Killing a remote session from a different session.

  • Question

  • User93267240 posted
    I need to allow for only one ASP.NET session per user at any one time. What I need to do is if a user has an application opened in one browser session and they log into the same application in a different browser, the first browser session, or login, needs to be killed so that the new login is the only active session. Has anyone done this before?
    Sunday, November 18, 2018 3:13 PM

All replies

  • User-943250815 posted

    You did not specify what you are using, but here is what I do

    I'm using Webforms with Membership and the LoginView control; this is what I do to not allow users to be logged in more than one time.
    When the user tries a second login, the existing session is logged out, and the user has to log in again.

    On Login page and using LoginView control, at LoggedIn event, register SessionID

    If zMultilogin = False Then
          'After first login, to prevent multiple sessions, we have to save SessionID in Cache; this value will be compared on second login
          Dim zLogin As Login = DirectCast(LoginView1.FindControl("Login1"), Login)
          Dim zUsuario As MembershipUser = Membership.GetUser(zLogin.UserName)   'Get the user who just logged in
          Dim zID As String = zUsuario.ProviderUserKey.ToString                  'Get provider UserKey
          'Create a Session variable, just to fix Session, so it does not keep changing on each page load
          Session("dfe") = "#dfeloggedin#" 'Use any name and any value, it is just to prevent Session value change on each page load
          'Register on Cache the SessionID value, using ProviderUserKey of user
          System.Web.HttpContext.Current.Cache(zID) = Session.SessionID
    End If

    On PageLoad, verify that the current SessionID is the same; if not, log out the existing session and redirect to the Login page

     If zMultilogin = False Then ' If Multilogin is not allowed
            'If same user is trying another session, force logoff of current session
            Dim zContext = System.Web.HttpContext.Current
            Dim zSessionID As String = zContext.Session.SessionID
            Dim zUser = Membership.GetUser
            'Verify that the user is authenticated and that the SessionID is the same as the one stored in Cache
            If zContext.Request.IsAuthenticated AndAlso CStr(zContext.Cache(zUser.ProviderUserKey.ToString)) <> zSessionID Then
              FormsAuthentication.SignOut()     'Logout current (existing) session
              Response.Redirect("~/Login.aspx") 'Redirect to login page
            End If
     End If
    

    Sunday, November 18, 2018 7:11 PM
  • User93267240 posted

    I saw something like that before but I'm using Windows authentication. I'm not using Forms authentication. This is the problem. Also it appears you are comparing the session id to the current browser session. How do I compare it to a browser session on another machine?
    Sunday, November 18, 2018 7:44 PM
  • User475983607 posted
    It’s simply not possible given how windows auth works. You’ll need to convert to form auth or use identity.
    Sunday, November 18, 2018 11:43 PM
  • User93267240 posted
    How does identity work in Windows authentication?
    Monday, November 19, 2018 2:09 AM
  • User475983607 posted

    How does identity work in Windows authentication?

    Use windows auth as an external login.  

    Another option is creating a cookie where the username is the key and a GUID is the value.  Also store the username and GUID value in a DB table.  If the user has the cookie but the GUID value does not match then do not allow the user to access the site. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, November 19, 2018 12:31 PM
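
The cookie-and-GUID check from the marked answer, sketched as an ASP.NET HTTP module for a Windows-authenticated site. This is an added example, not code posted in the thread: the class name `SingleSessionModule`, the cookie name and the in-memory dictionary standing in for the username/GUID DB table are assumptions, and it uses one fixed cookie name with the username taken from the Windows identity rather than a cookie keyed by username.

```vb
Imports System
Imports System.Collections.Concurrent
Imports System.Web

' Added example: one active browser per Windows user, latest browser wins.
Public Class SingleSessionModule
    Implements IHttpModule

    Private Const CookieName As String = "active_session" ' hypothetical name
    ' Stand-in for the DB table (username -> GUID). Lost on app recycle and not
    ' shared across servers, which is why the answer stores it in a database.
    Private Shared ReadOnly ActiveTokens As New ConcurrentDictionary(Of String, String)(StringComparer.OrdinalIgnoreCase)

    Public Sub Init(app As HttpApplication) Implements IHttpModule.Init
        AddHandler app.PostAuthenticateRequest, AddressOf OnPostAuthenticate
    End Sub

    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub

    Private Shared Sub OnPostAuthenticate(sender As Object, e As EventArgs)
        Dim ctx As HttpContext = DirectCast(sender, HttpApplication).Context
        If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then Return
        Dim userName As String = ctx.User.Identity.Name ' DOMAIN\user from Windows auth
        Dim cookie As HttpCookie = ctx.Request.Cookies(CookieName)

        If cookie Is Nothing Then
            ' Browser without a token: issue one and make it the only valid token
            ' for this user, which supersedes any browser that held the old one.
            Dim token As String = Guid.NewGuid().ToString("N")
            ActiveTokens(userName) = token
            ' Secure means the cookie is only sent over HTTPS; the site must use it.
            ctx.Response.Cookies.Add(New HttpCookie(CookieName, token) With {.HttpOnly = True, .Secure = True})
            Return
        End If

        Dim current As String = Nothing
        If Not ActiveTokens.TryGetValue(userName, current) OrElse
           Not String.Equals(current, cookie.Value, StringComparison.Ordinal) Then
            ' Cookie present but GUID does not match: this browser was superseded.
            ' Expire its cookie and refuse the request.
            ctx.Response.Cookies.Add(New HttpCookie(CookieName, "") With {.Expires = DateTime.UtcNow.AddDays(-1)})
            ctx.Response.StatusCode = 403
            ctx.ApplicationInstance.CompleteRequest()
        End If
    End Sub
End Class
```

The module has to be registered under `<system.webServer><modules>` in web.config. Because Windows authentication signs the user in automatically, a superseded browser that reloads after its cookie is expired receives a fresh token and becomes the active session again.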
  • User-943250815 posted

    Also it appears you are comparing the session id to the current browser session. How do I compare it to a browser session on another machine?

    Every time you load on a different browser or a different machine, you get a new SessionID

    Monday, November 19, 2018 2:23 PM