Allow only one concurrent login per user in ASP.NET

c# asp.net session session-state
Hiren Dhaduk picture Hiren Dhaduk · Jul 7, 2013 · Viewed 51.1k times · Source

Is it possible to allow only one concurrent login per user in ASP.NET web application?

I am working on a web application in which I want to make sure that the website allows only one login per user at a time. How to check that the current user already logged in or not?

Please suggest proper login method by which we can handle this problem. I think we should use SQL Server session state to handle this problem. What do you suggest?

I thought of one solution for it. We can do something like:

  1. When the user logs into the system then we insert session id in user column. (We will use database session so that we can get all session related data like isexpired, expiredatetime etc easily).

  2. When the same user tries to login a second time then we will check for that session id column and check that session is already expired or not. If session is not expired then we will not allow user to login.

  3. Update user session ID every time when user logs out.

Please suggest whether this is the proper way or not.

Answer

Mike Marks picture Mike Marks · Jul 8, 2013

Please refer to:

When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?

Out of the box, .NET does not support this. .NET allows for concurrent log-ins, as I'm sure you're aware.

I had this same exact requirement, and came up with a pretty slick solution, demonstrated in the link above. In a nutshell, my requirement was to only have one user log-in happening at one time. If that same user ID tried to log in elsewhere, then it killed the session for the first log-in by checking for an existing log-in under a different Session ID (this enabled the user ID to be logged in from multiple instances of their web browser on their computer [same Session ID], which is common, but not from a different computer [different Session ID] (possibly due to someone that stole their credentials, for example)). Through modification of the code you could probably change the behavior of this - i.e., prevent the second log-in attempt instead of killing the first log-in that's already active and in use.

Of course, it may not fit 100% to what you're needing, so feel free to modify it to fit your needs.

Related questions

Detecting Session expiry on ASP.NET MVC

I have built a shopping cart that uses Session State to keep the shopping cart data while the user is browsing the store. I have an issue where if I leave the browser window open for a long time on …

Read More
How to set session timeout in web.config

I have tried very hard but cannot find a solution on how to set session timeout value for in-process session for an ASP.Net web application. I am using VSTS 2008 + .Net 3.5 + C#. Here is what I wrote by myself to …

Read More
How to delete cookies on an ASP.NET website

In my website when the user clicks on the "Logout" button, the Logout.aspx page loads with code Session.Clear(). In ASP.NET/C#, does this clear all cookies? Or is there any other code that needs to be added …

Read More