Reputation: 375
I've got an ASP.NET site. I want to forbid a user from logging in with the same login from two computers. If someone is logged in and somebody else wants to log in with the same login, it should show him a message that this user is already logged in. I don't have any Forms Authentication or something like that. On the "LOG IN" button I just connect to the database and check if the user and password are valid.
I thought that when a user is logged in, I would update his status in the database, and when somebody else tries to log in, I would check in the database if this user is already logged in, but it isn't a good idea, because when the user doesn't click the "LOG OUT" button, it will not update his status in the database to show that he's inactive.
Is there any other way to do this without Forms Authentication and something like that?
Upvotes: 4
Views: 3151
Reputation: 26376
You could have the user last_activity_time field in your database, which is updated whenever a logged-in user accesses any of your pages. You can now have a window, e.g. 30 mins (a period of time when it is valid that the user is logged in), comparing the last_activity_time with the current time; if the time difference is greater than the required window (30 mins), you consider the user inactive.
Upvotes: 1
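The last-activity window from the answer above, sketched as an added example (not code from the original posts). The session token issued at login, used to tell the browser that holds the session from a second one, is an assumption beyond the answer; `SingleSessionGate` and its members are hypothetical names, state is kept in memory for a single web server, and logins are assumed to compare case-insensitively.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added illustration: hypothetical names, in-memory state, one web server assumed.
public sealed class SingleSessionGate
{
    private sealed class Entry { public string Token; public DateTime LastActivityUtc; }

    private readonly ConcurrentDictionary<string, Entry> _active =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _window;

    public SingleSessionGate(TimeSpan window) { _window = window; }

    // Call only after the password check succeeded. Returns a new session token,
    // or null when another session of this login was active inside the window.
    public string TryLogin(string login, DateTime nowUtc)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var fresh = new Entry { Token = Convert.ToBase64String(bytes), LastActivityUtc = nowUtc };
        // Committed atomically per key: keep the old entry while it is inside the window.
        var stored = _active.AddOrUpdate(login, fresh,
            (key, old) => nowUtc - old.LastActivityUtc > _window ? fresh : old);
        return ReferenceEquals(stored, fresh) ? fresh.Token : null;
    }

    // Call on every authenticated request. False means the session expired or was
    // replaced, so the caller sends the user back to the login page.
    public bool Touch(string login, string token, DateTime nowUtc)
    {
        Entry cur;
        if (!_active.TryGetValue(login, out cur) || cur.Token != token) return false;
        if (nowUtc - cur.LastActivityUtc > _window) return false;
        // Losing this swap to a parallel request of the same session is harmless.
        _active.TryUpdate(login, new Entry { Token = token, LastActivityUtc = nowUtc }, cur);
        return true;
    }

    // "LOG OUT" button: frees the login at once instead of waiting out the window.
    public void Logout(string login, string token)
    {
        Entry cur;
        if (_active.TryGetValue(login, out cur) && cur.Token == token)
            _active.TryRemove(login, out cur);
    }
}
```

A user who closes the browser without logging out stays locked out only until the window elapses, which is the case the question worries about. The token would normally travel in a cookie marked HttpOnly and Secure.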
Reputation: 150108
There is no perfect solution
You can't reliably solve this problem, but you can come close. There will be edge cases where a legitimate user will be frustrated by this restriction.
What you can do
The ASP.Net membership provider keeps track of the last time that a given user was seen, meaning the last time they were logged in and accessed a page. You can follow a similar strategy, also noting the IP address of the user and perhaps the user agent of the browser.
If you see two different IP addresses and/or user agents for the same login credentials within a short window (say, 20 minutes) you can assume they are most likely from different devices.
Be aware
As I said, there are edge cases where you will be wrong. For example, someone on a mobile device will frequently get a new IP address.
Upvotes: 1
Reputation: 70513
Honestly, it would be easier to let Microsoft take care of the details with the forms authentication but here is how I would do it if I was "challenged" to not use forms authentication. (There are other ways, this is just one that I like).
Side note: Almost all of the above is taken care of for you if you use a custom authentication for windows forms. Using the windows forms authentication means you don't have to worry about the time out and cookie management.
Upvotes: 1