Hi Friends,

In my application I'm using InProc Session state where I'm storing the User_Id of each user after successful authentication.

Session.Add("UID", strUserid);


Now, the same user can log in to my application multiple times from different browser windows. There is no single sign-on implemented. The requirement is that I need to have something in place which can restrict the same user from logging in to the system multiple times. I should show a message to the user if the user is already logged in to the system.
One way I can think of is to add a flag to my User table and update the flag when a user logs in successfully, so that I can check the flag every time a user tries to log in. Something like below:
if (flag == "Y")
{
    // Don't allow the user; show message.
}
else
{
    // Allow the user.
}

I wanted to know if there is any mechanism available so that I can loop through the session variables and check whether the current user's session is available. If the current user's session is available, I'll not allow the user. Please let me know if it can be done using the session variables, as I'm storing the user_id in the session. Please suggest ideas which I can follow to implement it. Thanks in advance.

Regards,
Subahdeep
Updated 20-Jan-11 2:35am

You just need to add the UID to the Application object as well, so that it can also be accessed outside of your session.

I guess strUserid is unique and a string (if strUserid is a number, then convert it to a string before adding it to the Application object). Follow these steps:

// Write this code in the same procedure (function) where you authenticate the user on a login request.
Session.Add("UID", strUserid);

// No other changes are required.
if (Application.Get(strUserid) != null)
{
    // Don't allow the user; show message.
}
else
{
    Application.Add(strUserid, "LOGGED_IN"); // Shows that he/she cannot log in again.
    // Check the user name and password; if they match, allow the user.
}

Also, when someone logs out, remove the UID from Application.
   
Comments
Bodan_ 21-Jan-11 0:17am
   
Hi Ashish, could you please elaborate on this approach? Do I need to use the Global.asax Application_start event? I'm sorry, I didn't get the solution. Request your assistance on the same. Thanks a lot for your reply.
P.S: strUserId is string only and it is unique.
Ashish Tyagi 40 21-Jan-11 12:11pm
   
I just came up with an improved answer.
No need to use the Global.asax Application_start event.
The location is the same place where you write Session.Add("UID", strUserid);
Write this code in the same procedure (function) where you authenticate the user on a login request.
Ashish Tyagi 40 21-Jan-11 12:23pm
   
The only trick is to put the UID of the already logged-in user in a place (the Application object) that you can access anywhere in your application, and on a login request check whether it is already in that place (the Application object); if yes, then he/she is already logged in.
Ashish Tyagi 40 21-Jan-11 12:18pm
   
Ping me if you need more guidance....

If you're using ASP.NET, you should probably have a look at the Membership model, which provides a lot of functionality for handling security.

Have a look at this blog that describes one way of handling this:

http://geekswithblogs.net/Frez/Frez/articles/preventing-a-user-from-having-multiple-concurrent-sessions.aspx

Otherwise, Google is your friend!

http://www.google.co.uk/search?q=asp.net+membership+prevent+multiple+user+logons+using+the+same+credentials
   
Comments
Bodan_ 20-Jan-11 8:33am
   
Thanks Dylan for your reply. I am using ASP.NET and am also aware of Membership, but here I cannot use Membership as the application is already developed with a manual login page, and the functionalities are also developed depending on the login page. Please let me know if there is anything else in your mind except Membership. Thank you.

You mentioned that you are using InProc session state. Well, I guess there is not much you can do in this case. You can't retrieve the active session states for a given user.

Possible solutions are:
a) Move your session state to OutProc; then it becomes easy to retrieve it from your chosen database.

b) Enforce a single sign-in mechanism. In this case you will prevent the user from logging in a second time while their session is active. But this comes with caveats: i) the user won't be able to use multiple browsers; ii) the user can't log in from a different machine until the session expires.

You can mitigate the session length with some JavaScript code: whenever the browser is closed, kill the session. This is not foolproof and it may not work in all cases.
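
An added example, not part of any post above and not code from the original page: one way to implement the application-wide check from the first answer so that the entry is recorded only after the password check succeeds, the check-and-add is atomic, and the entry is released at logout or session end. The `ActiveLogins` class, its method names and the sample IDs are hypothetical; in an InProc ASP.NET application `Release` would be called from the logout handler and from `Session_End` in Global.asax, passing `Session.SessionID`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Hypothetical helper (not from the thread): process-wide map of user id -> session id.
public static class ActiveLogins
{
    private static readonly ConcurrentDictionary<string, string> Map =
        new ConcurrentDictionary<string, string>();

    // Call only AFTER the user name and password have been verified, so a
    // failed login attempt can never mark (and lock out) someone else's account.
    // TryAdd is atomic: two simultaneous logins for one user cannot both succeed.
    public static bool TryRegister(string userId, string sessionId)
    {
        return Map.TryAdd(userId, sessionId);
    }

    // Call from the logout handler and from Session_End (raised in InProc mode).
    // The entry is removed only if it belongs to the ending session, so an
    // unrelated session timing out cannot release the active login.
    public static bool Release(string userId, string sessionId)
    {
        var entry = new KeyValuePair<string, string>(userId, sessionId);
        return ((ICollection<KeyValuePair<string, string>>)Map).Remove(entry);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values; in a page these would be strUserid and Session.SessionID.
        Console.WriteLine(ActiveLogins.TryRegister("user42", "sess-A")); // first login
        Console.WriteLine(ActiveLogins.TryRegister("user42", "sess-B")); // second browser window
        Console.WriteLine(ActiveLogins.Release("user42", "sess-B"));     // release by the wrong session
        Console.WriteLine(ActiveLogins.Release("user42", "sess-A"));     // logout or Session_End
        Console.WriteLine(ActiveLogins.TryRegister("user42", "sess-B")); // login allowed again
    }
}
```

Like InProc session state, this map lives in a single worker process, so an application restart clears both together and it does not span multiple servers.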
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



