ASP.NET: How to prevent opening same site a few times in parallel?

Question

I'm a newbie in ASP and I've encountered worst developer nightmare: I've received fired worker huge ASP.NET project and I must make some changes on it. One of the changes is to prevent opening same site few times on one Active Directory login (different tabs, browsers, etc...) As I've noticed that app is using session. Any ideas to use session to prevent multiple instances of the same site?

Answer 1

Here is an idea. Use a hidden field with GUID which would be randomly generated by server for each page load. When a request comes to the server it checks if GUID coming is what was generated last time. If it is different or empty (while session is alive) - redirect to some page saying access denied (no new GUID here). If it is correct, serve requested page. Small problem with this would be that if someone closes browser and reopens it he/she would get access denied when trying to use your app again. To minimize that you need to lower session timeout to 1 minute and use AJAX asp:Timer to keep session alive. Remember to exclude keep alive calls (and any other AJAX calls) out of GUID generation/verification pipeline. Of course end of session resets the process. Also it would be good to encourage users to properly log out.

This is relatively simple solution to implement although it is weaker in level of protection than permanent connection. Should be enough for non-technical end users though - depends on your "audience". But even for someone who knows about the mechanism, it would make using two "instances" of application quite difficult.

Do it if you really need to. Generally I agree with Marc that web apps should not be restricted this way. Maybe it is a requirement from someone who can be educated?

Answer 2

You cannot prevent the url from being loaded in multiple browsers or tabs at one time, since this is a client-initiated process.

You could implement a persistent connnection (as suggested by Hasan Khan) to ensure that only one browser window can be active at a time. I would add on to that that when a new window is opened up, you could warn the user that they already have an open connection. If they choose to use the new connection, then you send a message down to the old connection (different browser, tab, etc) that will cause it to clear the browser window for that user.

Answer 3

You just need to create a persistent connection from each page. If browser navigates from one page to another on a single tab then you'll have a single persistent connection at all times. If you get two parallel persistent connections from same user then the user opened a new tab.

In the master page footer add a script that does an ajax call to the server on a page that doesn't end its response (Like long polling). If another ajax call comes from same user while the last one is connected then this is a second tab.

You might want to checkout SignalR for persistent connection thing. It should be able to switch between web sockets or long polling based on browser capabilities.