Is there any way to implement single sign on using Session variable?

Question

0.00/5 (No votes)

See more:

Hi Friends,

In my application I'm using InProc Session state where I'm storing the User_Id of each user after successful authentication.

Session.Add("UID", strUserid);

Now, same user can login to my application multiple time from different browser window. There no single sign on implemented. The requirement is I need to have something in place which can restrict the same users to log in into the system multiple time. I should show a message to the user if the user is already logged in into the system.
One way I think of is to add a flag on my User table and update the flag when a user logged in successfully so that I can track the flag data every time a user tries logging in. Something like below:

if(flag=="Y")
{
Don't allow the user, show message. 
} 
else
{
allow user.
}

I wanted to know if there is any mechanism available, so that I can loop through the session variables and check if the current user's session is available ? If current user session is available I'll not allow the user. Please let me know if it can be done using the session variables as I'm storing the user_id to the session. Please suggest ideas which I can follow to implement it. Thanks in advance.

Regards,
Subahdeep

Posted 20-Jan-11 1:33am

Bodan_

Updated 20-Jan-11 1:35am

m@dhu

v2

Add a Solution

3 solutions

Solution 1

If you're using ASP.Net, you should probably have a look at the Membership model which provides a lot of functionality for handling security.

Have a look at this blog that describes one way of handling this

http://geekswithblogs.net/Frez/Frez/articles/preventing-a-user-from-having-multiple-concurrent-sessions.aspx[^]

Otherwise, google is your friend!

http://www.google.co.uk/search?q=asp.net+membership+prevent+multiple+user+logons+using+the+same+credentials[^]

Posted 20-Jan-11 2:28am

Dylan Morley

Comments

Bodan_ 20-Jan-11 8:33am

Thanks Dylan for your reply. I do using asp.net and also aware of Membership, but here I can not use memebership as the application ia already developed with manual login page and the functionalities are also developed depending on the login page. Please let me know if there is anything else in your mind except membership. Thank you.

Solution 2

You mentioned that you are using InProc session state. Well, I guess there is no much you can do in this case. You can't retrieve the active session states for a given user.

Possible solutions are:
a) move your session state to OutProc, then it becomes easy to retrieve it from your chosen database.

b)Enforce single sign-in mechanism. In this case you will prevent the user from login the second time while their session is active. But this comes with caveat. i) the user won't able to use multiple browsers ii) the user can't login from different machine until the session expires.

You can mitigate the session length with some javascript code. when ever the browser is closed kill the session. This is not fool-prove and it may not work on all cases.

Posted 20-Jan-11 3:50am

Yusuf

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Ashish Tyagi 40 · Accepted Answer · 2011-01-20T03:51:00

Solution 3

you just need to add UID to Application object also so that this can be accessed out of your session also.

I guess strUserid is unique and a string ( if strUserid is a number then convert it to string for adding to Application object) follow these steps

//write this code in the same procedure (function) where you authenticate user on login request 
Session.Add("UID", strUserid);  

 
// no other changes are required
if(Application.Get(strUserid)!= null)
{
   //Don't allow the user, show message.
}
else
{
    Application.Add(strUserid, "LOGGED_IN"); // show that he.she can not login again
    // check for user name and password, if match then allow user.
}

also when someone logout then remove the UID from Application

Posted 20-Jan-11 3:51am

Ashish Tyagi 40

Updated 21-Jan-11 6:16am

v4

Comments

Bodan_ 21-Jan-11 0:17am

Hi Ashish, Could you please elaborate this approach? Do I need to use Global.asax Application_start event. I'm sorry I didn't get the solution. Request your assistance on the same. Thanks a lot for your reply.
P.S: strUserId is string only and it is unique.

Ashish Tyagi 40 21-Jan-11 12:11pm

ijust come with improved answer
no need to use Global.asax Application_start event
the location is same where you write Session.Add("UID", strUserid);
write this code in the same procedure (function) where you authenticate user on login request

Ashish Tyagi 40 21-Jan-11 12:23pm

the only trick is set the UID of already logged in, to such place (Application object) so that you can access anywhere in youe application, and on login request check if it already on that place (Application object) if yes, then he/she already logged.

Ashish Tyagi 40 21-Jan-11 12:18pm

ping me if you need more guidance....