Is there anyway to detect when a user logins if there is already another session with the same username, and block him from logging in again or send him a message?
Asked
Active
Viewed 3.6k times
5 Answers
17
You could always implement the events in global.asax.
Implement Application_Start() to setup a System.Collections.Dictionary (or at your preference) and store that in the Application[] collection, when a user logsin, add the username. Remove from the collection in Session_End(). Remember to use the 'lock' keyword while working with the collection :)
Have fun!
Example:
[page.aspx]
public partial class page : System.Web.UI.Page {
protected bool Login(string userName) {
System.Collections.Generic.List<string> d = Application["UsersLoggedIn"]
as System.Collections.Generic.List<string>;
if (d != null) {
lock (d) {
if (d.Contains(userName)) {
// User is already logged in!!!
return false;
}
d.Add(userName);
}
}
Session["UserLoggedIn"] = userName;
return true;
}
protected void Logout() {
Session.Abandon();
}
}
[global.asax]
<%@ Application Language="C#" %>
<script RunAt="server">
void Application_Start(object sender, EventArgs e) {
Application["UsersLoggedIn"] = new System.Collections.Generic.List<string>();
}
void Session_End(object sender, EventArgs e) {
// NOTE: you might want to call this from the .Logout() method - aswell -, to speed things up
string userLoggedIn = Session["UserLoggedIn"] == null ? string.Empty ? (string)Session["UserLoggedIn"];
if (userLoggedIn.Length > 0) {
System.Collections.Generic.List<string> d = Application["UsersLoggedIn"]
as System.Collections.Generic.List<string>;
if (d != null) {
lock (d) {
d.Remove(userLoggedIn);
}
}
}
}
</script>
Fredrik Johansson
- 3,477
- 23
- 37
-
I tried this solution, but I can't access Application on Session_End because my HttpContext.Current is null. How can I access it? – Inbal Oct 30 '13 at 15:22
-
@FredrikJohansson: If the user close the browser without clicking in LogOut, and again try to login with same username, the user will not be able to login. How can we fix that? – nightfire001 Mar 12 '15 at 13:00
-
@Kushal this is pretty old code, but I'd modify it at "// User is already logged in!!!" to do "Session["UserLoggedIn"] = userName; return true;" - that should solve it. – Fredrik Johansson Mar 18 '15 at 19:30
-
@FredrikJohansson Doing as per your comment above will allow multiple session and that is not what we want. Everything is fine in your code the only problem is when browser is close then the session of that user should be cleared. Currently I have used
but I have to wait 1 minute before session is expired and user relogin again. – nightfire001 Mar 23 '15 at 13:06 -
1@Kushal ah I see, and that's the whole point of the code :) I guess you could also save the IP? of the user logging in to the UsersLoggedIn collection (make it a
collection or something), and the allow login again if that match? Or perhaps add some nifty – Fredrik Johansson Mar 24 '15 at 12:24 -
Whats about ***performance*** when there are more 4000 users for the website ? – Kiquenet Jun 22 '16 at 10:28
-
one worst condition I found here after implementation is, If user (for the first time) try to login but provides and invalid password gets the error for invalid password and now if he tries to login providing the valid credentials he is not allowed here as it will show him that he is already logged in from another system (this username is existed in list of user as he tries to get login on first term). @Fredrik Johansson – Rameez Javed Mar 05 '20 at 04:37
3
I've implemented this where when a user logs in it sets a flag in the DB that they are logged in. It was an int representing how many times they are logged in. We allowed two. Then would just check that when validating the user.
nportelli
- 3,934
- 7
- 37
- 52
-
And how do you determine If a user logged out? There are also connections that time out. So you need atleast a routine running somewhere to decrease that integer – citronas May 27 '10 at 15:37
-
Yes that was an issue. I believe we had javascript running congruent to the session timeout and it would ask if you wanted to stay logged in, if no answer then it would decrease the count. Also had the same thing in the session end event. We also had a job that reset the count's to 0 in the middle of the night. – nportelli May 27 '10 at 15:46
2
You can, by keeping track of users logged in, in your global.asax by using the Application object.
In the Session_Start method or your login method, you can check if the user is stored in the Application object.
On the Session_End method or in your logoff method, you'll need to remove the user from the Application object.
Ed B
- 6,028
- 3
- 26
- 35
-
I tried this solution, but I can't access Application on Session_End because my HttpContext.Current is null. How can I access it? – Inbal Oct 30 '13 at 15:22
1
Don't store it in the DB if you cannot identify user logout event (they may click logout, close the tab, close the whole browser, or may just shutdown the computer...). Use session to do the same checking instead.
Bolu
- 8,696
- 4
- 38
- 70
0
You could store the SessionID of a user in a database. On each login, store a combination of Unique username and SessionID into the database. In the masterpage you include the query to the database, to check wether the last login for the currently used username was from the same session. If not, abandon the session and redirect to the login page.
The behaviour I posted should log out the second user. You may change the Session.Abandon to your desired behaviour
citronas
- 19,035
- 27
- 96
- 164