In my application, I do not want two users to log in with the same login name.

For example, user1 logs in with the name "test1", then user2 tries to log in with "test1" too, but at this moment user1's forms authentication has not expired, so the login of user2 should be denied.

I created a cache class to record all the active sessions:

```csharp
using System.Collections.Generic;
using System.Web.SessionState;

public class SessionDb {
    private static Dictionary<string, HttpSessionState> sessionDB = new Dictionary<string, HttpSessionState>();

    public SessionDb() {
    }

    public static void addUserAndSession(string name, HttpSessionState session) {
        sessionDB.Add(name, session);
    }

    public static bool containUser(string name) {
        // In fact, here I also want to check whether this session is active or not, but I did not find a method like session.isActive() or session.HasExpire() or something else.
        return sessionDB.ContainsKey(name);
    }

    public static void removeUser(string name) {
        if (sessionDB.ContainsKey(name)) {
            sessionDB.Remove(name);
        }
    }
}
```

In the login.aspx.cs:

```csharp
// check the name and password
if (checkNameAndPass(sUserName, sUserPwd)) {
    if (!SessionDb.containUser(sUserName)) {
        // let the user log in
        Session["current_user_name"] = sUserName;
        SessionDb.addUserAndSession(sUserName, Session);
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
    else {
        // this name already has an entry in SessionDb: deny the login
        this.error.Text = string.Format("user {0} have logined!", sUserName);
    }
}
```

Global.asax:

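```csharp
void Session_End(object sender, EventArgs e)
{
    // Sessions that never logged in have no "current_user_name" entry.
    object name = Session["current_user_name"];
    if (name != null) SessionDb.removeUser(name.ToString());
}
```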

But it seems that the Session_End() method is called at some time according to the timeout setting in sessionState.

Obviously I need the SessionDb to remove the related session when the authentication times out.

Any idea to improve my code? Or any other idea to implement my requirement?

I just do not want the user to log in repeatedly (with the same name).

UPDATE:

BTW, I think my code also has some problems: I store the login token using the Session, but what if the forms authentication has timed out but the session has not?

hguser
  • Are you using Membership as well? Default or your own? you can use `Membership.IsOnline()` to track that. – balexandre Apr 19 '11 at 10:13
  • I do not use Membership, since I do not think the user/roles management can be handled by asp.net; also we use an Oracle database, which means we have to make a custom membership provider. Since I have been trying asp.net for no more than one week, I think using Membership is beyond my ability. – hguser Apr 19 '11 at 10:26
  • It's very easy to implement, even in oracle, and you can always use your own Membership Provider and if you want Roles Provider as well, so you don't need to use ASP.NET Membership Database schema and work with your own DB Structure --> see this for more info: http://www.asp.net/general/videos/how-do-i-create-a-custom-membership-provider – balexandre Apr 19 '11 at 10:59
  • Thanks for your attention, but I wonder if there are some other ways to implement my requirement rather than Membership? – hguser Apr 19 '11 at 11:09
  • Your implementation has several pitfalls that Membership covers out-of-the-box, that's why we prefer to use it rather than recreate the wheel. If you are happy with your implementation, you will have problems for example if someone closes the browser and while there is no session timeout the user tries to login from a different computer (maybe the client computer where is at)... there are sooo many little problems. – balexandre Apr 19 '11 at 11:12
  • In fact, what confuses me most is how asp.net knows what information I need to create a user. I watched the video, and I found that it provides "name, pass, email, question...", but sometimes this is not enough or it is not necessary. Also, we can create new users and roles with the asp.net administrator tool, but in most cases the user should be registered, so should we expose the "asp.net administrator tool (the create user page)" to the unregistered user to create? – hguser Apr 19 '11 at 11:21
  • For example, I create my users with `username`, `name`, `service_url`, `service_user` and `service_pwd`. It's all about the way you implement it, the video shows the `default` behavior. The roles are there if you use ASP.NET Schema, you can always create your own page to change that information, no need to use ASP.NET roles page (that's for you, so you can easily create them quickly to test stuff) --> see my answer here: http://stackoverflow.com/questions/5701673/custom-membershipprovider-in-net-4-0/5702000#5702000 – balexandre Apr 19 '11 at 11:51
  • Thanks! It is very useful. So if I want to use Membership with oracle8i, I should take the following steps: 1) create the tables according to the sqlserverprovider 2) extend the MembershipProvider and RolesProvider? I will try to find if there is some existing code :) Thank you. – hguser Apr 19 '11 at 12:10

2 Answers

If you are using a Membership provider:

A user is considered online if the current date and time minus the UserIsOnlineTimeWindow property value is earlier than the LastActivityDate for the user.

from MSDN Article

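So you can simply use the check

```csharp
MembershipUser user = Membership.GetUser(userName); // userName: the login name being checked
bool alreadyOnline = user != null && user.IsOnline;
```

before you log in the user.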

balexandre
  • This is very inexact, as can be implied from the MSDN article: after the time of the UserIsOnlineTimeWindow has passed, even if the user is still online he will be detected as not online. Also, if the user closed the browser without signing out, within the time of the UserIsOnlineTimeWindow he will still be detected as online even though he is not. – Dov Miller Sep 12 '17 at 11:49
  • Even after logout, IsOnline will still be True if the time of the UserIsOnlineTimeWindow hasn't passed, as discussed in https://stackoverflow.com/questions/10467880/membershipuser-isonline-is-true-even-after-logout and https://stackoverflow.com/questions/9918033/user-isonline-true-even-after-formsauthentication-signout. See solutions to that problem there. – Dov Miller Sep 12 '17 at 12:22

In asp.net site how to prevent multiple logins of same user id?
Another approach (Disclaimer: I have not tested this.):

In the web.config set userIsOnlineTimeWindow to 1, and in the LoggingIn event handler:

```csharp
protected void Login1_LoggingIn(object sender, LoginCancelEventArgs e)
{
    MembershipUser u = Membership.GetUser(Login1.UserName);
    if (u == null) return; // unknown user name: leave it to the normal login failure
    Response.Write(u.IsOnline); // debug output
    if (u.IsOnline)
    {
        Login1.FailureText = "A user with this username is already logged in.";
        e.Cancel = true;
    }
}
```
Kamyar
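
A lease-based alternative to the question's `SessionDb`, as an added example that is not part of the original posts: each user name holds one login lease that expires on its own, so a closed browser or a late `Session_End` cannot block the name past the timeout. `LoginLeaseRegistry`, its members and the per-login `token` (for instance a random value kept with the forms ticket) are hypothetical names, and `Timeout` is assumed to be set to the forms authentication timeout.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not from the original posts): one login lease per user name.
public static class LoginLeaseRegistry
{
    private sealed class Lease { public string Token; public DateTime ExpiresUtc; }

    private static readonly object Gate = new object();
    private static readonly Dictionary<string, Lease> Leases =
        new Dictionary<string, Lease>(StringComparer.OrdinalIgnoreCase);

    // Assumption: kept equal to the <forms timeout="..."> value in web.config.
    public static TimeSpan Timeout = TimeSpan.FromMinutes(30);

    // Call after the password check. Returns false while another unexpired lease exists.
    public static bool TryAcquire(string userName, string token, DateTime nowUtc)
    {
        lock (Gate)
        {
            Lease lease;
            if (Leases.TryGetValue(userName, out lease)
                && lease.ExpiresUtc > nowUtc && lease.Token != token)
                return false;
            Leases[userName] = new Lease { Token = token, ExpiresUtc = nowUtc + Timeout };
            return true;
        }
    }

    // Call on every authenticated request so the lease stays alive while the user is active.
    public static bool Renew(string userName, string token, DateTime nowUtc)
    {
        lock (Gate)
        {
            Lease lease;
            if (!Leases.TryGetValue(userName, out lease) || lease.Token != token
                || lease.ExpiresUtc <= nowUtc)
                return false; // expired or superseded: the caller should sign this request out
            lease.ExpiresUtc = nowUtc + Timeout;
            return true;
        }
    }

    // Call from the logout handler; only the lease owner can release the name.
    public static void Release(string userName, string token)
    {
        lock (Gate)
        {
            Lease lease;
            if (Leases.TryGetValue(userName, out lease) && lease.Token == token)
                Leases.Remove(userName);
        }
    }
}
```

The dictionary lives in one worker process, so an application pool recycle clears it and a web farm needs a shared store instead. A user who closes the browser without logging out stays locked out of that name until the lease expires.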