0

I have a requirement in which, if a user logs in to the application, any session with the same user should be logged off, i.e. if the same user tries to log in to the application from a different IP, then the first session should be closed when the user logs in.

Ankit

4 Answers

2

Unfortunately, the nature of ASP.NET means that you cannot tell if a user is logged in already. Sure you can log the fact a user has accessed your application, but there is no way to tell that they have abandoned their old session, perhaps by closing their browser, and that their new login is therefore valid.

You have to implement your own method.

Have a look at the below:

http://geekswithblogs.net/Frez/articles/preventing-a-user-from-having-multiple-concurrent-sessions.aspx

Massimiliano Peluso
  • [Get a list of all active sessions in ASP.NET](https://stackoverflow.com/questions/8854176/get-a-list-of-all-active-sessions-in-asp-net) – Sen Jacob May 21 '18 at 09:40
0

Please refer to:

When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?

You'll have to implement your own solution, as @Massimiliano said above.

I had a similar requirement, and came up with a pretty slick solution, demonstrated in the link above. In a nutshell, my requirement was to only have one user log-in happening at one time. If that same user ID tried to log in elsewhere, then it killed the session for the first log-in by checking for an existing log-in under a different Session ID (this enabled the user ID to be logged in from multiple instances of their web browser on their computer [same Session ID], which is common, but not from a different computer [different Session ID] (possibly due to someone that stole their credentials, for example)). Through modification of the code you could probably change the behavior of this - i.e., prevent the second log-in attempt instead of killing the first log-in that's already active and in use.

Of course, it may not fit 100% to what you're needing, so feel free to modify it to fit your needs.

Mike Marks
0

If you store the latest used IP in the database, all the sessions could check at the next page load or any handler call whether their Request comes from the same IP or not, and if not you can call Session.Abandon();

Davide Piras
0

I don't think you will be able to log them out until they actually try to do something, i.e. make a new request.

My suggestion would be to always store the "last session_id used" along with a timestamp with each request a user makes.

If the next request that comes in for a particular user has a different session_id, you know they just logged in again, so you should no longer accept requests from the old sessionid and you can delete their session and then redirect them to an error page.

E.J. Brennan
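
The session-ID check described in Mike Marks's and E.J. Brennan's answers above, as an added example that is not code from any of the posters: a small in-memory registry in C# that records the latest session ID and a timestamp per user. `ActiveSessionRegistry`, its method names and the sample values are hypothetical; it assumes a single server and case-insensitive user IDs, and an application running on several servers would keep the same record in the database instead.

```csharp
using System;
using System.Collections.Generic;

// Added example (hypothetical names): remembers the one session ID allowed per user.
public sealed class ActiveSessionRegistry
{
    private sealed class Entry { public string SessionId; public DateTime LastSeenUtc; }
    private readonly object _gate = new object();
    // Assumption: user IDs compare case-insensitively.
    private readonly Dictionary<string, Entry> _byUser =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    // Call once credentials are verified. Returns the session ID that was displaced, or null.
    public string RegisterLogin(string userId, string sessionId)
    {
        lock (_gate)
        {
            Entry old;
            _byUser.TryGetValue(userId, out old);
            _byUser[userId] = new Entry { SessionId = sessionId, LastSeenUtc = DateTime.UtcNow };
            return (old != null && old.SessionId != sessionId) ? old.SessionId : null;
        }
    }

    // Call on every authenticated request. False: a newer login owns the account, or no record exists (fails closed).
    public bool IsCurrent(string userId, string sessionId)
    {
        lock (_gate)
        {
            Entry e;
            if (!_byUser.TryGetValue(userId, out e) || e.SessionId != sessionId) return false;
            e.LastSeenUtc = DateTime.UtcNow; // timestamp of the last accepted request
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var registry = new ActiveSessionRegistry();
        registry.RegisterLogin("alice", "sess-A");                    // constructed sample values
        string displaced = registry.RegisterLogin("alice", "sess-B"); // login from a second machine
        Console.WriteLine("displaced session: " + displaced);
        // The first machine's next request: on false the app calls Session.Abandon() and redirects.
        Console.WriteLine("sess-A accepted: " + registry.IsCurrent("alice", "sess-A"));
        Console.WriteLine("sess-B accepted: " + registry.IsCurrent("alice", "sess-B"));
    }
}
```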