Mano

Reputation: 21

Uniquely identify machine in web application using ASP.NET C#

I have one login page; a user can use any machine when logging into that page for the first time. Once the user has logged in for the first time, I need to restrict that user from logging in on another machine. So the user needs to use only the one machine that was used for the first login.

I tried to get the client-side MAC address, but I am not able to get the client-side MAC address in my website. Is there any other way to identify a machine uniquely?

Upvotes: 0

Views: 2015

Answers (3)

Rudy

Reputation: 2353

I believe you want a user logged in on the website in only one session at any given time. The problem is that you can't know for sure when the user leaves if he doesn't log out using the logout button. To fix this you have to have a timeout. I used a text file on the server in an application and it works.

Login button:

    protected void btLogin_Click(object sender, EventArgs e)
    {
        if (check(txtPass.Text) && check(txtUser.Text))
        {
            var user = new UserManager().login(txtUser.Text, txtPass.Text);
            if (user != null)
            {
                // this is the test you're looking for, the rest is only context
                if (!FileManager.alreadyLoggedIn(user.email))
                {
                    FormsAuthentication.SetAuthCookie(user.email, false);
                }
                else
                {
                    //throw error that it is already connected in some other place
                }
            }
            else
            {
                //throw error that login details are not OK
            }
        }
    }

In a class two static methods:

    // requires: using System; using System.IO; using System.Web; using System.Web.Hosting;
    // you have to call this function on every request a user makes
    internal static void saveUserSessionID(string email)//email or any unique string to user
    {
        var dir = HostingEnvironment.MapPath("~/temp/UserSession/");// a folder you choose
        if (!Directory.Exists(dir))
        {
            Directory.CreateDirectory(dir);
        }
        string path = dir + email + ".txt";
        File.WriteAllText(path, HttpContext.Current.Session.SessionID);
    }

    // if a request has not been made in the last 4 minutes, the user left or closed the browser
    // the check applies only on a real server; localhost is skipped to make things easy for the developer
    internal static bool alreadyLoggedIn(string email)
    {
        var file = HostingEnvironment.MapPath("~/temp/UserSession/" + email + ".txt");
        return File.Exists(file) && File.GetLastWriteTime(file).AddMinutes(4) > DateTime.Now && !HttpContext.Current.Request.IsLocal;
    }

Obviously this is from another application, you can only take the idea and implement it in your own application. You can't just copy paste it.

Upvotes: 0

Aniket Inge

Reputation: 25705

If it's an intranet web app, then you can enforce Windows authentication and keep a list of logged-in users in the database, with a timestamp of when the logged-in user will automatically log out after the timestamp period.

Alternatively, use a cookie in forms authentication to do just that. But in any case, you will need the list of logged in users, and automatically log the user off, if he is on another machine.

More so, you can get the client's IP address and go from there, but it's not reliable as it could be that of an ISP. It's tricky, but cookies seem to be the simplest way of doing this.

However, a good solution would be to do it like IRC does, to keep track of logged in users. It sends a PING to the client, and expects the client to return a PONG, at different intervals of time. If the PONG is not received by the client, the IRC server automatically disconnects the user. Try this with something like SignalR. The downside of this is, if the user closes the browser and a PING request comes in, it will bounce back and the client will be disconnected as he/she will not be able to send a PONG request back.

Upvotes: 1

Ricky Stam

Reputation: 2126

For ASP.NET it's not possible to get the MAC address of the client. You need to have some kind of Windows application for that, one that runs on the user's system.

A permanent cookie with a GUID might also be a solution.

Another solution might be to look up the server variables: when they make a request you will have Request.ServerVariables["REMOTE_ADDR"], which would probably be the internal IP if the app is internal/intranet. There is also REMOTE_HOST. Sometimes these are filtered off by proxies/firewalls/NAT, but hopefully not in your situation.

Hope it helps!

Upvotes: 1
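The permanent-cookie idea from the answers above, sketched as an added example that is not code from any of the posters: the first successful login issues a random token for a persistent cookie, the server keeps only its hash, and later logins must present the same token. `DeviceBinding`, its in-memory dictionary (standing in for a database table) and `Reset` are hypothetical names; note that the cookie identifies a browser profile rather than a machine, so a cleared cookie needs an administrative reset.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Added example (hypothetical class): binds an account to the first browser that logs in.
public class DeviceBinding
{
    private readonly Dictionary<string, byte[]> _boundHash =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase);
    private readonly object _lock = new object();

    // Call after the password check succeeds; presentedToken is the device cookie value
    // (null if absent). Returns false when the account is bound to another browser.
    // newToken is non-null only on first login: send it as a persistent HttpOnly, Secure cookie.
    public bool TryLogin(string user, string presentedToken, out string newToken)
    {
        newToken = null;
        lock (_lock)
        {
            byte[] stored;
            if (!_boundHash.TryGetValue(user, out stored))
            {
                var raw = new byte[32];
                using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
                _boundHash[user] = Hash(raw);   // only the hash is kept server-side
                newToken = Convert.ToBase64String(raw);
                return true;
            }
            if (string.IsNullOrEmpty(presentedToken)) return false;
            byte[] presented;
            try { presented = Convert.FromBase64String(presentedToken); }
            catch (FormatException) { return false; }   // tampered or truncated cookie
            return FixedTimeEquals(stored, Hash(presented));
        }
    }

    // Admin action for a lost or cleared cookie: the next login re-binds the account.
    public void Reset(string user) { lock (_lock) _boundHash.Remove(user); }
    private static byte[] Hash(byte[] data)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(data);
    }

    // Comparison whose timing does not depend on where the first mismatch occurs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```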
