what is the simplest way to block users to log on to a webapplication twice

i have users who can logon to my site. I don't use the asp.net provider (i have my own user storage) but do use forms authentication.

No i want to block users from log on twic开发者_JAVA百科e to my app.

Now what is the simplest thing to accomplish this?

I thought about an extra field in the database in the user record

but is there something simpler? is there a sort of 'session' for the entire application where i can remember who is logged on (and which is not flushed at a random time)?

maybe in the cache (but the cache is sometimes flushed)

i've seen an example where a file with the username was written to disk (and removed when logged out)

EDIT:

Good question was: what do you mean with logon twice. I mean when a user logs on on another computer or when another person logs on with the same credentials

The Session object is indeed the best option, in MVC and classing ASP.NET.

The session will by default time-out after 20 minutes of inactivity by the user, so they will be "automatically" logged off after that (configurable) period.

In your code simply ensure that the System.Web assembly is referenced, and you can use the Session object.

Update (following question update):

For tracking login status across computers/browsers, you will need to a way to track a "valid" login.

A good way about it is to issue a "ticket" - this is a token that you can store in your database (against the user record) and that the browser returns on each request (a cookie is a good way to return it).

When a user logs in, you issue a ticket. Whenever this ticket does not match the one in the cookie, you log them out. Only the browser/computer with the current ticket will be logged in.

"File with the username written to disk" is basically session control with a twist.

What do you really mean with login twice?

If you use cookies to know if they are logged in, then simply don't show them the login form if cookie exists (and cookie content is valid ofcourse).

And Session will be flushed when it expires (and it will sooner or later).

You can use the HttpApplicationState for this, which is an application wide equivilent of the session state and is accessible via HttpContent.Application from within a Controller.

Assuming you mean two different people using the same credentials to login at the same time, one practical way implement this in ASP.NET is:

1: Set the FormsAuthentication Timeout and SessionState Timeout to the same value eg: 30min

2: As part of your login code store the UserId, SessionId, LastActiveOn and IsEnded eg: UserSession in a DB table or in memory cache/server.

3: In your Global.asax in Authenticate_Request, do your duplicate login detection by checking your UserSession record, if you have multiple records for the current user eg: LastActiveOn within Now-Timeout and where IsEnded=false you have duplicate logins.

You also need to update the LastActiveOn date for the current user's UserSession record on every request (do this async so it doesn't block).

4: At logout remember to call Session.Abandon() and set your IsEnded=true value for the current user's record in UserSession record. You should also set IsEnded=true for all other user's UserSession records where LastActiveOn is older then Now-Timeout.

The first tricky thing you have to handle is when the user closes their browser without logging out and they then try to login again within the timeout period. The easiest way to handle this is to End all other sessions for that user at login. This means the newest login stays and the earlier ones are kicked out. If you want the opposite behaviour it's much harder, you will need to use on Session_End or js ajax call on browser close (which are unreliable).

The second tricky thing you have to handle is persistent login, if your site allows the forms authentication cookie to be stored permanently you need to also use Session_Start to create your new/current UserSession records as well as at login.

If you don't want to rely on SessionState (eg: load balanced web servers) you could instead create a unique id at login and store it somewhere like in the FormsAuth cookie data or in an in shared memory cache server (if you run memcache, redis, velocity or something like that) and use that instead of the SessionId.