
I have developed an ASP.NET website using C#. There is also a simple authentication module. Users can simply submit a form and become a member.

The problem area:

Consider this scenario: if I log in as the admin with, of course, a unique user name and password, no other user should be able to log in with the same authentication information. I explicitly mean only one login per user account.

Of course, I have searched the web and found something good right here (I tried the answer with a score of 8, of course). Actually, it works fine. But `Session.Abandon();` does not clear `Session["UsersLoggedIn"]`.

The problem: when the user logs out, the session is cleared and that is fine. But when he logs in again in less than the session expiration duration, he fails! The reason is that `Application["UsersLoggedIn"]` still has some value, and therefore the if statement in the Login method assumes that the user is already logged in. How can I overcome this?

Any ideas, please?

Thank you

Ali
  • possible duplicate: http://stackoverflow.com/questions/2922502/limit-only-one-session-per-user-in-asp-net – Steven V Jun 24 '13 at 13:55
  • The code you're referencing has `Session["UserLoggedIn"]` and `Application["UsersLoggedIn"]`. Which one are you referring to, as you wrote `Session["UsersLoggedIn"]` which should not exist. – Alexander Jun 24 '13 at 15:30
  • `Session["UsersLoggedIn"]` lives in the Login Method. Actually, in the logout method the session would be clear and it is ok. But the `Application["UsersLoggedIn"]` still has some value. Thus, in the Login method when the object is checked, it is not null and it concludes that the user already is logged in! And if I make the Application object null in the log out, then one user can log in more than once, while another user with the same info is already logged in. – Ali Jun 24 '13 at 15:49
  • @Alexander: That was a typing mistake; actually I mean `Session["UserLoggedIn"]` – Ali Jun 24 '13 at 15:59

2 Answers


This may help in constructing a solution. The following link shows how to do what you said (in ASP.NET MVC), except that the difference between this solution and what you need is as follows: User Bob logs in from his PC. Another user, using the same User ID of "Bob", logs in from another device (different Session ID). The FIRST session is killed while allowing the second session to live. From what you said, I believe you need the opposite behavior: disallowing a second instance of the same User ID from logging in when the user ID is already logged in, right? I believe you should be able to take this example and modify it to what you need it to do.

This is a custom implementation of the built-in membership (I know you said you didn't want to use the built-in membership, but I think you can get some useful information out of the post below).

When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?

Mike Marks

Please try to debug the events. Maybe the method where the Session is cleared is called before "Session_End", making it impossible to remove the UserLoggedIn from the collection stored in the Application. (I'd recommend taking the name from a Membership provider instead of dragging it along in the Session.)

Alexander
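
One way to avoid the stale `Application["UsersLoggedIn"]` entry described in the question and in the answer above, as an added example that is not part of the original posts: record which session owns each user name, release it explicitly at logout, and let `Session_End` release it only if that session is still the owner. `SingleLoginRegistry` and its method names are hypothetical, and the session key is assumed to be `Session.SessionID`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Added example: SingleLoginRegistry is a hypothetical helper, not code from the linked answers.
public static class SingleLoginRegistry
{
    // user name -> session key (assumed: Session.SessionID) that owns the login
    private static readonly ConcurrentDictionary<string, string> Owners =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call after the credentials check. False means another session owns this user name.
    public static bool TryLogin(string user, string sessionKey)
    {
        return Owners.GetOrAdd(user, sessionKey) == sessionKey;
    }

    // Call from the logout handler, before Session.Abandon().
    public static void Logout(string user, string sessionKey)
    {
        Release(user, sessionKey);
    }

    // Call from Session_End in Global.asax; needs only the session key, not session contents.
    public static void SessionEnded(string sessionKey)
    {
        foreach (KeyValuePair<string, string> entry in Owners)
            if (entry.Value == sessionKey) Release(entry.Key, sessionKey);
    }

    // Atomic compare-and-remove: a stale session can never evict the current owner.
    private static void Release(string user, string sessionKey)
    {
        ((ICollection<KeyValuePair<string, string>>)Owners)
            .Remove(new KeyValuePair<string, string>(user, sessionKey));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed session keys "A", "B", "C" stand in for Session.SessionID values.
        Console.WriteLine(SingleLoginRegistry.TryLogin("admin", "A")); // first login
        Console.WriteLine(SingleLoginRegistry.TryLogin("admin", "B")); // concurrent login refused
        SingleLoginRegistry.Logout("admin", "A");                      // explicit release at logout
        Console.WriteLine(SingleLoginRegistry.TryLogin("admin", "B")); // re-login works at once
        SingleLoginRegistry.SessionEnded("A");                         // late Session_End for A
        Console.WriteLine(SingleLoginRegistry.TryLogin("admin", "C")); // B still owns the account
    }
}
```

`Session_End` is raised only with InProc session state, so the explicit `Logout` call is what makes an immediate re-login possible; `SessionEnded` covers sessions that time out without a logout.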