Reputation: 36068
In my application I do not want the same user name to be logged in more than once at the same time, so I have an idea, but I am not sure if it is correct.
1) When a user logs in, update the status (the "isOnLine" column in the user table in the db) and save the login time in the session, something like:
Inside the login method:
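DateTime ltime = DateTime.Now;
// Dbservice is the asker's own helper; a parameterized overload is assumed here
Dbservice.executeSql("update User set isOnLine = 1, lastLoginTime = @ltime where xxxxx", ltime);
Session["logintime"] = ltime;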
When another user tries to log in, check the table to see whether this user is already logged in. If yes, set "isOnline" to "0"; then he can log in now.
2) In each protected page's Page_Onload() method, check if the login time in the session is equal to the time in the db:
DateTime logtime = (DateTime)Dbservice.executeSelect("select lastLoginTime from user where xxxxx").Rows[0]["lastLoginTime"];
if (!(Session["logintime"] is DateTime) || (DateTime)Session["logintime"] != logtime) {
    // this user should be offline now; redirect to the login page
}
I wonder if my way is right or not?
Also, I have to write the check logic in each protected page's Page_onLoad method, so there is a lot of repeated code. Any ideas to avoid this?
All the pages in our site are protected!
Thanks.
UPDATE:
Two users are not allowed to be online at the same time, but a later user with the correct password is allowed to force the former user offline. For example:
user1 logs in with "username=bill" and "password=000", so he is online now.
Then user2 tries to log in with "username=bill" and "password=123"; since his password is not valid, his request is denied.
user3 tries to log in with "username=bill" and "password=000"; since his password is valid, he has the choice to make user1 go offline.
In this case, when the later user logs in successfully, the session of the former user still exists, so I have to check whether it is online or not according to the "logintime" in the session.
Upvotes: 1
Views: 2391
Reputation: 49225
If you are not going to use web farm (or web garden) scenarios, then you may use an in-memory structure to keep track of logged-in users. For example, a static global variable of dictionary type (accessed in a thread-safe way).
For a general-purpose robust solution, you need to keep this information in the database (as illustrated by you). I haven't understood the purpose of checking the logged-in time against the session. For correct solution,
Third step (job) is optional because you may modify your check in #2 to see if login attempt is after n minutes (where n > session timeout) of last accessed time.
Upvotes: 1
Reputation: 18419
For the logic to check if the user is already online, I may want to put it in the Global.asax Application_AcquireRequestState event, since all pages are protected.
Upvotes: 0
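The single-place check suggested in this answer, written out as an added example (it is not code from any of the posts). It swaps the question's login-time comparison for a random per-login token, because a timestamp read back from the database may not compare equal to the in-memory value, depending on the column type. `LoadLoginToken`, `SaveLoginToken`, the `loginToken` column and `~/Login.aspx` are hypothetical names, and .NET 4.0 or later is assumed.

```csharp
// Global.asax.cs -- added example, not code from the original posts.
using System;
using System.Security.Cryptography;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical data-access hooks: replace with parameterized queries
    // against the user table (the loginToken column is an assumption).
    public static Func<string, string> LoadLoginToken = userName => null;
    public static Action<string, string> SaveLoginToken = (userName, token) => { };

    // Call from the login method after the password has been verified.
    // Overwriting the stored token is what forces the earlier session offline.
    public static void RegisterLogin(HttpContext ctx, string userName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        SaveLoginToken(userName, token);
        ctx.Session["userName"] = userName;
        ctx.Session["loginToken"] = token;
    }

    // Runs once per request, after session state is available, so no
    // protected page needs its own check in Page_Load.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;   // requests without session state
        if (ctx.Request.AppRelativeCurrentExecutionFilePath
               .Equals("~/Login.aspx", StringComparison.OrdinalIgnoreCase)) return;

        var userName = ctx.Session["userName"] as string;
        var token = ctx.Session["loginToken"] as string;
        if (userName == null || token == null ||
            !string.Equals(token, LoadLoginToken(userName), StringComparison.Ordinal))
        {
            ctx.Session.Abandon();         // drop the superseded session
            ctx.Response.Redirect("~/Login.aspx", false);
            CompleteRequest();             // skip the page handler
        }
    }
}
```

Because the token lives in the database, the same check works across a web farm; the lookup runs on every request, so the token column should sit on an indexed key or be cached briefly.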