Prevent Multiple login in ASP.NET

Use the application cache with a sliding expiry of 5 minutes. At least this
way your user will be locked out for a maximum of 5 minutes. Additionally
I'd allow a duplicate login if it came from the same IP address.

Instead of preventing a 2nd login, just terminate the first one.

You could put a small hidden IFRAME in the page and when the window.unload
function occurs on the client, set the location to a page with undoes the
flag. Then on each page load redo it. It leaves you open to multiple logins
for a very small window but should catch when they close the browser.

I havent tried this myself as I normally talk people out of this requirement
when I tell them how much money will be spent or it.

--

Ciaran O''Donnell
http://wannabedeveloper.space.live.com
"Bhavini" wrote:

Hi All,

I have to prevent multiple logins for the same user accessing at same time.
i.e. if xyz user is active, no other login should be allowed for the same
user ID.

I thought of saving active falg in databse. but when user closes browser or
anyhow regular logoff procedure is not called then that user will always be
in active state. So next time he will not be allowed to login.

Even Session_end() event will not occur if user will close the borwser.

Please help me if anyone has come accross the same problem.

Thanks
Bhavini

"Bhavini" <Bh*****@discussions.microsoft.comwrote in message
news:A2**********************************@microsof t.com...

Even Session_end() event will not occur if user will close the borwser.

Yes it will, just not straightaway. The session will eventually time out
automatically according to the Timeout setting (20 minutes by default)
whereupon the Session_End() event will fire.

Thx for the reply.

But actually we are having webfarm scenario, so I dont think it will be
possible to use caching here. And another thing is, we cant bear the delay of
5 minutes. We should be able to login immediately once browser is closed.

Two scenarios I have in my mind
1) if we can catch browser close event and call logout process there. But I
am not sure how to catch browser close event.

2) In DB we can maintain Active/Inactive flag as well as SessionID for
partucular user. So when the same user is logging we can check that
particualr session is activ or not based on session ID. I guess session ID
should be unique.

"Peter Morris [Droopy eyes software]" wrote:

Use the application cache with a sliding expiry of 5 minutes. At least this
way your user will be locked out for a maximum of 5 minutes. Additionally
I'd allow a duplicate login if it came from the same IP address.

It is a bit pricey, but ScaleOut StateServer supports this
quite well. I love the ability to share session variables
across servers and across app domains across servers.

Very powerful.

http://www.eggheadcafe.com/articles/scaleout_server.asp

--
Robbe Morris - 2004-2006 Microsoft MVP C#
I've mapped the database to .NET class properties and methods to
implement an multi-layered object oriented environment for your
data access layer. Thus, you should rarely ever have to type the words
SqlCommand, SqlDataAdapter, or SqlConnection again.
http://www.eggheadcafe.com/articles/..._generator.asp

"Bhavini" <Bh*****@discussions.microsoft.comwrote in message
news:1E**********************************@microsof t.com...

Thx for the reply.

But actually we are having webfarm scenario, so I dont think it will be
possible to use caching here. And another thing is, we cant bear the delay
of
5 minutes. We should be able to login immediately once browser is closed.

Two scenarios I have in my mind
1) if we can catch browser close event and call logout process there. But
I
am not sure how to catch browser close event.

2) In DB we can maintain Active/Inactive flag as well as SessionID for
partucular user. So when the same user is logging we can check that
particualr session is activ or not based on session ID. I guess session ID
should be unique.

"Peter Morris [Droopy eyes software]" wrote:

>Use the application cache with a sliding expiry of 5 minutes. At least
this
way your user will be locked out for a maximum of 5 minutes.
Additionally
I'd allow a duplicate login if it came from the same IP address.