
I am using ASP.NET MVC with the Microsoft Identity framework. The application needs to support either forms-based or Windows-based authentication. This is a deployment-time configuration.

One of the asks from the security testing results is to stop users from having simultaneous logins. If the web application is forms authenticated, then I can fall back on CookieAuthenticationProvider and ensure that the cookie is invalidated if there are simultaneous logins (Prevent multiple logins).

I am not sure how to achieve a similar thing when the web application is configured for Windows authentication. Any suggestions will be helpful.

Sharath Chandra
  • The problem with multiple logins through AD is that a user can log in to your site, then log in to a PC in the domain. Is that a "multiple login"? I think this issue with preventing multiple logins through AD should be raised with your project stakeholders. And (I suspect) after enough discussion this requirement will be dropped (for AD auth) – trailmax Dec 23 '15 at 15:24
  • @trailmax I agree that this requirement is not justified in most cases. However, since this is a banking application, the issue raised is that the user will log in from the office through the intranet and usually does not turn off the machine. Then the user goes home and logs in to the site (note the site is exposed via both intranet and internet). In this case the user's machine need not be a part of the domain. – Sharath Chandra Dec 24 '15 at 07:41

0 Answers