
I am trying to allow a user account to be logged in only once at a time.

E.g. a user logs in via the browser on their computer; now they can't log in at the same time on their phone, as they are already logged in.

I can add a bool property to my user entity, that I can update when the user logs in and logs out.

However, I am using SlidingExpiration on the authentication cookie, therefore when the cookie expires it doesn't update my user property to say they are now logged out.

ExpireTimeSpan = <time period>,
SlidingExpiration = true,

Is there any better approach to restricting concurrent logins?

Thanks

  • You can try to add this logic in the Global.asax on the Session_End method (and save this to the database instead). Commented May 23, 2014 at 10:58
  • Sounds so simple but "being logged in" is not so easy to define in a stateless environment. I would critically examine the chain of thought that led to this requirement. After you have implemented this you'll probably end up removing it again. Commented May 23, 2014 at 11:02
  • Just because it was designed not to save state, doesn't mean you shouldn't use it that way. Commented May 23, 2014 at 11:10
  • There will eventually be a limit to the number of concurrent users on the system. So to prevent one account being used by multiple people this is needed. Commented May 23, 2014 at 11:26

2 Answers


Can you generate a token at login and store it in the database?
Then check every time whether the token matches the one provided by the user.
If he logs in on another device, the token will be overwritten and won't match the first one, so the first session will become invalid.

EDIT:
As you asked in a comment, this doesn't block a user from performing a second login on another device concurrently; it only invalidates the previous sessions.
Avoiding a second login requires more work and isn't as safe as the method shown above.
Imagine that the user closes the browser without logging out... It will block the session.
An approximation of what you want would be adding a time parameter to your login (storing it in the database too, and updating the field on every action by the user).
Then show the message "you can't log in twice" if the token doesn't match and the time span is not long enough (e.g. 5 minutes). But in my example you need to show "your session expired" if the token has changed anyway.


1 Comment

There's a field for this out of the box too. I don't think it's used in V1.

"The idea is very simple: every time the user logs in you have to generate a random token, then you should save that token in the database and in the session, or if you are using Microsoft forms authentication you can save it in the ticket; then each time the user requests a page you'll check if the session token is the same as the database token, and if not, kick him out!"

http://engthunder.wordpress.com/2011/10/19/preventing-multiple-user-from-logging-in-using-the-same-username-single-user-login-at-a-time/

2 Comments

Using this approach, does the second attempt log in? I want to show a page saying "This account is already logged in", rather than block the first login.
This approach just tells you if the same account is logged in more than once; what you do with that info is up to you.
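The token-per-login scheme both answers describe, combined with the last-activity window from the first answer's EDIT, as an added example (my code, not from either answer or the linked post). It assumes the token is carried in the auth ticket as a claim next to the user id, that `LoginRecord` stands in for two columns on the user table, and that the in-memory dictionary replaces the real database so the sample runs on its own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// One row per user; in a real app these are columns on the user table (assumed schema).
public class LoginRecord { public string Token; public DateTime LastActivity; }

public class SingleSessionGuard
{
    // In-memory stand-in for the database so the sample runs on its own.
    private readonly Dictionary<string, LoginRecord> _db = new Dictionary<string, LoginRecord>();
    private readonly TimeSpan _activeWindow;
    public SingleSessionGuard(TimeSpan activeWindow) { _activeWindow = activeWindow; }

    // Returns a fresh token, or null when another session was active less than activeWindow ago.
    // The window is what stops a browser closed without logout from locking the account forever.
    public string TryLogin(string userId, DateTime now)
    {
        LoginRecord rec;
        if (_db.TryGetValue(userId, out rec) && now - rec.LastActivity < _activeWindow)
            return null; // caller shows "This account is already logged in"
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        _db[userId] = new LoginRecord { Token = token, LastActivity = now };
        return token; // put it in the auth ticket (e.g. as a claim) next to the user id
    }

    // Call on every request, e.g. from CookieAuthenticationProvider.OnValidateIdentity;
    // sign the user out when it returns false ("your session expired").
    public bool Validate(string userId, string token, DateTime now)
    {
        LoginRecord rec;
        if (!_db.TryGetValue(userId, out rec) || rec.Token != token) return false;
        rec.LastActivity = now; // slide the window while the session is in use, like SlidingExpiration
        return true;
    }

    public void Logout(string userId) { _db.Remove(userId); }

    public static void Main()
    {
        var guard = new SingleSessionGuard(TimeSpan.FromMinutes(5));
        var t0 = new DateTime(2014, 5, 23, 11, 0, 0, DateTimeKind.Utc);
        string desktop = guard.TryLogin("alice", t0);               // first login: token issued
        string phone = guard.TryLogin("alice", t0.AddMinutes(2));   // null: desktop active 2 min ago
        string later = guard.TryLogin("alice", t0.AddMinutes(6));   // idle > 5 min: phone gets in
        bool desktopStillValid = guard.Validate("alice", desktop, t0.AddMinutes(7)); // false: replaced
        Console.WriteLine("phone blocked=" + (phone == null) + ", later ok=" + (later != null) + ", desktop valid=" + desktopStillValid);
    }
}
```

In production, compare the stored and presented tokens with a fixed-time comparison and take `now` from the server clock on each request; `Validate` is the check that OWIN's `OnValidateIdentity` callback would run per request, so a cookie that outlives its token is rejected even with sliding expiration.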
