Allow only one concurrent login per user in ASP.NET

Hiren Dhaduk · Jul 7, 2013 · Viewed 51.1k times

Is it possible to allow only one concurrent login per user in an ASP.NET web application?

I am working on a web application in which I want to make sure that the website allows only one login per user at a time. How can I check whether the current user is already logged in or not?

Please suggest a proper login method by which we can handle this problem. I think we should use SQL Server session state to handle this problem. What do you suggest?

I thought of one solution for it. We can do something like:

  1. When the user logs into the system, we insert the session ID in a column of the user table. (We will use database sessions so that we can easily get all session-related data such as isexpired, expiredatetime, etc.)

  2. When the same user tries to log in a second time, we check that session ID column and check whether the session has already expired or not. If the session has not expired, we do not allow the user to log in.

  3. Update the user's session ID every time the user logs out.

Please suggest whether this is the proper way or not.

Answer

Mike Marks · Jul 8, 2013

Please refer to:

When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?

Out of the box, .NET does not support this. .NET allows for concurrent log-ins, as I'm sure you're aware.

I had this same exact requirement, and came up with a pretty slick solution, demonstrated in the link above. In a nutshell, my requirement was to only have one user log-in happening at one time. If that same user ID tried to log in elsewhere, then it killed the session for the first log-in by checking for an existing log-in under a different Session ID (this enabled the user ID to be logged in from multiple instances of their web browser on their computer [same Session ID], which is common, but not from a different computer [different Session ID] (possibly due to someone that stole their credentials, for example)). Through modification of the code you could probably change the behavior of this - i.e., prevent the second log-in attempt instead of killing the first log-in that's already active and in use.

Of course, it may not fit 100% to what you're needing, so feel free to modify it to fit your needs.
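The two policies discussed on this page (refusing the second login, as in the question, and killing the first session, as in the answer), shown as an added example that is not code from either poster or from the linked question. It assumes a single-server, in-memory store, and the names `SessionRegistry`, `Policy`, `TryLogin`, `IsCurrent` and `Logout` are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added example: all type and member names here are hypothetical.
public enum Policy { RejectSecondLogin, KillFirstSession }

public sealed class SessionRegistry
{
    private sealed class Entry { public string SessionId; public DateTime ExpiresUtc; }

    private readonly Dictionary<string, Entry> _active = new Dictionary<string, Entry>();
    private readonly object _lock = new object();
    private readonly Policy _policy;
    private readonly TimeSpan _timeout;

    public SessionRegistry(Policy policy, TimeSpan timeout) { _policy = policy; _timeout = timeout; }

    // Call after the credential check succeeds. Returns false if the login is refused.
    public bool TryLogin(string userId, string sessionId, DateTime nowUtc)
    {
        lock (_lock)
        {
            Entry e;
            bool live = _active.TryGetValue(userId, out e) && e.ExpiresUtc > nowUtc;
            if (live && e.SessionId != sessionId && _policy == Policy.RejectSecondLogin)
                return false;   // question's scheme: an unexpired session elsewhere blocks the login
            // Same session ID, expired entry, or KillFirstSession: this session becomes the owner.
            _active[userId] = new Entry { SessionId = sessionId, ExpiresUtc = nowUtc + _timeout };
            return true;
        }
    }

    // Call on every authenticated request; false means the session was displaced or has expired.
    public bool IsCurrent(string userId, string sessionId, DateTime nowUtc)
    {
        lock (_lock)
        {
            Entry e;
            if (!_active.TryGetValue(userId, out e) || e.SessionId != sessionId || e.ExpiresUtc <= nowUtc)
                return false;
            e.ExpiresUtc = nowUtc + _timeout;   // sliding expiration, so abandoned sessions age out
            return true;
        }
    }

    // Only the owning session may clear the entry, so a displaced session cannot log the new one out.
    public void Logout(string userId, string sessionId)
    {
        lock (_lock)
        {
            Entry e;
            if (_active.TryGetValue(userId, out e) && e.SessionId == sessionId) _active.Remove(userId);
        }
    }
}
```

With `RejectSecondLogin`, the expiry check is what keeps a user who closed the browser without logging out from being locked out indefinitely. On a web farm the same logic would need a shared store such as the database column proposed in the question.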