如何防止同一用户在不同电脑上同时登录

Question

We have build a intranet application where users have to login to do certain tasks... We have to make sure that no "application user" is logged in more than once at the same time.

So what I do at the moment is that I store the current asp .net session id in the database and then i compare at every page load wheter they are same or not. The session id is stored in the database when the user logs in.

But by using this kind check, there is always a database select needed. So I don't like this way very much. There must be a more elegant way to solve this, or?

We use ASP .Net2, C#..

Thanks in advance for any input

[Info Update]

I have already created a custom Membershipprovider and a custom Membershippuser. The Membershipuser has a method called "StartSession(string sessionId)" which is used, when the user logs in.

The other method CheckSession(string sessionId) is used at every postback, and it compares the current session id with the session id stored in the database.

[Update] Thanks everybody for your input. I will now use the cache to prevent permanent database access. I first thought that there is already a Class or something that is already handling this problem.

Answer 1

Your existing approach of storing this info in the DB is reasonable, it helps if things scale up.

However you could also use the System.Web.Caching.Cache object to track a users current session as well. If finding the info in the cache object fails fall back to reading it from the DB then place that info in the cache for the benefit of subsequent requests.

Answer 2

Whilst digging around for something related to this earlier today I ran across this article that may be of use:

Preventing Multiple Logins in ASP.NET (EggHead Cafe)

Answer 3

The main change I would suggest is that you create a session cache to check against, rather then using the database on every page load.

It would work in a similar way - you would check the session id in the cache to validate and take the same action if validation fails. You just wouldn't need to make the database calls.

Answer 4

As the other answers state, caching will give you a peformance boost here, but do check if you actually require this for an intranet app.

What you are describing breaks the standard model for web applications, and I would question the value of this for purely licensing reasons. Particularly if you intend to try and prevent people opening multiple tabs - you are likely to embarking on a very difficult task, which will only reduce the quality of your user experience.

Answer 5

Well, I know, this is very old post, But I recently solved this issue, by using, formsauthentication ticket, I am checking and maintaining a static dictionary of all loggged in users, with their login timestamps from formsauth ticket. When a second user logs in on different machine, he updates his timestamp in this dictionary, Now when first user will try to validate his FormsAuth timestamp, he will find a different timestamp in the dictionary and he will log off his session, In this way, only newly logged in user will stay alive..

Answer 6

Make a database fro user login with an additonal field Active or something similar. On user authentication check for the value in this field from the user table if it is already true display message through javascript "User already Logged in" if the value of Active is false , update and set it to true and authenticate user to next page or form. Check this on page_load event of page next in navigation after user authentication. if user is already login then the page controls can be made read only else, records can be changed on the page.

I used this and it worked. there are no session out in my application.