4

I am facing a serious problem in my project (a web application built in ASP.NET 2.0) explained below.

Let's say I have given the userid “singh_nirajan” and a user, say “User1”, has logged into the system using this userid. Now my requirement is that whenever another user, say “User2”, tries to log in to the system using the same (singh_nirajan) userid, it will show a message that “singh_nirajan already logged in”.

In order to implement this, I just update a flag in the database. Similarly, we update the flag in the database whenever the user logs out properly. We have also handled a few scenarios where the user does not log out properly, as follows.

  1. Browser close by clicking (X) close
  2. Session Timeout
  3. On Error

But sometimes the user gets logged out abruptly because of network failure, power failure or any such reason. I am not able to update the flag in the database, which is why the user is not able to log in using the same userid until and unless we update that flag manually.

Reason for the above implementation:

Sometimes a user opens multiple browsers and starts heavy processing tasks in different browsers; many times they share their user id and password, which sometimes invites concurrency problems. In order to restrict this, we need to implement single-instance login.

Can anyone suggest any other approach to implement the above?

Thanks in advance.

Nirajan Singh
  • Should the same user be allowed to login twice from the same machine (say if their browser dies, their machine reboots etc)? Should the same user be allowed to login from two different windows on the same machine? Is this app on an intranet? Do multiple platforms (e.g. Mac, Linux etc) need to be supported? – Thomas Mar 04 '10 at 06:58
  • Yes, the user should be able to login if the browser dies. The main concern is that only one user should be able to login at a time using a particular userid, either from the same machine or any other. This application is on an intranet and it does not support multiple platforms. – Nirajan Singh Mar 04 '10 at 07:05
  • The problem here stems from the fact that you let two persons share the same userid. Could you explain a bit more why you are not following the "one userid per person" practice? – Peter Lillevold Mar 04 '10 at 07:46

3 Answers

2

Browsers are inherently disconnected systems (to all intents and purposes). You cannot rely on getting any notification (from the client) for the end of a user's browser session.

Personally (as a user) I would find this single-login behaviour annoying as I regularly use the same website on different computers (laptop vs desktop vs home vs work vs vm host vs vm guest) or simply multiple browsers on the same machine (in particular browser-compatibility testing), but I accept that it may be a requirement.

IMO, if you have a "single session" requirement the better approach to this is "last wins" - i.e. if you login the second session you doom the first (essentially breaking their token) - so the first session becomes logged off. That is easy to do (in the database, just change a guid or increment a counter (against the specific user) at login). If needed you could log the IP (or whatever) of the second session against the one you are dooming, but if the second session can authenticate itself as "singh_nirajan" then that should be enough in most common scenarios.

Marc Gravell
  • @Marc I cannot force the first session to be logged off; maybe he/she will be doing some important activity, and we cannot kick him/her out in the middle. – Nirajan Singh Mar 04 '10 at 07:11
  • @Nirajan - it sounds like you want something you can't have for the reason stated, i.e. that you have no way of *guaranteeing* a logout event. This is why last wins is the best approach. Your problem here is not systems based, it's people based - there's no reason to be logged in twice, especially not if they are actively working on something, so really you need to accept the constraints of the platform you're developing for and revisit the requirement. – Murph Mar 04 '10 at 07:43
  • @Nirajan: wouldn't "he/she" be the same person doing that important activity? if so, why would he/she want to log in while at the same time doing some other activity? unless there are some rare occasions that two people have the same username, which the system should be able to prevent anyway.. – Peter Lillevold Mar 04 '10 at 07:44
  • Now I have updated my question with the reason for the implementation. – Nirajan Singh Mar 04 '10 at 08:54
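The "last wins" scheme from the answer above, sketched as an added example (not code from the answer): each login rotates a per-user stamp, and every request compares the stamp it carries with the stored one. The class name, the in-memory dictionary standing in for a database column, and the idea of carrying the stamp in the forms-authentication ticket are assumptions.

```csharp
using System;
using System.Collections.Generic;

// In-memory stand-in for a per-user "SessionStamp" column (hypothetical name).
class SessionStampStore
{
    private readonly Dictionary<string, Guid> _stamps =
        new Dictionary<string, Guid>(StringComparer.OrdinalIgnoreCase);
    private readonly object _lock = new object();

    // Call after the password check succeeds. Rotating the stamp dooms any older session.
    public Guid OnLogin(string userId)
    {
        Guid stamp = Guid.NewGuid();
        lock (_lock) { _stamps[userId] = stamp; }
        // Assumption: the caller keeps this server-side or in the encrypted auth ticket,
        // never in a value the client can edit.
        return stamp;
    }

    // Call on every authenticated request, e.g. from Application_AuthenticateRequest.
    // A false result means a newer login exists and this session must be signed out.
    public bool IsCurrent(string userId, Guid stampFromTicket)
    {
        lock (_lock)
        {
            Guid current;
            return _stamps.TryGetValue(userId, out current) && current == stampFromTicket;
        }
    }
}

static class Demo
{
    static void Main()
    {
        SessionStampStore store = new SessionStampStore();
        Guid first = store.OnLogin("singh_nirajan");   // User1 logs in
        Console.WriteLine("first session valid:  " + store.IsCurrent("singh_nirajan", first));
        Guid second = store.OnLogin("singh_nirajan");  // User2 logs in with the same userid
        Console.WriteLine("first after 2nd login: " + store.IsCurrent("singh_nirajan", first));
        Console.WriteLine("second session valid: " + store.IsCurrent("singh_nirajan", second));
    }
}
```

Because nothing depends on a logout event, a crashed browser or power failure leaves no stale state to clean up: the next successful login simply replaces the stamp.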
0

When saving the logged in flag, set a lastlogindatetime field.

In the login method, have logic that looks at both the bit and the date time stamp to decide if this is an old session that never got closed correctly.

SetiSeeker
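The flag-plus-timestamp check from the answer above, as an added example (not code from the answer): a login is refused only while the flag is set and the timestamp is still inside the timeout window. Refreshing the timestamp on every request, the 20-minute window, the class names and the in-memory table are assumptions that go beyond the answer.

```csharp
using System;
using System.Collections.Generic;

// In-memory stand-in for the user table: the existing flag plus a timestamp column.
class LoginRow { public bool LoggedIn; public DateTime LastSeenUtc; }

class SingleLoginGate
{
    private readonly Dictionary<string, LoginRow> _rows = new Dictionary<string, LoginRow>();
    private readonly object _lock = new object(); // stands in for one atomic UPDATE ... WHERE
    private readonly TimeSpan _timeout;

    public SingleLoginGate(TimeSpan timeout) { _timeout = timeout; }

    // Login is refused only while the flag is set AND the timestamp is still fresh.
    public bool TryLogin(string userId, DateTime nowUtc)
    {
        lock (_lock)
        {
            LoginRow row;
            bool live = _rows.TryGetValue(userId, out row) && row.LoggedIn
                        && nowUtc - row.LastSeenUtc < _timeout;
            if (live) return false;
            row = new LoginRow();
            row.LoggedIn = true;
            row.LastSeenUtc = nowUtc;
            _rows[userId] = row;
            return true;
        }
    }

    // Assumption: called on each authenticated request so an active session stays fresh.
    public void Touch(string userId, DateTime nowUtc)
    {
        lock (_lock) { LoginRow row; if (_rows.TryGetValue(userId, out row)) row.LastSeenUtc = nowUtc; }
    }
}

static class Demo
{
    static void Main()
    {
        // Assumption: the window matches the application's session timeout.
        SingleLoginGate gate = new SingleLoginGate(TimeSpan.FromMinutes(20));
        DateTime t0 = new DateTime(2010, 3, 4, 7, 0, 0, DateTimeKind.Utc); // constructed sample time
        Console.WriteLine("User1 login:        " + gate.TryLogin("singh_nirajan", t0));
        gate.Touch("singh_nirajan", t0.AddMinutes(5));  // User1 is still working
        Console.WriteLine("User2 at +10 min:   " + gate.TryLogin("singh_nirajan", t0.AddMinutes(10)));
        // Power failure after +5 min: no logout is recorded and no further requests arrive.
        Console.WriteLine("Re-login at +30 min: " + gate.TryLogin("singh_nirajan", t0.AddMinutes(30)));
    }
}
```

Against a real database the check and the update in `TryLogin` need to be a single conditional UPDATE (or run in one transaction), otherwise two simultaneous logins can both pass the check.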
0

The trick here is determining that the communication is coming from the same machine. In a Windows app, you'd pass the workstation name to your db. Two login requests from the same workstation would be allowed; two from different workstations would be denied. However, on the web there is no simple means to do this. You might try using the IP if your company does not use DHCP or everyone has an IP reservation. If doing the app in WinForms isn't an option, then you might try using a small click-once app to pass the workstation name to the db. Back in the old days, people would solve this issue on an Intranet app by mandating IE and using an ActiveX control. Mercifully, we've moved beyond that but it did solve this type of problem.

Thomas