How to tackle this session problem in ASP.NET,VB.NET?

Question

How to tackle this session problem in ASP.NET,VB.NET?

The following requirement are there:

When the authorized user logs into the system that user is not allowed to login from another computer or in different browser other than that user is using right at this time.

The remedy we applied was: We have kept "Is_Loggedin" as a column with data type "bit" in a mst_vendor as a table name. When a user logs in we set the flag, Is_Loggedin, to "1" and each time when someone tries to log in using this account, the system is showing the error "The user is already logged in.".

When the user logs out it turns to "0" as the logout procedure calls as soon as the user clicks the log out button.

Problem scenario:

1. When the user closes the browser the flag remains the same, that is, "1".

2. When power gets off, it remains the same as "1".

3. If the session timeouts after a predefined value it remains the same.

4. There may be different scenarios other than this.

Is there any way so that we can store this internal flagging for the user's login status using the application object?

It may improve efficiency of the system and also eliminates the above problematic scenarios.

Answer 1

You should use the Global.asax file and use the Session_End function.

Session_End: Fired when a user's session times out, ends, or they leave the application Web site .

Answer 2

Store a datetime as another column next to the bit, and update it each and every time the user requests a page.

When a new user comes along with the same credentials and the bit is "1" you can check the datetime, and if it was a while ago you can be certain the user is no longer there. So let the login go ahead.

Answer 3

You could keep a pulse going in script, and when the pulse times out, consider the user finished with that session.

The benefit to this is that you can tell the difference between the user sitting idle on the site and the user leaving the site.

Answer 4

Yeah, a script would be a good idea. Just set the session timeout to be 5 minutes instead of 20 and then write a method into session.end in the global.asax file that updates the database accordingly.

Answer 5

From a very top level view, here is what you can do

• Use Cache with SlidingExpiration.

• Everytime a user attempts login, check the cache with his username as the key. If an entry exists in the cache, you can say that user is already logged in and deny login.

• If the key is not found, allow login and create a new key in the cache as the username and set the sliding expiration time. (This should be carefully chosen as this would be the duration, the user wouldnt be locked out after the browser is closed and user attempts to relogin.)

• In the Application_PreRequestHandlerExecute handler in Global, check if the user is currently active (you can use sessions for this), reset the sliding expiration time for the user. This way, with each page request the cache expiration time would be reset.

• If the user closes the browser and moves off, the cache would expire after the set period of time, and would free the user to log in again.

• if in case the user attempts to login again before the cache expires, the user would have to wait for some time to let the cache expire.

• if the user logs off properly, you can remove the cache entry on the logoff event such that user doesnt have to wait to relogin.

The Sliding expiration timeout can be synced with session timeout to emulate the actual session timeout for the application.

With this approach, you would also save on a lot of database round trips to update/check the user status and this would work irrespective of the hosting enviornment or the session modes.