
Prevent simultaneous concurrent & maximum logins in User group

Is it possible to allow only one concurrent login per user in an ASP.NET web application?

I am working on a web application in which I want to make sure that the website allows only one login per user at a time. How can I check whether the current user is already logged in or not?

I also want to limit the number of logins per group as defined, e.g. a maximum of 10 IT department people can log in at a time, and a maximum of 5 HR department people can log in.

I am using a simple database to store the login information.

So there are two different things that you need to keep track of here and check on.

The first is that, when someone logs in, you'll want to invalidate any previous sessions for that username. This prevents the trivial case of someone logging in on one machine and then logging in on another machine, as the first machine will no longer be able to make any new authenticated requests. This will be sufficient in most cases for dealing with users who aren't actively trying to subvert this restriction.

The next is a little bit more complicated. What you need to look for is users making requests to your server using the same authenticated session ID but with different IPs, browsers, etc. What you'll be looking for is dealing with the case where one person logs in, then looks at the session information in their cookie, and then re-creates an identical cookie with the same session ID on another machine.

That second approach does have its issues though. Most people don't have entirely static IPs. An entirely static IP is actually very rare. That said, for most users their IP is not rotated very often; they're unlikely to see it change while actively using the site. These people are not going to have any problems if using the site appropriately. However, there are going to be some people whose internet providers will rotate their IPs frequently. These people may not be doing anything inappropriate either. If you don't deal with the fact that people's IPs may be frequently changing, you could end up constantly kicking out all users from certain internet providers.

What you really want to be looking out for is cases where there is an action performed by a user with a given IP/session, then an action on the same account from a different IP with the same session, then more actions from the first IP, followed by more from the second, etc. When you see this flip-flopping between two IPs in a very short span of time, it's a strong indication that two people on two different machines are accessing the account. You can further improve this metric by incorporating other aspects of each request, such as the browser information (with the version, down to the lowest version component).
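The flip-flop check described in the answer above, as an added example that is not part of the original post and is written in Python rather than ASP.NET to keep it short. The window length, the switch threshold, the event tuple layout and the sample requests are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # assumed value for "a very short span of time"
MIN_SWITCHES = 3      # A->B->A->B; a single A->B is ordinary IP rotation

def find_shared_sessions(events, window=WINDOW_SECONDS, min_switches=MIN_SWITCHES):
    """Return session IDs whose requests alternate between clients.

    events: iterable of (epoch_seconds, session_id, ip, user_agent).
    """
    last_client = {}               # session_id -> (ip, user_agent) of last request
    switches = defaultdict(deque)  # session_id -> recent (time, new_client) changes
    flagged = set()
    for ts, sid, ip, ua in sorted(events):
        client = (ip, ua)
        prev = last_client.get(sid)
        last_client[sid] = client
        if prev is None or prev == client:
            continue  # first request, or same client as before
        recent = switches[sid]
        recent.append((ts, client))
        while ts - recent[0][0] > window:
            recent.popleft()  # forget changes outside the time window
        distinct = {c for _, c in recent}
        # Enough changes in the window, and at least one of them went back to
        # a client already seen: that is flip-flopping, not IP rotation.
        if len(recent) >= min_switches and len(distinct) < len(recent):
            flagged.add(sid)
    return flagged

# Constructed sample requests (documentation IP ranges, made-up session IDs).
UA1 = "Mozilla/5.0 Firefox/115.0"
UA2 = "Mozilla/5.0 Chrome/120.0.6099.71"
SAMPLE_EVENTS = [
    (1000, "sess-a", "203.0.113.10", UA1),  # two machines sharing one cookie
    (1020, "sess-a", "198.51.100.7", UA2),
    (1035, "sess-a", "203.0.113.10", UA1),
    (1050, "sess-a", "198.51.100.7", UA2),
    (1000, "sess-b", "203.0.113.20", UA1),  # one IP change: provider rotation
    (1400, "sess-b", "203.0.113.21", UA1),
    (1000, "sess-c", "192.0.2.1", UA1),     # frequent rotation, never goes back
    (1060, "sess-c", "192.0.2.2", UA1),
    (1120, "sess-c", "192.0.2.3", UA1),
    (1180, "sess-c", "192.0.2.4", UA1),
]

if __name__ == "__main__":
    print(find_shared_sessions(SAMPLE_EVENTS))
```

A flagged session is a candidate for invalidation and re-authentication; the single IP change and the steadily rotating IP are left alone, which is the false-positive case the answer warns about.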
