Restrict second user with the same credentials to login

Status
Not open for further replies.
Apr 11, 2002
Hi,

I want to restrict the second user with the same loginid trying to log in to the application by displaying a confirm dialog box saying "User with the same login credentials already logged in, would you like to overwrite him." If the user clicks yes, then he overwrites the first user and is allowed to use the application. The first user should become invalid and shouldn't be able to use the application. The first user should be notified that he has been overwritten.
I have a web service which authenticates the user by checking his credentials in the database.
Has anyone done this before? I am using ASP.NET 2.0 with SQL Server 2000.

Thanks,
Manish
 
So the user that's getting kicked out would enter some info, and when submitting the form, not be allowed because someone else logged in a few minutes ago?

Maybe a better username/password policy first? Seems it would be easier to not let that second person log in at all, but then you'd have to make sure the first user logged out cleanly.

In a Windows app, might be better, but a web app, not so much.
 
This is no small feat. It’s going to take some forethought, time and finesse to make this work in your specific application… but it is doable.

adamroof makes a good point though... you may want to revisit the question of "Why?" prior to starting this project.

You would have to track UserIDs and some sort of identifier like a SessionID. You would have to check this or do something with it on login, every page load, logout, SessionEnd. You will have to terminate sessions from other sessions. What happens when two people start repeatedly overwriting each other? Some pages you won't care about the session or data submitted and in others you might have to do some things to tidy up. In short, you will need a big flowchart to design this. The more pages, the bigger the flowchart.


Senior Software Developer
 
Hi Guys,

Thanks for the responses. The Login web service is used by all the applications so even we have to use it. The Web service returns a GUID for every user which makes the user unique. What is in my mind is to create a key with a combination of userid+GUID and store it in an ArrayList and store the ArrayList in the application object. On every logon I get the ArrayList from the application object and check if the user already exists in it. If not, then I add the user to the ArrayList; else I give the user a confirm box with the message. On every Session_End in the Global.asax I remove the key from the ArrayList. Also, if the user closes the browser I make an AJAX call to remove the key from the application object.
The first user will be redirected to the login page from wherever he is.
Please let me know if you see any catch in this process.

Thanks,
Manish
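
The registry described in the post above, written as an added C# example that is not the poster's code. `ActiveSessionRegistry` and its members are hypothetical names; it assumes a single web server process and uses a lock and a dictionary in place of the ArrayList, because the Application object is shared by concurrent request threads.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical registry: one live session token (GUID) per user ID, one server process.
public sealed class ActiveSessionRegistry
{
    private readonly object _gate = new object();
    private readonly Dictionary<string, Guid> _current = new Dictionary<string, Guid>();

    // Returns false when another session holds the user ID and takeover is not confirmed.
    public bool TryLogin(string userId, Guid token, bool confirmTakeover)
    {
        lock (_gate)
        {
            if (_current.TryGetValue(userId, out Guid existing)
                && existing != token && !confirmTakeover)
                return false;               // caller shows the confirm dialog
            _current[userId] = token;       // first login or confirmed takeover
            return true;
        }
    }

    // Per-request check; false means this session was displaced or has ended.
    public bool IsCurrent(string userId, Guid token)
    {
        lock (_gate)
            return _current.TryGetValue(userId, out Guid existing) && existing == token;
    }

    // Logout or Session_End: remove only if this token still owns the entry,
    // so a displaced session that ends late cannot evict its replacement.
    public void Release(string userId, Guid token)
    {
        lock (_gate)
            if (_current.TryGetValue(userId, out Guid owner) && owner == token)
                _current.Remove(userId);
    }

    public static void Main()
    {
        var reg = new ActiveSessionRegistry();
        Guid a = Guid.NewGuid(), b = Guid.NewGuid();     // constructed tokens
        reg.TryLogin("user42", a, false);                // first session signs in
        bool asked = !reg.TryLogin("user42", b, false);  // second must confirm first
        reg.TryLogin("user42", b, true);                 // second confirms the takeover
        reg.Release("user42", a);                        // first session's late Session_End
        Console.WriteLine("{0} {1} {2}", asked, reg.IsCurrent("user42", a), reg.IsCurrent("user42", b));
    }
}
```

Calling `IsCurrent` on every page load is what turns the first user away after a takeover. The browser-close AJAX call may never arrive, so stale entries have to be cleared by `Session_End` or by the next confirmed takeover.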
 
Hi,

Whenever the user tries to do anything on the site it will be redirected. I need to check if he is a valid user or not. It is important to notify the user because the user will understand that someone is using his credentials and in case of malicious use the actual user can contact the helpdesk for immediate assistance.

Thanks,
Manish
 
If the goal is simply to detect and warn, then why include the mess of "overwriting"?

Log DateTime, UserID, ClientIP, Client MAC Address, SessionID (and/or whatever else). On Login, display the last time logged in with relevant data. Then also look for changes within a threshold of the current time such as 5min where multiple ClientIPs (etc) are used with the same UID and if present warn the user.

Regarding your comment, "Whenever the user tries to do anything on the site it will be redirected": page-level security should always be implemented. Easiest way is to make all of your site's pages inherit System.Web.Page through a central page or class. Then in that central Page you can use the page load to check that the user is logged in and if not you have to redirect them immediately to the login page.


In the post below, I have previously set out a similar method for this centralized inheritance.


Senior Software Developer
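
The check suggested above (the same user ID seen from more than one client IP within a threshold such as 5 minutes), as an added C# example that is not code from the thread. `LoginEvent`, `ConcurrentUseDetector` and the sample rows are constructed for illustration; the MAC address field is left out because an HTTP request does not carry the client's MAC address.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical login-audit row; fields follow the list in the post above.
public sealed class LoginEvent
{
    public readonly DateTime When;
    public readonly string UserId, ClientIp, SessionId;
    public LoginEvent(DateTime when, string userId, string clientIp, string sessionId)
    { When = when; UserId = userId; ClientIp = clientIp; SessionId = sessionId; }
}

public static class ConcurrentUseDetector
{
    // Returns the other client IPs seen for the same user ID within `window`
    // before `current`. An empty list means there is nothing to warn about.
    public static List<string> OtherIps(IEnumerable<LoginEvent> log,
                                        LoginEvent current, TimeSpan window)
    {
        var seen = new List<string>();
        foreach (LoginEvent e in log)
        {
            bool sameUser = string.Equals(e.UserId, current.UserId,
                                          StringComparison.OrdinalIgnoreCase);
            bool inWindow = e.When <= current.When && current.When - e.When <= window;
            if (sameUser && inWindow && e.ClientIp != current.ClientIp
                && !seen.Contains(e.ClientIp))
                seen.Add(e.ClientIp);
        }
        return seen;
    }

    public static void Main()
    {
        DateTime t = new DateTime(2024, 1, 15, 9, 0, 0, DateTimeKind.Utc);
        // Constructed sample rows (documentation-range IPs), not real data.
        var log = new List<LoginEvent> {
            new LoginEvent(t,                "user42", "192.0.2.10",   "s1"),
            new LoginEvent(t.AddMinutes(2),  "user42", "198.51.100.7", "s2"),
            new LoginEvent(t.AddMinutes(30), "user42", "192.0.2.10",   "s3"),
        };
        foreach (LoginEvent e in log)
        {
            List<string> others = OtherIps(log, e, TimeSpan.FromMinutes(5));
            Console.WriteLine("{0:HH:mm} {1} {2}: {3}", e.When, e.UserId, e.ClientIp,
                others.Count == 0 ? "ok" : "warn, also seen from " + string.Join(", ", others));
        }
    }
}
```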
 
Hi,

Thanks for your advice. You say that after checking ClientIPs (etc.) with the same UID, warn the user. So after warning, what will happen? Can both the users use the system? Or is it that the latest user can access the system and the older user will be redirected to the login page, which can be done using page-level security?

Thanks,
Manish
 
Users should be able to use multiple instances of any ASP.NET application. Limiting them to just one is a crime. Trainers and Supervisors especially tend to move around.

I would let them both use it. You are inviting problems of all kinds in trying to kick out the other user, and there doesn't seem to be any real-world benefit in doing so. They can just kick each other out repeatedly.

If it is in fact an intruder, warn them to change their password and contact the administrator. Maybe you could even provide a method for them to lock their account so that no further damage could be done by a potential intruder until an administrator can review what happened and unlock it once cleared. Also, you could write an admin console to boot a particular session.

It just seems to me that you may be overcomplicating a solution to a perceived problem… but any solution you build is up to you.


Senior Software Developer
 
Hi,

"They can just kick each other out repeatedly" makes sense to me. Today we just build the change password page. It's an investment banking site, so I wanted to be extra cautious. You are right, the administrator should take care of the intruders. Let me discuss this with the technical heads and see what they say.

Thanks for your help.

Manish
 