2

I am working on a feature where my application will not allow multiple active logins from the same user. When a user logs in from a new machine/browser, the previous login is invalidated and the user is redirected to the login page on the old machine/browser.

I am able to achieve this by:
1. storing a unique sessionid for logged in user in the HttpApplicationState object
2. Whenever user logs in this session id is updated in the object so there is always the most recent session id.
3. This session id is also stored on client side in a cookie
4. For every request the client makes I compare this cookie value with the Application value and if different I log the user out.
5. To compare this session id in every request I have created an HttpModule object for event OnAuthenticated.

My question is, can I somehow abandon the Session for which I am logging the user out?

manurajhada
M-J

3 Answers

2

You could implement IRequiresSessionState in a temp HttpHandler, which would give you the current session. Here's a SO question/answer that provides the complete source.

Can I access session state from an HTTPModule?

Community
Chris Gessler
  • there is nothing to implement in IRequiresSessionState, it's just a marker interface. And AFAIR you can't use it for HttpModule, it's for HttpHandler – Antonio Bakula Jun 08 '12 at 11:50
  • @AntonioBakula - Check this out! http://stackoverflow.com/questions/276355/can-i-access-session-state-from-an-httpmodule – Chris Gessler Jun 08 '12 at 12:00
  • @M-J don't know how do you get this, but IRequiresSessionState was defined even in .NET 1.1 http://msdn.microsoft.com/en-us/library/system.web.sessionstate.irequiressessionstate%28v=vs.71%29.aspx – Antonio Bakula Jun 08 '12 at 12:00
  • @ChrisGessler I looked, and in the most upvoted answer IRequiresSessionState is set to HttpHandler – Antonio Bakula Jun 08 '12 at 12:02
  • @AntonioBakula - That is absolutely correct! Look at how the HttpHandler is used in the HttpModule. – Chris Gessler Jun 08 '12 at 12:04
2

As an alternative, you can do the same by implementing custom logic.

  1. Maintain a table of currently logged-in users.
  2. Whenever a user logs in successfully, just insert a new row for this user along with his username/userId and sessionId.
  3. Check for an entry in this table on every new login; if one exists, just log out the user with the previous session and replace the old entry with the new sessionId; if not, just do #2, i.e. make a new entry.
  4. Every time a user logs out, just delete his entry from this table while destroying his session.
  5. Also delete the entry for users with default session timeout.

OR

  • You can do the same by managing a table user_login (user_id, login_status, session_id) with permanent entries for all users and just update its fields (login_status (true/false) and session_id (String)) instead of insertion/deletion.

The first approach will have fewer rows in the table but will increase insertion/deletion operations, and the same will increase the unique id of the table very frequently.

The second approach has equal hits on the DB as the first because of update operations, but the number of rows will be fixed, equal to the number of users of the application.

manurajhada
0

You could use HttpContext.Current.Session and call HttpContext.Current.Session.Abandon() from an HttpModule, assuming that you use Session in an event that is called after Session object initialization, e.g. HttpApplication.PreRequestHandlerExecute.

Antonio Bakula
  • HttpContext.Current.Session is null when I use it in HttpModule instance, as it was null for HttpApplication.Session or HttpApplication.Context.Session. It says that SessionState is not available in this context. – M-J Jun 08 '12 at 12:06
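
The check from the question combined with the Session.Abandon() call from the last answer, as an added example (not code from any poster on this page). It assumes Forms authentication and the default session cookie name; the cookie name `LoginToken` and the Application key prefix `ActiveLogin:` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: one active login per user, enforced from an IHttpModule.
public class SingleLoginModule : IHttpModule
{
    private const string TokenCookie = "LoginToken";   // hypothetical cookie name
    private const string KeyPrefix = "ActiveLogin:";   // hypothetical Application key prefix
    private const string SessionCookie = "ASP.NET_SessionId"; // default; configurable in <sessionState>

    public void Init(HttpApplication app)
    {
        // Session state is loaded during AcquireRequestState, after the
        // authentication events, so the check is hooked on the event that follows it.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

        // Most recent token stored at login for this user (steps 1-2 of the question).
        string current = ctx.Application[KeyPrefix + ctx.User.Identity.Name] as string;
        HttpCookie cookie = ctx.Request.Cookies[TokenCookie];
        string presented = cookie == null ? null : cookie.Value;
        if (current != null && string.Equals(current, presented, StringComparison.Ordinal)) return;

        // Fails closed: a missing server-side token (e.g. after an app restart) also logs out.
        // Session is null when the current handler does not use session state (e.g. static files).
        if (ctx.Session != null)
        {
            ctx.Session.Clear();
            ctx.Session.Abandon();
        }
        // Abandon() leaves the session ID cookie in place; expire it so the ID is not reused.
        DateTime past = DateTime.UtcNow.AddDays(-1);
        ctx.Response.Cookies.Add(new HttpCookie(SessionCookie, "") { Expires = past });
        ctx.Response.Cookies.Add(new HttpCookie(TokenCookie, "") { Expires = past });
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        app.CompleteRequest(); // skip the handler for this request
    }

    public void Dispose() { }
}
```

The token written to the cookie at login should be a random value generated server-side, and the cookie should be set with HttpOnly and Secure.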