Question

How would you ensure that only one user is logged in per account at a time?

Assuming cookies are persistent.


Solution

Typically the best way is to implement a customization on the provider that checks for last login, as well as adding methods to your code to keep track of user action.

The key is that you must know at what point the user last did something OR logged out. From there you can determine if the account is actually ready. If you set up the tracking for these elements in code, you can then modify the membership provider to check to ensure that the account can log in.

OTHER TIPS

Conceptually you have to decide how you want to respond. If you have User A logged in and then User B attempts to log in (using the same credentials) do you:

  1. Kick User A out

or

  2. Not allow a login from User B

(2) is problematic because you need to reliably know that User A has logged out to determine whether to log in User B. User A could be just looking at a page on your site for a while, so doing it via time might not be the best. Maybe some sort of AJAX watchdog that pings your website every 30 seconds.

(1) also requires some work. When a user logs in, you would want to store their cookie value (probably in the database) and add it to a list of issued cookies for this user. That way only the last cookie issued (last login) would be accepted. If you see one of the earlier cookies, then you would log that person out.

I create a table with the id of the user. Every time a user logs in, the system creates a unique id, which is stored in the table against the user's ID, as well as in the session variable.

Every post back or page process, the key stored in the session variable is checked against the last key for that user stored in the database. If a second user logs in with the same account, the system will create a new unique id, so that when the first user posts back or changes pages, the key stored in his session variable will be different to that in the table, indicating that the account has been opened in another location.

I schedule a nightly process to delete the old ids from the table.
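The login-key scheme described in the answer above, as an added example in Python that is not part of the original answers. The table and column names, the function names, and the plain dict standing in for the server-side session store are assumptions.

```python
import hmac
import secrets
import sqlite3

# Hypothetical schema: every login appends a row; the newest row per user wins.
db = sqlite3.connect(":memory:")
db.execute("""CREATE TABLE login_keys (
                  id        INTEGER PRIMARY KEY AUTOINCREMENT,
                  user_id   TEXT NOT NULL,
                  login_key TEXT NOT NULL)""")

def login(user_id, session):
    """Call after credentials are verified: issue a fresh unpredictable key."""
    key = secrets.token_urlsafe(32)
    with db:
        db.execute("INSERT INTO login_keys (user_id, login_key) VALUES (?, ?)",
                   (user_id, key))
    session["user_id"] = user_id
    session["login_key"] = key

def session_is_current(session):
    """Call on every request: True only if the session holds the latest key."""
    row = db.execute(
        "SELECT login_key FROM login_keys WHERE user_id = ? "
        "ORDER BY id DESC LIMIT 1", (session.get("user_id"),)).fetchone()
    if row is None or "login_key" not in session:
        return False
    # Constant-time comparison so the check does not leak key prefixes.
    return hmac.compare_digest(row[0], session["login_key"])

def purge_superseded():
    """Nightly cleanup: delete every key that is no longer the latest."""
    with db:
        cur = db.execute(
            "DELETE FROM login_keys WHERE id NOT IN "
            "(SELECT MAX(id) FROM login_keys GROUP BY user_id)")
    return cur.rowcount

if __name__ == "__main__":
    first, second = {}, {}            # constructed sessions for two browsers
    login("alice", first)
    login("alice", second)            # same account, second location
    print(session_is_current(first))  # earlier session is now rejected
    print(session_is_current(second))
    print(purge_superseded())
```

When `session_is_current` returns False, the request handler should clear that session and send the user back to the login page.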

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow