I am assuming that this involves modifying the "normal" response page
generated for the request. Where would be the best place to do this?
From another post I read that the HttpApplication class is pooled and the
HttpModules are created from HttpApplication class as specified in
web.config. Based on this information there doesn't seem to be a global place
to reliably keep state for the application. Right?

Thank you for your input.

Kevin
 
Darrin J. Olson

My suggestion would be to keep track of the current sessionID and last page
request time for the user in a datasource record.

In the Authentication_Request event in the Global.asax, if the user is
authenticated you would write the current time and sessionID to the record.
Prior to that in the same event, you would check to see if there is an entry
for the same user that has 1) a different sessionID, and 2) if the
difference between the current time and the last entry is greater than the
timeout period.

If there is a time entry difference that is less than the timeout, and the
sessionID is different, deny the authentication, otherwise let it through
and write the entry with the new time and SessionID.

In the Session_End event, set the time in the datasource record to a date
and time sometime way in the past (1/1/1900 0100 AM) for any record with the
SessionID in that event.

I'm sure there are a number of ways to do it, but I think this would work.

-Darrin
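
The check Darrin describes above, as an added example that is not part of the original post: a C# class that records session ID and last request time per user, denies a different session while the recorded one is still inside the timeout, and backdates the record when a session ends. It assumes .NET 6 or later and an in-memory dictionary standing in for the datasource; `SessionGate`, `TryTouch` and `EndSession` are hypothetical names, and the session IDs and clock values are constructed.

```csharp
using System;
using System.Collections.Generic;

// Demo with a constructed clock and session IDs (added example, not from the thread).
var gate = new SessionGate(TimeSpan.FromMinutes(20));
var t0 = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);
Console.WriteLine(gate.TryTouch("anoj", "sess-A", t0));                // first login
Console.WriteLine(gate.TryTouch("anoj", "sess-B", t0.AddMinutes(5)));  // second browser, A still live
Console.WriteLine(gate.TryTouch("anoj", "sess-B", t0.AddMinutes(25))); // A silent past the timeout
gate.EndSession("sess-B");                                             // what Session_End would call
Console.WriteLine(gate.TryTouch("anoj", "sess-C", t0.AddMinutes(26))); // B ended, no wait needed

public sealed class SessionGate
{
    // Stand-in for "a date and time sometime way in the past".
    private static readonly DateTime Expired = new DateTime(1900, 1, 1, 1, 0, 0, DateTimeKind.Utc);
    private readonly Dictionary<string, (string SessionId, DateTime LastSeen)> _records = new();
    private readonly object _sync = new();
    private readonly TimeSpan _timeout;

    public SessionGate(TimeSpan timeout) => _timeout = timeout;

    // Per authenticated request: deny if a different session for this user is still live,
    // otherwise record this session ID and the current time.
    public bool TryTouch(string user, string sessionId, DateTime now)
    {
        lock (_sync)
        {
            if (_records.TryGetValue(user, out var rec) && rec.SessionId != sessionId
                && now - rec.LastSeen < _timeout)
                return false;
            _records[user] = (sessionId, now);
            return true;
        }
    }

    // On session end: backdate every record that carries this session ID.
    public void EndSession(string sessionId)
    {
        lock (_sync)
        {
            foreach (var user in new List<string>(_records.Keys))
                if (_records[user].SessionId == sessionId)
                    _records[user] = (sessionId, Expired);
        }
    }
}
```

The check and the write sit under one lock so that two simultaneous logins cannot both pass; an in-process dictionary only holds for a single worker process, so a web farm needs the shared datasource the post mentions.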