Limit only one session per user in ASP.NET

Question

无论如何检测用户何时登录是否已经有另一个具有相同用户名的会话，并阻止他再次登录或向他发送消息？

Answer 1

You could always implement the events in global.asax.

Implement Application_Start() to setup a System.Collections.Dictionary (or at your preference) and store that in the Application[] collection, when a user logsin, add the username. Remove from the collection in Session_End(). Remember to use the 'lock' keyword while working with the collection :)

Have fun!

Example:

[page.aspx]
public partial class page : System.Web.UI.Page {
    protected bool Login(string userName) {
        System.Collections.Generic.List<string> d = Application["UsersLoggedIn"]
            as System.Collections.Generic.List<string>;
        if (d != null) {
            lock (d) {
                if (d.Contains(userName)) {
                    // User is already logged in!!!
                    return false;
                }
                d.Add(userName);
            }
        }
        Session["UserLoggedIn"] = userName;
        return true;
    }

    protected void Logout() {
        Session.Abandon();
    }
}

[global.asax]
<%@ Application Language="C#" %>
<script RunAt="server">
    void Application_Start(object sender, EventArgs e) {
        Application["UsersLoggedIn"] = new System.Collections.Generic.List<string>();
    }

    void Session_End(object sender, EventArgs e) {
        // NOTE: you might want to call this from the .Logout() method - aswell -, to speed things up
        string userLoggedIn = Session["UserLoggedIn"] == null ? string.Empty ? (string)Session["UserLoggedIn"];
        if (userLoggedIn.Length > 0) {
            System.Collections.Generic.List<string> d = Application["UsersLoggedIn"] 
                as System.Collections.Generic.List<string>;
            if (d != null) {
                lock (d) {
                    d.Remove(userLoggedIn);
                }
            }
        }
    }
</script>   

Answer 2

I've implemented this where when a user logs in it sets a flag in the DB that they are logged in. It was an int representing how many times they are logged in. We allowed two. Then would just check that when validating the user.

Answer 3

You can, by keeping track of users logged in, in your global.asax by using the Application object.

In the Session_Start method or your login method, you can check if the user is stored in the Application object.

On the Session_End method or in your logoff method, you'll need to remove the user from the Application object.

Answer 4

Don't store it in the DB if you cannot identify user logout event (they may click logout, close the tab, close the whole browser, or may just shutdown the computer...). Use session to do the same checking instead.

Answer 5

You could store the SessionID of a user in a database. On each login, store a combination of Unique username and SessionID into the database. In the masterpage you include the query to the database, to check wether the last login for the currently used username was from the same session. If not, abandon the session and redirect to the login page.

The behaviour I posted should log out the second user. You may change the Session.Abandon to your desired behaviour