I need to allow for only one ASP . NET session per user at any one time. What I need to do is if a user has an application opened in one browser session and they log into the same application in a different browser the first browser session, or login, needs
to be killed so that new login is the only active session. Has anyone done this before?
You did not specify what you are using, but here is what I do
I´m using Webforms with Membership and LoginView Control, this what I do to not allow users be logged more then one time.
When user try a second login, existing session is logged out, and user have to loggin again
On Login page and using LoginView control, at LoggedIn event, register SessionID
If zMultilogin = False Then
'Afeter first login , to prevent multiple sessions, whe have to save SessionID on Cache, this value will be compared on second login
Dim zLogin As Login = LoginView1.FindControl("Login1")
Dim zUsuario As MembershipUser = Membership.GetUser(zLogin.UserName) 'Get current Username
Dim zID As String = zUsuario.ProviderUserKey.ToString 'Get Priveder UserKey
'Create a Session variable, just to fix Session, so it does not keep changing on each page load Session("dfe") = "#dfeloggedin#" 'Use any name and any value, it is just to prevent Session value change on each page load
'Register on Cache the SessionID value, using ProviderUserKey of user
System.Web.HttpContext.Current.Cache(zID) = Session.SessionID
End If
On PageLoad verify if Current SessionID is same, if not Logout existing Session and redirect to Login page
If zMultilogin = False Then ' If Multilogin is not allowed
'If same user is trying another session, force logoof current session
Dim zSessionID As String = System.Web.HttpContext.Current.Session.SessionID
Dim zContext = System.Web.HttpContext.Current
Dim zUser = Membership.GetUser
'Veify is user is authenciated and if SessionID is same stored on cache
If zContext.Request.IsAuthenticated AndAlso Not zContext.Cache(zUsuario.ProviderUserKey.ToString) = zSessionID Then
FormsAuthentication.SignOut() 'Logout current (existing) session
Response.Redirect("~/Login.aspx") 'Redirect to login page
End If
End If
I saw something like that before but I'm using Windows authentication. I'm not using Forms authentication. This is the problem. Also it appears you are comparing the session id to the current browser session. How do I compare it to a browser session on another
machine?
How does identity work in work in Windows authentication?
Use windows auth as an external login.
Another option is creating a cookie where the username is the key and a GUID is the value. Also store the username and GUID value in a DB table. If the user has the cookie but the GUID value does not match then do not allow the user to access the site.
Member
57 Points
188 Posts
Killing a remote session from a different session.
Nov 18, 2018 03:13 PM|uid633445|LINK
Participant
1091 Points
673 Posts
Re: Killing a remote session from a different session.
Nov 18, 2018 07:11 PM|jzero|LINK
You did not specify what you are using, but here is what I do
I´m using Webforms with Membership and LoginView Control, this what I do to not allow users be logged more then one time.
When user try a second login, existing session is logged out, and user have to loggin again
On Login page and using LoginView control, at LoggedIn event, register SessionID
If zMultilogin = False Then 'Afeter first login , to prevent multiple sessions, whe have to save SessionID on Cache, this value will be compared on second login Dim zLogin As Login = LoginView1.FindControl("Login1") Dim zUsuario As MembershipUser = Membership.GetUser(zLogin.UserName) 'Get current Username Dim zID As String = zUsuario.ProviderUserKey.ToString 'Get Priveder UserKey 'Create a Session variable, just to fix Session, so it does not keep changing on each page load Session("dfe") = "#dfeloggedin#" 'Use any name and any value, it is just to prevent Session value change on each page load 'Register on Cache the SessionID value, using ProviderUserKey of user System.Web.HttpContext.Current.Cache(zID) = Session.SessionID End IfOn PageLoad verify if Current SessionID is same, if not Logout existing Session and redirect to Login page
If zMultilogin = False Then ' If Multilogin is not allowed 'If same user is trying another session, force logoof current session Dim zSessionID As String = System.Web.HttpContext.Current.Session.SessionID Dim zContext = System.Web.HttpContext.Current Dim zUser = Membership.GetUser 'Veify is user is authenciated and if SessionID is same stored on cache If zContext.Request.IsAuthenticated AndAlso Not zContext.Cache(zUsuario.ProviderUserKey.ToString) = zSessionID Then FormsAuthentication.SignOut() 'Logout current (existing) session Response.Redirect("~/Login.aspx") 'Redirect to login page End If End IfMember
57 Points
188 Posts
Re: Killing a remote session from a different session.
Nov 18, 2018 07:44 PM|uid633445|LINK
I saw something like that before but I'm using Windows authentication. I'm not using Forms authentication. This is the problem. Also it appears you are comparing the session id to the current browser session. How do I compare it to a browser session on another machine?
All-Star
53711 Points
24031 Posts
Re: Killing a remote session from a different session.
Nov 18, 2018 11:43 PM|mgebhard|LINK
Member
57 Points
188 Posts
Re: Killing a remote session from a different session.
Nov 19, 2018 02:09 AM|uid633445|LINK
All-Star
53711 Points
24031 Posts
Re: Killing a remote session from a different session.
Nov 19, 2018 12:31 PM|mgebhard|LINK
Use windows auth as an external login.
Another option is creating a cookie where the username is the key and a GUID is the value. Also store the username and GUID value in a DB table. If the user has the cookie but the GUID value does not match then do not allow the user to access the site.
Participant
1091 Points
673 Posts
Re: Killing a remote session from a different session.
Nov 19, 2018 02:23 PM|jzero|LINK
Every time you load on different browser or different machine you get a new SessionID