How to prevent users to login to my site more than one sessions?

Question

I am developing an ASP.net site (using .NET 4, EF, jQuery Ajax, SQL Server 2008 R2). In this site I want to prevent multi-login. I mean if you log in to site, you can not log in to site again from other browser or computer since you are logged in already.

I plant an idea and developed it on my site, but it have a problem and it is because that problem that I decide to ask a question here

I have a SQL Server table like this :

Id        [int]            NOT NULL   IDENTITY(1,1)   //PK
UserId    [int]            NOT NULL                   //Relation to User table
Key       [nvarchar](50)   NOT NULL                   //Unique

When a user logs into the site, I insert a row into this table like this :

UserId = The Id of logged in user 
Key = Session.SessionId

and also there is a code for delete a record from this table that execute when:

1. User try to log out from its account
2. on Session_End event in global.asax

Everything works correct and perfect, just :

Problem: when the user closes the browser, that row does not get deleted (I thought when he close the browser, its row in that table will delete on Session_End event , but it did not!!!)

What can I do? Any solution for this problem? Should I change my strategy or there is a solution?

Sorry about my bad syntax. I am new in english

Any idea can be useful

regards

Foroughi

UPDATE1 : i do not use ASP membership and manage my users myself

UPDATE2 : i use InProc mode for my session state with 20 minutes timeout

Answer 1

The Session_End event doesn't fire when the browser is closed, it fires when the server hasn't gotten a request from the user in a specific time persion (by default 20 minutes). That means that if you use Session_End to remove users they wont be able to login for 20 minutes after they have closed the browser.

Two alternative strategies come to mind

1. You can use the onunload event in the browser to send a logout request to the server when the user leaves the page (This of course only works if the user still has net connectivity). The onunload event is also triggered when you reload the page, so you would have to keep track of why the event is triggered to use it.

2. You keep the time of the last request in the user object. That way you can determine how active the user is, and how likely it is that they have left the site. For example find any user that has not done anything for two minutes and log them out.

EDIT: As a final point raised in the comments. Instead of viewing your requirement as 'you can only have one login so if your logged in already then don't allow login' could you change to 'you can only have one login if you have a session open it will be cancelled and a new one created.'

This way you still keep your one login session per account rule whilst providing a much more robust method of enforcing it.