User1504148411 posted
We have a web application built with ASP.NET Core, .NET Core 3.1, and Angular, which uses ASP.NET Core Identity for user authentication management. We need to implement the scenario below:
"If user A is logged in (this is an open session) and user B logs in with the same credentials (this is the 2nd concurrent session), after user B passes MFA, we will send an email to the email address of this customer to notify them that someone else just logged in. We will NOT end the session for the user A."
Our current implementation uses ASP.NET Identity to authenticate users, with authentication tickets being stored in cookies. Since authentication tickets are stored in cookies, the session is browser-based, hence being able to track whether the user is logged in with an ongoing open session is not possible with this implementation.
I was leaning towards using a custom store for storing auth tickets on the server side with either a database / Redis, and then tracking token expiration, thereby determining an existing ongoing session. Am I thinking along the right direction, or are there other mechanisms? I would like some thoughts and suggestions.
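
The server-side ticket store described in the post, sketched as an added example that is not part of the original post or of any project's code. It implements the framework's `ITicketStore` interface; the class name `TrackingTicketStore`, the `notifyConcurrentLogin` callback, and the in-memory dictionary (standing in for Redis or a database) are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical class; the in-memory dictionary stands in for Redis or a database.
public sealed class TrackingTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();
    private readonly Func<string, Task> _notifyConcurrentLogin; // hypothetical hook (sends the email)

    public TrackingTicketStore(Func<string, Task> notifyConcurrentLogin) =>
        _notifyConcurrentLogin = notifyConcurrentLogin;

    private static string UserId(AuthenticationTicket t) =>
        t.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    private static bool IsLive(AuthenticationTicket t) =>
        t.Properties.ExpiresUtc == null || t.Properties.ExpiresUtc > DateTimeOffset.UtcNow;

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var userId = UserId(ticket);
        // An unexpired ticket for the same user means a session is already open.
        var alreadyOpen = userId != null && _tickets.Values.Any(t => IsLive(t) && UserId(t) == userId);
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes); // unguessable key; only this value goes into the cookie
        var key = Convert.ToBase64String(bytes);
        _tickets[key] = ticket;
        if (alreadyOpen) await _notifyConcurrentLogin(userId); // existing session stays active
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket) // sliding-expiration refresh
    { _tickets[key] = ticket; return Task.CompletedTask; }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        if (_tickets.TryGetValue(key, out var t) && IsLive(t)) return Task.FromResult(t);
        _tickets.TryRemove(key, out _); // expired entries stop counting as open sessions
        return Task.FromResult<AuthenticationTicket>(null);
    }

    public Task RemoveAsync(string key) // called on sign-out
    { _tickets.TryRemove(key, out _); return Task.CompletedTask; }
}
```

Register an instance with `services.ConfigureApplicationCookie(o => o.SessionStore = store);`. With ASP.NET Core Identity the application cookie is issued only after the two-factor step succeeds, so `StoreAsync` runs after MFA has passed.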