Add a List<string> object to an Application variable.
When a user logs in, store the username in this Application variable only if the UserName is not already in this List<string> object.
If it exists, then don't allow logging in; say somebody is logged in.
Sample code will be as follows -
in the Login Page -> Before validating the user check
    List<string> userList = null;
    if (Application["Users"] == null)
        userList = new List<string>();
    else
        userList = Application["Users"] as List<string>;
    //Do this after User is validated
    if (userList.Contains(currentUserName))
        return "User already logged-in";
    else
    {
        userList.Add(currentUserName);
        Application["Users"] = userList;
    }
Using the above logic you can restrict multiple users logging in. If it resolves your problem let me know.
bhupender
Member
347 Points
63 Posts
Force All Users to Log Off using same loginId and password
Feb 21, 2012 09:20 AM
Force All Users to Log Off using same loginId and password
CharyXNS
Member
331 Points
70 Posts
Re: Force All Users to Log Off using same loginId and password
Feb 21, 2012 09:30 AM
Correct me if I'm wrong. Are you saying only one user at a time will be active, and other users on different sessions with the same user id will be logged out?
Pandu
Mark as Answer if it helps you.
bhupender
Member
347 Points
63 Posts
Re: Force All Users to Log Off using same loginId and password
Feb 21, 2012 09:34 AM
Yes,
CharyXNS, you are correct. Please advise.
CharyXNS
Member
331 Points
70 Posts
Re: Force All Users to Log Off using same loginId and password
Feb 21, 2012 09:46 AM
Sample code will be as follows -
in the Login Page -> Before validating the user check
    //Do this after User is validated
    if (userList.Contains(currentUserName))
        return "User already logged-in";
    else
    {
        userList.Add(currentUserName);
        Application["Users"] = userList;
    }
Pandu
Mark as Answer if it helps you.
DMW
All-Star
15943 Points
2353 Posts
Re: Force All Users to Log Off using same loginId and password
Feb 21, 2012 10:13 AM
CharyXNS
I'm afraid to say that your code is an absolute disaster.
The problems include:
1. No thread safety
2. No support for multiple web servers (i.e. web farms/gardens)
3. Once user logs out they won't be able to log back in again
4. If user's authentication ticket times out, they won't be able to log back in again
There are lots of general issues with restricting a single sign on for an account, not the least of which is how to handle situations such as power outages, where users never get the option to log out. This can put an intolerable lot on a support desk, and opens you up to social engineering attacks.
To get to something approaching a solution, you need to track in a database - not the application object - things such as login/logout time. And you need to build in a mechanism for closing down logged in users if someone logs in with the same credentials. This can be achieved by creating and storing a GUID, say, in the Session object when the user logs in, and then handle the AuthorizeRequest event to check that the GUID matches the one assigned to that user. If it doesn't then it means that someone else has logged in with the same credentials, so fail the request.
Dave
bhupender
Member
347 Points
63 Posts
Re: Force All Users to Log Off using same loginId and password
Feb 21, 2012 10:46 AM
Thanks for the reply, but when a user tries to log in with the same login id and password, then it is allowed to log in and the other user who has already logged in is signed out automatically.
DMW
All-Star
15943 Points
2353 Posts
Re: Force All Users to Log Off using same loginId and password
Feb 21, 2012 10:50 AM
That's exactly what I'm proposing with recording a GUID in the Session for that user and in the database.
Then, when the session GUID doesn't match the one in the database, the user will fail the authorisation check and will have to log on again.
The process is
1. User logs in. Write GUID to Session and Database table against that user id
2. Request comes in. In AuthorizeRequest event, check the GUID in the session against the GUID in the database table. If GUIDs don't match, then fail the authorization, wipe the user's authentication ticket and redirect them to the login page. This effectively forces the user to log off.
Dave
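One way to implement the two-step process outlined above, as an added example that is not code from the thread or from the linked article. It carries the GUID in the forms-authentication ticket's UserData rather than in Session, because Session state is not yet loaded when AuthorizeRequest fires. The Users table with a SessionToken column, the "AppDb" connection string and the 30-minute ticket lifetime are assumptions.

```csharp
// Added example. Assumed: forms authentication is enabled, a table
// Users(UserName, SessionToken), and a connection string named "AppDb".
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

public static class SingleSession
{
    // Step 1: call after the password check succeeds. The new GUID
    // overwrites the stored one, so any older ticket stops matching.
    public static void SignIn(HttpResponse response, string userName)
    {
        string token = Guid.NewGuid().ToString("N");
        Db("UPDATE Users SET SessionToken=@t WHERE UserName=@u", userName, token);
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, token); // GUID rides in UserData
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL });
    }

    // Step 2: wire up in Global.asax.cs:
    //   protected void Application_AuthorizeRequest(object s, EventArgs e)
    //   { SingleSession.Enforce(Context); }
    public static void Enforce(HttpContext ctx)
    {
        var id = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (id == null) return; // anonymous request, nothing to compare
        var current = Db("SELECT SessionToken FROM Users WHERE UserName=@u", id.Name, null) as string;
        if (string.Equals(current, id.Ticket.UserData, StringComparison.Ordinal)) return;
        FormsAuthentication.SignOut();             // wipe the stale ticket
        FormsAuthentication.RedirectToLoginPage(); // a newer login owns the account
        ctx.ApplicationInstance.CompleteRequest(); // redirect alone does not stop the page
    }

    static object Db(string sql, string user, string token)
    {
        var cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.AddWithValue("@u", user);
            cmd.Parameters.AddWithValue("@t", (object)token ?? DBNull.Value);
            con.Open();
            return cmd.ExecuteScalar(); // null for UPDATE, the token for SELECT
        }
    }
}
```

Setting SessionToken to NULL on logout makes a copied ticket fail the same comparison, and because the check costs one database read per authenticated request, a short-lived cache in front of it is worth considering on busy sites.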
bhupender
Member
347 Points
63 Posts
Re: Force All Users to Log Off using same loginId and password
Feb 21, 2012 10:56 AM
Thanks for the reply, DMW, and for what you have suggested. Can you please give the code or some links to do that?
DMW
All-Star
15943 Points
2353 Posts
Re: Force All Users to Log Off using same loginId and password
Feb 21, 2012 11:05 AM
I just did a quick Google search and found this, which is very much on the lines I've outlined above.
http://geekswithblogs.net/Frez/archive/2010/05/17/preventing-a-user-from-having-multiple-concurrent-sessions.aspx
Hope that it's useful for you.
Dave