ryudice

Reputation: 37366

Limit only one session per user in ASP.NET

Is there any way to detect when a user logs in if there is already another session with the same username, and block him from logging in again or send him a message?

Upvotes: 11

Views: 37614

Answers (5)

Fredrik Johansson

Reputation: 3535

You could always implement the events in global.asax.

Implement Application_Start() to set up a System.Collections.Dictionary (or at your preference) and store that in the Application[] collection; when a user logs in, add the username. Remove from the collection in Session_End(). Remember to use the 'lock' keyword while working with the collection :)

Have fun!

Example:

[page.aspx]
public partial class page : System.Web.UI.Page {
    protected bool Login(string userName) {
        System.Collections.Generic.List<string> d = Application["UsersLoggedIn"]
            as System.Collections.Generic.List<string>;
        if (d != null) {
            lock (d) {
                if (d.Contains(userName)) {
                    // User is already logged in!!!
                    return false;
                }
                d.Add(userName);
            }
        }
        Session["UserLoggedIn"] = userName;
        return true;
    }

    protected void Logout() {
        Session.Abandon();
    }
}

[global.asax]
<%@ Application Language="C#" %>
<script RunAt="server">
    void Application_Start(object sender, EventArgs e) {
        Application["UsersLoggedIn"] = new System.Collections.Generic.List<string>();
    }

    void Session_End(object sender, EventArgs e) {
        // NOTE: you might want to call this from the .Logout() method as well, to speed things up
        string userLoggedIn = Session["UserLoggedIn"] == null ? string.Empty : (string)Session["UserLoggedIn"];
        if (userLoggedIn.Length > 0) {
            System.Collections.Generic.List<string> d = Application["UsersLoggedIn"] 
                as System.Collections.Generic.List<string>;
            if (d != null) {
                lock (d) {
                    d.Remove(userLoggedIn);
                }
            }
        }
    }
</script>   

Upvotes: 17

Bolu

Reputation: 8786

Don't store it in the DB if you cannot identify the user logout event (they may click logout, close the tab, close the whole browser, or may just shut down the computer...). Use session to do the same checking instead.

Upvotes: 1

Ed B

Reputation: 6054

You can, by keeping track of users logged in, in your global.asax by using the Application object.

In the Session_Start method or your login method, you can check if the user is stored in the Application object.

On the Session_End method or in your logoff method, you'll need to remove the user from the Application object.

Upvotes: 2

citronas

Reputation: 19365

You could store the SessionID of a user in a database. On each login, store a combination of unique username and SessionID into the database. In the master page you include the query to the database, to check whether the last login for the currently used username was from the same session. If not, abandon the session and redirect to the login page.

The behaviour I posted should log out the second user. You may change the Session.Abandon to your desired behaviour.

Upvotes: 0
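
An added example, not part of the answer above or written by its author, showing the username-to-SessionID check that answer describes. The names SessionRegistry, RegisterLogin, IsCurrentSession and RegisterLogout are hypothetical, and an in-memory ConcurrentDictionary stands in for the database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Hypothetical helper: maps each username to the session ID of its latest login.
// An in-memory dictionary stands in for the database table (assumption).
public static class SessionRegistry
{
    private static readonly ConcurrentDictionary<string, string> LastLogin =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call once credentials are verified; the newest login replaces any older one.
    public static void RegisterLogin(string userName, string sessionId)
    {
        LastLogin[userName] = sessionId;
    }

    // Call on every request. False means a later login took over this username,
    // so the caller should abandon this session and redirect to the login page.
    public static bool IsCurrentSession(string userName, string sessionId)
    {
        string latest;
        return LastLogin.TryGetValue(userName, out latest)
            && string.Equals(latest, sessionId, StringComparison.Ordinal);
    }

    // Call on logout or Session_End. The entry is removed only if this session
    // still owns it, so a stale session ending cannot evict the newer login.
    public static bool RegisterLogout(string userName, string sessionId)
    {
        var entry = new KeyValuePair<string, string>(userName, sessionId);
        return ((ICollection<KeyValuePair<string, string>>)LastLogin).Remove(entry);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed session IDs; in a page these would be Session.SessionID.
        SessionRegistry.RegisterLogin("alice", "sess-A");
        SessionRegistry.RegisterLogin("alice", "sess-B"); // same user, second browser
        Console.WriteLine(SessionRegistry.IsCurrentSession("alice", "sess-A"));
        Console.WriteLine(SessionRegistry.RegisterLogout("alice", "sess-A"));
        Console.WriteLine(SessionRegistry.IsCurrentSession("alice", "sess-B"));
    }
}
```

In ASP.NET, store a value in Session at login before relying on Session.SessionID: with cookie-based session state a new ID is generated on each request until the session object is actually used.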

nportelli

Reputation: 3916

I've implemented this where when a user logs in it sets a flag in the DB that they are logged in. It was an int representing how many times they are logged in. We allowed two. Then would just check that when validating the user.

Upvotes: 3
