How to prevent multiple logins in a SaaS application?

Tags:

asp.net-core

What I need to do

I'm developing an application using ASP.NET Core and I actually encountered a problem using the Identity implementation.

In fact, in the official docs there is no reference to multiple sessions, and this is bad because I developed a SaaS application; in particular, a user subscribes to a paid plan to access a specific set of features, and he can give his credentials to other users so they can access it for free. This is a really bad scenario and I'll lose a lot of money and time.

What I thought

After searching a lot on the web I found many solutions for older versions of ASP.NET Core, so I'm not able to test them, but I understood that the usual solution for this problem is to store a user timestamp (which is a GUID generated on login) inside the database, so each time the user accesses a restricted page and there are multiple sessions (with different user timestamps), the old session will be closed.

I don't like this solution because a user can easily copy the cookie from the browser and share it with other users.

I thought about storing the information of the logged-in user session inside the database, but this will require a lot of connections too... So my inexperience with ASP.NET Core and the lack of resources on the web have left me confused.

Could someone share a generic idea for implementing a secure solution to prevent multiple user logins?

Dillinger asked Sep 04 '18 14:09


2 Answers

You can use UpdateSecurityStamp to invalidate any existing authentication cookies. For example:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    public AccountController(UserManager<IdentityUser> userManager, SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        var user = await _userManager.FindByEmailAsync(model.Email);
        // One generic error for unknown email and wrong password alike (no account enumeration).
        // CheckPasswordAsync verifies the password hash; UserManager has no ValidatePasswordAsync.
        if (user == null || !await _userManager.CheckPasswordAsync(user, model.Password))
        {
            ModelState.AddModelError(string.Empty, "Invalid username/password.");
            return View(model);
        }
        // Rotating the stamp makes every previously issued cookie fail its next stamp check,
        // which signs out the other devices.
        await _userManager.UpdateSecurityStampAsync(user);
        // SignInAsync returns Task, not SignInResult; it issues a fresh cookie carrying the new stamp.
        await _signInManager.SignInAsync(user, isPersistent: false);
        return RedirectToAction("Index", "Home");
    }
}

Updating the security stamp will cause all existing auth cookies to become invalid, basically logging out all other devices where the user is logged in. Then, you sign in the user on this current device.

Chris Pratt answered Oct 27 '22 21:10
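The stamp rotation in the answer above only takes effect when the cookie middleware re-reads the stamp from the store, and that happens on a timer rather than on every request. The Startup below is an added example, not code from the answer or from the ASP.NET Core project; it shows the Identity registration next to the option that controls how often the stamp is checked. `ApplicationDbContext` and the "DefaultConnection" name are assumed.

```csharp
// Startup.cs, ASP.NET Core 2.x. ApplicationDbContext and "DefaultConnection" are assumed names.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationDbContext : IdentityDbContext<IdentityUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) { _configuration = configuration; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(_configuration.GetConnectionString("DefaultConnection")));

        services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        // The cookie handler re-reads the user's security stamp only when the cookie is older than
        // ValidationInterval (default 30 minutes). Until then a cookie issued before
        // UpdateSecurityStampAsync still works, so the "other device" keeps its session for up to
        // half an hour. TimeSpan.Zero validates on every request at the cost of one user lookup
        // per request, which is the database load the question worries about.
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.Zero;
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must precede UseMvc so the stamp check runs before controllers
        app.UseMvc(routes => routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}
```

A few seconds instead of `TimeSpan.Zero` keeps the lookups bounded while still closing the window quickly. Note that this does nothing against the scenario from the question where a cookie is copied to another browser: the copied cookie carries the current stamp and validates fine until the next login rotates it.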


The best way is to do something similar to what Google, Facebook and others do: detect if the user is logging in from a different device. For your case, I believe you would want slightly different behavior: instead of asking for access, you'll probably deny it. It's almost like you're creating a license "per device", or a "single tenant" license.

This Stack Overflow thread talks about this solution.

The most reliable way to detect a device change is to create a fingerprint of the browser/device the browser is running on. This is a complex topic to get 100% right, and there are commercial offerings that are pretty darn good but not flawless.

Note: if you want to start simple, you could start with a Secure cookie, which is less likely to be exposed to cookie theft via eavesdropping. You could store a hashed fingerprint, for instance.

Fabio Manzano answered Oct 27 '22 23:10
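One way to act on the "hashed fingerprint in a Secure cookie" suggestion above, as an added example that is not code from the answer or from the ASP.NET Core project: the fingerprint is written into the cookie principal as a claim at sign-in and compared on every request in the cookie handler's `OnValidatePrincipal` event. `DeviceFingerprint`, `FingerprintClaimsFactory`, `FingerprintCookieSetup` and the claim type are hypothetical names, and the choice of request headers is an assumption; it targets ASP.NET Core 2.1 or later.

```csharp
// Added example, ASP.NET Core 2.1+. DeviceFingerprint, FingerprintClaimsFactory, FingerprintCookieSetup
// and the claim type are hypothetical names; the fingerprint inputs are a deliberately coarse choice.
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public static class DeviceFingerprint
{
    public const string ClaimType = "urn:example:device-fingerprint";

    // SHA-256 over request properties a casual cookie-sharer is unlikely to match by accident.
    // Everything here is client-controlled, so a determined sharer can replay it together with the
    // cookie; this raises the bar, it does not make the cookie unshareable.
    public static string Compute(HttpContext ctx)
    {
        var material = ctx.Request.Headers["User-Agent"].ToString() + "\n"
                     + ctx.Request.Headers["Accept-Language"].ToString();
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(material)));
        }
    }
}

// Adds the fingerprint claim when the cookie principal is built. Identity calls this factory from
// SignInManager.SignInAsync, so the login action from the first answer needs no change.
public class FingerprintClaimsFactory : UserClaimsPrincipalFactory<IdentityUser>
{
    private readonly IHttpContextAccessor _http;

    public FingerprintClaimsFactory(UserManager<IdentityUser> userManager,
                                    IOptions<IdentityOptions> options,
                                    IHttpContextAccessor http) : base(userManager, options)
    {
        _http = http;
    }

    protected override async Task<ClaimsIdentity> GenerateClaimsAsync(IdentityUser user)
    {
        var identity = await base.GenerateClaimsAsync(user);
        identity.AddClaim(new Claim(DeviceFingerprint.ClaimType, DeviceFingerprint.Compute(_http.HttpContext)));
        return identity;
    }
}

public static class FingerprintCookieSetup
{
    // Call after services.AddIdentity<IdentityUser, IdentityRole>() in ConfigureServices.
    public static void Register(IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddScoped<IUserClaimsPrincipalFactory<IdentityUser>, FingerprintClaimsFactory>();

        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // the "Secure cookie" from the answer
            options.Cookie.HttpOnly = true;

            // AddIdentity wires OnValidatePrincipal to the security-stamp validator. Assigning a new
            // handler replaces it, so run the validator first or stamp rotation silently stops working.
            options.Events.OnValidatePrincipal = async context =>
            {
                await SecurityStampValidator.ValidatePrincipalAsync(context);
                if (context.Principal == null) return;   // already rejected by the stamp check

                var expected = context.Principal.FindFirst(DeviceFingerprint.ClaimType)?.Value;
                var actual = DeviceFingerprint.Compute(context.HttpContext);
                if (!string.Equals(expected, actual, StringComparison.Ordinal))
                {
                    context.RejectPrincipal();
                    await context.HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
                }
            };
        });
    }
}
```

Two caveats follow from the design. A legitimate user is signed out whenever the fingerprint inputs change (a browser update changes the User-Agent), so keep the inputs few and stable, and expect false logouts. And because the check runs on every request, the fingerprint is the cheap first gate; the database-backed stamp check still decides whether the account itself is still valid.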