How to avoid multiple logins?

Status
Not open for further replies.

lunargirrl

Programmer
Jan 26, 2004
77
BR
Hello people,

I am trying to find solutions to avoid multiple logins of a user. If someone had the same problem and found a solution, please share the ideas with me, because all the ideas I had were completely unsuccessful.

Tia,
Gis.
 
you could try writing the session id in the database when the user logs in, and always verify that the session id of a user making a request corresponds to the one in the database marked next to its id.

a login mechanism should allow a new login with the same user as the one that is supposed to be already authenticated but disallow simultaneous access. take a look at how MSN or YIM behave when you first log in from one location and then log in again from a different location...

--------------------------
"two wrongs don't make a right, but three lefts do" - the unknown sage
 
hi DaZZleD thanks for your answer.

If I understood what you meant, you suggest that I flag my database with the userID and make a routine to verify (e.g. every 5 sec) if the user is still logged in, right?
When the user leaves the application I just update my table, setting the flag to nothing or something else.
But how can I handle it if the user leaves the application by closing the browser?

That's my biggest problem.

Thanks

:*
Gis.
 
not really... look at this scenario:

the user with the id 135 logs in. in a table in the database i write the user id and the session id of the session i create for the user

on each subsequent request of the user i compare the session id that he uses with the one in the database next to his user id. if it matches, i return the requested resource, if not, i tell him that someone else already logged in with that username and password and that he should try to relogin before accessing the resource.

--------------------------
"two wrongs don't make a right, but three lefts do" - the unknown sage
 
DaZZleD, I can't visualize exactly what you wrote me, do you mind detailing it a little bit more?

:*
Thanks,
Gis.
 
on each login a session is created for that particular user. that session has an expiry period and is usually based on cookies, that's why when the user closes the browser, the session is also destroyed (the cookie becomes invalid).

each such session has a unique identifier associated with it. this identifier is stored in a cookie (if this is your choice) or can be passed from page to page in the url.

knowing that session ids are unique and generated by the server, you can use them to verify that two clients using the same credentials cannot browse the site at the same time.

how do you do this? just like i described above. when a user logs in, you write beside his id in the database the session id allocated to him by the server. on each request that he makes (each round trip, each time a page that should be protected from unauthenticated users is requested) you simply verify that the current session id (the one passed to the server either by cookie or as a parameter in the url) is the same as the one you keep in the database for that user. if this is so, the user is allowed to see the page, otherwise he gets redirected to the login page.

if you still need help, please post.

--------------------------
"two wrongs don't make a right, but three lefts do" - the unknown sage
 
Hi,

I can solve this issue in classic .asp by using an application variable. So let's say user1 logs in; application("whoarelogin"), as a string, will contain user1 and whoever else is currently logged in.

When another user logs in, this variable is checked; if the user exists in it, the login request will be rejected.

When user1 logs out or the session ends, user1's info will be removed from application("whoarelogin").

But I'm a beginner on .aspx. What I've tried is not so stable, especially for expired sessions of those who run away from the application without logging out, by closing the browser.
Can anybody implement this on .aspx?
 
DaZZleD,

I'm interested to see how this would work as i would like to implement something similar. What would you do in the following scenario:

User A logs in with session ID 1
This is then written to the database and each time User A requests a page, the page checks to see if User A's session variable is 1 - if it is, allow him to view the page.

Now what happens if User A logs out (or closes his browser)? The next time he visits your site he will be the same user but he will have a different session ID and therefore the database will say that he shouldn't be allowed access.

 
I still like DazzleD's solution the best.

Here's a variation. You could have a "LoginCount" integer field in the users table. Each time the user logs in, increment that field by one and then put the number in a cookie and send it back to the client. Each request, check the number in the cookie against the count stored in the database. If it doesn't match it means another client has logged in with their ID. As an added bonus you now have a count of how many times each user has logged in, and it does not require session to be enabled.
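
A framework-neutral sketch of the session-id check DaZZleD describes, including the closed-browser case raised earlier in the thread (added example, not code from any poster here). The `active_session` table and the function names are hypothetical, the session id is generated locally instead of by the web framework, and storing only a hash of the id is an addition the thread does not mention.

```python
import hashlib
import hmac
import secrets
import sqlite3

def open_db():
    """In-memory stand-in for the application's user database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE active_session ("
               "user_id INTEGER PRIMARY KEY, sid_hash TEXT NOT NULL)")
    return db

def _digest(session_id):
    # Store only a hash, so a leaked table does not hand out live session ids.
    return hashlib.sha256(session_id.encode()).hexdigest()

def login(db, user_id):
    """Call after the password check succeeds. Issues a fresh session id and
    overwrites whatever was stored for this user: the newest login wins."""
    session_id = secrets.token_urlsafe(32)
    db.execute("INSERT OR REPLACE INTO active_session VALUES (?, ?)",
               (user_id, _digest(session_id)))
    db.commit()
    return session_id

def is_current(db, user_id, session_id):
    """Per-request check: does the presented id match the stored one?"""
    row = db.execute("SELECT sid_hash FROM active_session WHERE user_id = ?",
                     (user_id,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _digest(session_id))

def logout(db, user_id, session_id):
    """Clear the row only if the caller owns the current session, so a
    displaced client cannot log the newer one out."""
    if is_current(db, user_id, session_id):
        db.execute("DELETE FROM active_session WHERE user_id = ?", (user_id,))
        db.commit()
        return True
    return False

def demo():
    db = open_db()
    first = login(db, 135)            # user 135 logs in from location A
    ok_before = is_current(db, 135, first)
    second = login(db, 135)           # same user logs in again elsewhere, or
                                      # returns after closing the browser
    return (ok_before, is_current(db, 135, first),
            is_current(db, 135, second), logout(db, 135, first))
```

Because each login overwrites the stored value, a session abandoned by closing the browser needs no cleanup: the next login simply replaces it.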

