4

We have built an intranet application where users have to log in to do certain tasks... We have to make sure that no "application user" is logged in more than once at the same time.

So what I do at the moment is that I store the current ASP.NET session id in the database and then I compare at every page load whether they are the same or not. The session id is stored in the database when the user logs in.

But by using this kind of check, there is always a database select needed. So I don't like this way very much. There must be a more elegant way to solve this, or?

We use ASP.NET 2, C#.

Thanks in advance for any input

[Info Update]

I have already created a custom MembershipProvider and a custom MembershipUser. The MembershipUser has a method called "StartSession(string sessionId)" which is used when the user logs in.

The other method CheckSession(string sessionId) is used at every postback, and it compares the current session id with the session id stored in the database.

[Update] Thanks everybody for your input. I will now use the cache to prevent permanent database access. I first thought that there is already a Class or something that is already handling this problem.

nWorx
  • One database query should not be anything to worry about unless you have massive traffic. – Peter Jun 25 '09 at 09:36
  • Worth ensuring there is a real reason for this restriction, because it will also impact one user on one machine with two browsers open. And likely will not detect a single browser with two tabs open. – Richard Jun 25 '09 at 09:36
  • We don't want people to have tabs open with it, they should just have one window open, and it is also a licence issue... we don't want them to buy one user licence and use it for 100 people... so it ensures that the application works right and that the licences are used correctly, but maybe this is wrong thinking anyway... – nWorx Jun 25 '09 at 09:40
  • 3
    @unicron: You have to consider how much of the user's desktop you can own. It's not reasonable to expect to control the number of tabs opened by the user. A new tab or even a new window would not necessarily create a new session anyway. – AnthonyWJones Jun 25 '09 at 09:53
  • 3
    No tabs?! Any time you find yourself impacting a legitimate user in an attempt to address illegitimate users you need to take a step back and question the cost/benefit of your approach. – Colin Pickard Jun 25 '09 at 09:55
  • @colin I did not mean that I want to forbid tabs in general... but if he opens the application in a new tab, then isn't the session recovered from his ASP.NET session cookie -> it would be like just one window? – nWorx Jun 25 '09 at 12:01

6 Answers

5

Your existing approach of storing this info in the DB is reasonable, it helps if things scale up.

However, you could also use the System.Web.Caching.Cache object to track a user's current session as well. If finding the info in the cache object fails, fall back to reading it from the DB, then place that info in the cache for the benefit of subsequent requests.

AnthonyWJones
4

Whilst digging around for something related to this earlier today I ran across this article that may be of use:

Preventing Multiple Logins in ASP.NET (EggHead Cafe)

Kev
3

The main change I would suggest is that you create a session cache to check against, rather than using the database on every page load.

It would work in a similar way - you would check the session id in the cache to validate and take the same action if validation fails. You just wouldn't need to make the database calls.

Fenton
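The cache-in-front-of-the-database check suggested in the two answers above, as an added example that is not code from the question or from any answer. `ISessionStore` and `SingleSessionGuard` are hypothetical names; `StartSession` and `CheckSession` follow the method names the question mentions, and the store interface stands in for the existing database table.

```csharp
using System;
using System.Web;
using System.Web.Caching;

// Hypothetical stand-in for the table that already holds the session id.
public interface ISessionStore
{
    void SaveActiveSessionId(string userName, string sessionId);
    string LoadActiveSessionId(string userName); // null when no login is recorded
}

public class SingleSessionGuard
{
    private readonly ISessionStore store;
    private readonly TimeSpan ttl;

    public SingleSessionGuard(ISessionStore store, TimeSpan ttl)
    {
        this.store = store;
        this.ttl = ttl;
    }

    private static string Key(string userName)
    {
        return "active-session:" + userName.ToLowerInvariant();
    }

    private void Remember(string userName, string sessionId)
    {
        // Absolute expiry bounds how long a stale entry can outlive the database row.
        HttpRuntime.Cache.Insert(Key(userName), sessionId, null,
            DateTime.UtcNow.Add(ttl), Cache.NoSlidingExpiration);
    }

    // At login: the database stays the source of truth; overwriting the cache
    // entry makes the previously active session fail its next check.
    public void StartSession(string userName, string sessionId)
    {
        store.SaveActiveSessionId(userName, sessionId);
        Remember(userName, sessionId);
    }

    // On every request: cache hit needs no query; a miss (expiry, app recycle)
    // falls back to the database and repopulates the cache.
    public bool CheckSession(string userName, string sessionId)
    {
        string active = HttpRuntime.Cache.Get(Key(userName)) as string;
        if (active == null)
        {
            active = store.LoadActiveSessionId(userName);
            if (active == null) return false; // no recorded login: fail closed
            Remember(userName, active);
        }
        return string.Equals(active, sessionId, StringComparison.Ordinal);
    }
}
```

`HttpRuntime.Cache` is local to one worker process, so on a web farm or web garden a displaced session can keep passing the check on another node until its cached entry expires; the `ttl` value sets that upper bound.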
1

As the other answers state, caching will give you a performance boost here, but do check if you actually require this for an intranet app.

What you are describing breaks the standard model for web applications, and I would question the value of this for purely licensing reasons. Particularly if you intend to try and prevent people opening multiple tabs - you are likely to be embarking on a very difficult task, which will only reduce the quality of your user experience.

Colin Pickard
  • It also has something to do with the fact that different people can use the same login, so I have to kick one of them out of the application. If the same user opens many tabs I don't care... otherwise, if different people work in this application with the same user account, this could be kind of confusing for the user himself, so he gets a warning that someone else has already logged in. Then he can find out in his team who is working and just wait till the other one is finished. – nWorx Jun 26 '09 at 08:47
0

Well, I know this is a very old post, but I recently solved this issue by using the FormsAuthentication ticket. I am checking and maintaining a static dictionary of all logged-in users, with their login timestamps from the FormsAuth ticket. When a second user logs in on a different machine, he updates his timestamp in this dictionary. Now when the first user tries to validate his FormsAuth timestamp, he will find a different timestamp in the dictionary and he will log off his session. In this way, only the newly logged-in user will stay alive.

Dharman
VarunB
-2

Make a database for user login with an additional field Active or something similar. On user authentication, check the value in this field from the user table. If it is already true, display the message "User already Logged in" through JavaScript; if the value of Active is false, update it, set it to true and authenticate the user to the next page or form. Check this in the Page_Load event of the page next in navigation after user authentication. If the user is already logged in, then the page controls can be made read-only; otherwise, records can be changed on the page.

I used this and it worked. There are no session out in my application.

Sameep
  • -1: No need to bump the question to the front page with this answer as it essentially says the same that the person that asked said he didn't want, or thought was unnecessary. In other words, he is already fully aware of this approach, and the accepted answer is the same. – Lasse V. Karlsen Sep 21 '10 at 11:14