locked
avoid multiple user with same credentials at a time,and calculate login and logout time , RRS feed

  • Question

  • User-1263702099 posted

    Hi Am developing ASP.net application in 3 tier Architecture ,having one login module ,i want a single user should be logged in at a time ,if he loged in with same credential on another machine ,the old session should clear,And i want to Calculate logged in time duration of perticular User.if he inactive for 30 minute session will expire and if browser is closed also clear session and count the time duration.

    Monday, February 20, 2017 12:54 PM

All replies

  • User475983607 posted

    Hi Am developing ASP.net application in 3 tier Architecture ,having one login module ,i want a single user should be logged in at a time ,if he loged in with same credential on another machine ,the old session should clear,And i want to Calculate logged in time duration of perticular User.if he inactive for 30 minute session will expire and if browser is closed also clear session and count the time duration.

    This question has been asked many many times in this forum.  Basically, there is no foolproof way to accomplish this task simple due to the stateless nature of the web.  Users are connected to a web server only during the brief time it takes to process a request.  Other than there is no reliable way to tell if a user stopped using the site.

    The traditional way to accomplish this task is to embrace how the web works.  In most situation a user is given a token when they login.  The tokens generally have a floating expiration, say 20 minutes.  If you log the time of each user request then you can assume if the last request was over 20 minutes old, the user is no longer using the site.  This introduces a margin of error but, in my experience, this error is perfectly acceptable.

    There are state management solutions you can implement which can detect a different machine.  For example, issue a non-expiring cookie that contains a GUID if the user's machine does not already have the cookie.  This cookie will follow the browser.  When the user logs in, save the GUID in the user's account record.  Along with updating the request time stamp on each request, compare the GUID inside the cookie with the value stored in the DB.  If the GUID is different either deny the login or deny the request depending on which user you want to cancel; the first user to login or the second.

    To increase accuracy implement a client polling framework or a always connected technology like SignalR.  Essentially. the more frequently you sample the more accurate the count. Otherwise, if the user does not log off the first machine and goes to a second machine, they will need to wait for the token to timeout.

    Monday, February 20, 2017 2:43 PM
  • User-707554951 posted

    Hi NatarajYashash,

    You Can do it by many ways, simple approach is

    1.Set one flag at the time of login into database.

    2.Check flag every time when you are sign in.

    3. Remove flag at time of logout.

    You also could use the way in the following link:

    http://www.dotnetfunda.com/articles/show/1083/restricting-user-to-login-multiple-times-using-same-credentials

    http://geekswithblogs.net/Frez/articles/preventing-a-user-from-having-multiple-concurrent-sessions.aspx

    https://www.codeproject.com/Questions/410002/How-to-avoid-multi-user-signin-using-same-credenti

    Best regards

    Cathy

    Tuesday, February 21, 2017 6:04 AM