Last post Feb 21, 2012 11:05 AM by DMW
Feb 21, 2012 09:20 AM|LINK
Force All Users to Log Off using same loginId and password
Feb 21, 2012 09:30 AM|LINK
Correct me if I'm wrong. Are you saying only one user at a time will be active, and other users on different sessions with the same user id will be logged out?
Feb 21, 2012 09:34 AM|LINK
Feb 21, 2012 09:46 AM|LINK
Sample code will be as follows -
in the Login Page -> Before validating the user check
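List<string> userList = null;
if (Application["Users"] == null)
    userList = new List<string>();
else
    userList = Application["Users"] as List<string>;

// Do this after User is validated
// (userName is an assumed variable holding the login id being checked)
if (userList.Contains(userName))
    return "User already logged-in";
userList.Add(userName);
Application["Users"] = userList;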
Using the above logic you can restrict multiple users logging in. If it resolves your problem, let me know.
Feb 21, 2012 10:13 AM|LINK
I'm afraid to say that your code is an absolute disaster.
The problems include:
1. No thread safety
2. No support for multiple web servers (i.e. web farms/gardens)
3. Once user logs out they won't be able to log back in again
4. If user's authentication ticket times out, they won't be able to log back in again
There are lots of general issues with restricting a single sign on for an account, not the least of which is how to handle situations such as power outages, where users never get the option to log out. This can put an intolerable lot on a support desk, and opens you up to social engineering attacks.
To get to something approaching a solution, you need to track in a database - not the application object - things such as login/logout time. And you need to build in a mechanism for closing down logged in users if someone logs in with the same credentials.
This can be achieved by creating and storing a GUID, say, in the Session object when the user logs in, and then handle the AuthorizeRequest event to check that the GUID matches the one assigned to that user. If it doesn't then it means that someone else has logged in with the same credentials, so fail the request.
Feb 21, 2012 10:46 AM|LINK
Thanks for the reply, but when a user tries to log in with the same login id and password, then it is allowed to log in and the other user who has already logged in is signed out automatically.
Feb 21, 2012 10:50 AM|LINK
That's exactly what I'm proposing with recording a GUID in the Session for that user and in the database.
Then, when the session GUID doesn't match the one in the database, the user will fail the authorisation check and will have to log on again.
The process is
1. User logs in. Write GUID to Session and Database table against that user id
2. Request comes in. In AuthorizeRequest event, check the GUID in the session against the GUID in the database table. If GUIDs don't match, then fail the authorization, wipe the user's authentication ticket and redirect them to the login page. This effectively forces the user to log off.
Feb 21, 2012 10:56 AM|LINK
Thanks for the reply DMW, and for what you have suggested. Can you please give the code or some links to do that?
Feb 21, 2012 11:05 AM|LINK
I just did a quick Google search and found this, which is very much on the lines I've outlined above.
Hope that it's useful for you.
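The two-step process DMW outlines above, as an added example that is not code from any poster in this thread or from the linked page. It assumes forms authentication; `LoginTokenStore` and the `"LoginToken"` session key are hypothetical names, and the in-memory dictionary only stands in for the database table. ASP.NET has not loaded Session when AuthorizeRequest fires, so this sketch runs the comparison in PostAcquireRequestState instead.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Stand-in for the database table (user id -> current login GUID).
// Assumption: in a web farm this must be a shared table, not process memory.
public static class LoginTokenStore
{
    static readonly ConcurrentDictionary<string, Guid> Tokens =
        new ConcurrentDictionary<string, Guid>(StringComparer.OrdinalIgnoreCase);

    // Step 1: call after the credentials are validated. A newer login
    // overwrites the stored GUID, which invalidates every older session.
    public static Guid Issue(string userId)
    {
        Guid token = Guid.NewGuid();
        Tokens[userId] = token;
        return token;
    }

    public static bool IsCurrent(string userId, Guid token)
    {
        Guid stored;
        return Tokens.TryGetValue(userId, out stored) && stored == token;
    }
}

// Login page, after validation (userName is the validated login id):
//   Session["LoginToken"] = LoginTokenStore.Issue(userName);
//   FormsAuthentication.RedirectFromLoginPage(userName, false);

public class Global : HttpApplication
{
    // Step 2: compare the session's GUID with the stored one on each request.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        // Handlers without session state (e.g. static files) are not checked here.
        if (ctx.Session == null || !ctx.Request.IsAuthenticated) return;

        object held = ctx.Session["LoginToken"];
        if (held is Guid && LoginTokenStore.IsCurrent(ctx.User.Identity.Name, (Guid)held))
            return;

        // GUID missing or superseded: fail closed and force a fresh login.
        FormsAuthentication.SignOut();              // wipe the authentication ticket
        ctx.Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
        ctx.ApplicationInstance.CompleteRequest();  // skip the page handler
    }
}
```

A session that expires while the authentication ticket is still valid also fails the check, so the user is sent back to the login page rather than being let through without a GUID.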