how to allow only one active session per user

Question

I want to implement a code that enables only one session per user. I use asp.net with forms authentication .

I read this post: Limit only one session per user in ASP.NET

but I want to do the opposite, to disconnect all previous sessions.

here is my code:

 void Application_Start(object sender, EventArgs e) { Application["UsersLoggedIn"] = new System.Collections.Generic.Dictionary<string, string>(); } 

when user logs in, I insert a record : username, sessionID. if the username exists, I just update the sessionID

    void Application_BeginRequest(object sender, EventArgs e)
    {
        System.Collections.Generic.Dictionary<string, string> d = HttpContext.Current.Application["UsersLoggedIn"] as System.Collections.Generic.Dictionary<string, string>;
        if (d != null)
        {
            if (d.Count > 0)
            {
                    string userName = HttpContext.Current.User.Identity.Name;
                    if (!string.IsNullOrEmpty(userName))
                    {
                        if (d.ContainsKey(userName))
                        {
                            if (d[userName] != HttpContext.Current.Session.SessionID)
                            {
                                FormsAuthentication.SignOut();
                                Session.Abandon();
                            }
                        }
                    }
}
}

but I get empty HttpContext.Current.User. I tried also "AuthenticatedRequest", but then I get null Session.

any idea please?

Answer 1

如果要访问HttpContext.Current.User和Session，则应使用AcquireRequestState事件。

Answer 2

如果您处于负载平衡的状态，并且有多台服务器，则需要以某种方式保持这种状态，那么当您需要释放用户锁（终止用户会话或注销）时，就会出现问题。