Menu
A few years ago I developed a web app for which we wanted to make sure the users weren't sharing credentials.
One of the things we decided to to, was only allow the user to be logged in from one computer at a time. The way I did this, was to have a little iframe ping the server every N seconds; as long as the server had a heartbeat for a particular user (from a particular IP), that user was not allowed to log in from any other IP.
The solution, although approved by my manger, always seemed hacky to me. Also, it seems like it would be easy to circumvent.
Is there a good way to make sure a web app user only logs in once? To be honest, I never understood why management even wanted this feature. Does it make sense to enforce this on distributed apps?
875
It considers that longer idle time outs (15-30 minutes) are acceptable for low-risk applications. On the other hand, NIST recommends that application builders make their users re-authenticate every 12 hours and terminate sessions after 30 minutes of inactivity.
When you visit most websites, it's common to see a box labeled Keep me logged in, Remember me, or similar next to the username and password fields. If you check this box before you sign in, you won't have to sign back into the website next time you return, even if you close your browser and come back later.
Basically, we have to store both the Username and the Password in the user's browser as cookies. Then every time the page loads the session variable will be set. Hence the user can log in without having to enter the Username and Password again until the life of that cookie expires.
I've implemented this by maintaining a hashtable of currently logged in users, the key was the username, the value was their last activity time.
When logging in, you just check this hashtable for the key, and if it exists, reject the login.
When the user does anything, you update the hashtable with the time (This is easy if you make it part of the core page framework).
If the time in the hashtable is greater than 20 minutes of inactivity, you remove them. You can do this every time the hashtable is checked, so even if you only had one user, and the tried to login several hours later, during that initial check, it would remove them from the hashtable for being idle.
Some examples in C# (Untested):
public Dictionary<String,DateTime> UserDictionary
{
get
{
if (HttpContext.Current.Cache["UserDictionary"] != null)
{
return HttpContext.Current.Cache["UserDictionary"] as Dictionary<String,DateTime>;
}
return new Dictionary<String,DateTime>();
}
set
{
HttpContext.Current.Cache["UserDictionary"] = value;
}
}
public bool IsUserAlreadyLoggedIn(string userName)
{
removeIdleUsers();
return UserDictionary.ContainsKey(userName);
}
public void UpdateUser(string userName)
{
UserDictionary[userName] = DateTime.Now;
removeIdleUsers();
}
private void removeIdleUsers()
{
for (int i = 0; i < UserDictionary.Length; i++)
{
if (user[i].Value < DateTime.Now.AddMinutes(-20))
user.RemoveAt(i);
}
}
I would turn the problem around, and allow the last login at the expense of any earlier login, so whenever a user logs on, terminate any other login sessions he may have.
This is much eaiser it implement, and you end up knowing where you are.
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
