RSB RSB - 7 days ago 5
C# Question

Login Security: How to Disable Multiple login

I want to disable multiple login on my web. For example when a user already login on the system. System should disable the user to login again on another browser or computer. Currently I tried doing this by using the database. I have a column like login_status, Once the user is login it will update to 1 and 0 for offline. If you the user closes the the browser without logging out. It will remain login, the user should ask the admin to log him out. The problem is we want to automatically logout the user by max of 30min idle time. I'm having a hard time how to do this.

Is there a way to disable multiple login and determine if the user was idle and automatically log him out? I'm thinking about cookies and session.

Answer

The reason a visitor can log in from multiple locations at once is, because whenever they log in ASP.net assigns them the same authentication token. So, the authentication token in itself doesn't allow you to distinguish between the locations the user is logging in from.

There are probably many ways around this, but in principle all you need to do is store some identifying information in the user’s session state and check this on each request. E.g. When they log in, their IP address could be stored as session data. Then for every subsequent authenticated request, the IP the request comes from could be compared to the IP of the current one. If the two don’t match then log the user out.

Alternatively, if IP isn't a good enough identifier (e.g. if a user is logging in from behind a router multiple PCs will share IPs) then you can add some identifying information to the users authentication token at the point of login. Here is a tutorial on how to do that:

http://www.danharman.net/2011/07/07/storing-custom-data-in-forms-authentication-tickets/

Each time they login a unique GUID can be generated and stored both as session data and also as part of the authentication token. On each request you compare the two, logging the user out on a fail.

These are a couple of possibilities - I'm sure there are others.

An even better way may be to influence the asp.net authentication token itself when asp.net generates it to introduce some change, but I'm not sure this is possible.

Googling gave me nothing.

Comments