Allow only one concurrent login per user in ASP.NET

Question

Is it possible to allow only one concurrent login per user in ASP.NET web application?

I am working on a web application in which I want to make sure that the website allows only one login per user at a time. How to check that the current user already logged in or not?

Please suggest proper login method by which we can handle this problem. I think we should use SQL Server session state to handle this problem. What do you suggest?

I thought of one solution for it. We can do something like:

1. When the user logs into the system then we insert session id in user column. (We will use database session so that we can get all session related data like isexpired, expiredatetime etc easily).

2. When the same user tries to login a second time then we will check for that session id column and check that session is already expired or not. If session is not expired then we will not allow user to login.

3. Update user session ID every time when user logs out.

Please suggest whether this is the proper way or not.

Answer 1

You can create a cache entry per user and store their session ID in it. Session ID will be unique per browser session. In your login page, you can create that cache entry when they successfully login:

if(Cache.ContainsKey["Login_" + username])
    // Handle "Another session exists" case here
else
    Cache.Add("Login_" + username, this.Session.SessionID);

(Code typed in textbox without syntax check. Assume "pseudo-code".)

In global.asax you can then hook into the Session_End and expire that cache entry of the user. See this for the global.asax events.

if(Cache.ContainsKey["Login_" + username])
    Cache.Remove("Login_" + username);