
Prevent multiple logons for a single user in ASP .Net

I am looking at how best to prevent a single user account logging on multiple times in a webforms application. I know that MembershipUser.IsOnline exists, but I've read a few forum and blog entries suggesting that this can be unreliable, particularly in scenarios where a user closes a browser (without logging out) and attempts to logon with a different machine or browser.

I looked at implementing a last past the post type system; when a user logs on older users are simply kicked off. It seems that FormsAuthentication.Signout() only works for the current user.

Am I missing a trick, is there a better way to prevent the same username logging on from multiple different locations?


I had this same problem recently and here is how I solved it. I put a value into the Cache that expires after X minutes. In my code I have an AJAX callback every Y minutes (y

When a user tries to log on it checks first to see if their credentials are valid. If they are it then goes and checks to see if the cache value for that user exists. If it does I know that there is someone logged on with these credentials. I then allow the user to either Cancel or Log the Other user out. If they click Log the other user out the cache value is changed to the new value and the original user is redirected to the login page the next time they have an AJAX callback described above. Overall it works pretty well with no complaints from our users.

Several Notes on this technique:

  1. You cannot use SessionID as suggested above because it changes each time a session variable is called depending on your setup. We ran into this face first on our first attempt to make this work.

  2. You can have two users logged in for Y minutes before one gets booted out so choose your times wisely.

  3. If a user tries to login before the cache expires (say after closing the window) they will get the message that another user is logged in.
  4. When setting your Cache Value you cannot use just numbers as they conflict with some internal ASP.NET stuff. Make sure you add a key to the start of the value.
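The technique described in this answer, as an added example that is not the answerer's own code: a small helper built on ASP.NET's in-process Cache (System.Web.Caching). The class and method names are hypothetical; X is the sliding lifetime of the entry, and the page's AJAX callback every Y minutes (Y shorter than X) calls Heartbeat. The cache is per worker process, so a web farm would need a shared store instead.

```csharp
using System;
using System.Web;
using System.Web.Caching;

public enum LogonResult { Accepted, AlreadyLoggedOn }

// Hypothetical helper implementing the cache-based single-logon check.
public static class SingleLogonGuard
{
    // Prefix so the cache key is never purely numeric (see note 4 above).
    private const string KeyPrefix = "logon:";
    // X: how long a logon entry survives without a heartbeat (sliding).
    private static readonly TimeSpan EntryLifetime = TimeSpan.FromMinutes(5);

    private static string Key(string userName)
    {
        return KeyPrefix + userName.ToLowerInvariant();
    }

    // Call only after the credentials have been validated. Returns AlreadyLoggedOn
    // when a live entry exists and takeOver is false; otherwise issues a new token
    // that the caller stores for this logon (e.g. in Session), not the SessionID (note 1).
    public static LogonResult TryLogon(string userName, bool takeOver, out string token)
    {
        string key = Key(userName);
        token = null;
        if (HttpRuntime.Cache[key] != null && !takeOver)
            return LogonResult.AlreadyLoggedOn;

        token = Guid.NewGuid().ToString("N");   // fresh random token per logon
        HttpRuntime.Cache.Insert(key, token, null, Cache.NoAbsoluteExpiration, EntryLifetime);
        return LogonResult.Accepted;
    }

    // Called from the periodic AJAX callback. Reading a sliding-expiration entry
    // refreshes it. Returns false when another logon has replaced this token,
    // in which case the caller signs the current user out (FormsAuthentication.SignOut).
    public static bool Heartbeat(string userName, string token)
    {
        string current = HttpRuntime.Cache[Key(userName)] as string;
        return current != null && string.Equals(current, token, StringComparison.Ordinal);
    }

    // Explicit logout: only the holder of the live token may clear the entry.
    public static void Logout(string userName, string token)
    {
        if (Heartbeat(userName, token))
            HttpRuntime.Cache.Remove(Key(userName));
    }
}
```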


The fundamental problem is that the web is notionally stateless - once the server has sent the required content to the browser the connection between the client and the application on the server ceases until the next request. Now we're able to create an illusion of state by various means so that we can identify a user as logged on for the duration of a session but what that actually means is that when a request is made to the server we test the information we're provided with and then decide whether the user is (still) logged on.

What this means is that you are limited in terms of mechanisms for enforcing a log-out requirement - the user might forget and close the browser or move on to something else or the browser might die, their session might time out (because of a long phone call), the network connection might die, etc, etc but the only knowledge you will have of this is an absence of requests from the client not a positive indication that something has or hasn't happened.

The upshot of this is that the "best" - so far as I'm aware - that you can achieve is to track the session that the log-on is associated with so that when a request is made and you are deciding whether that user is logged on you compare the session id for the current request with that for the last time the login process occurred at a session start and if they are different take appropriate action i.e. sign out the current user and force them to log in again.
