Need to restrict the user to a single browser session

I have built an ASP.Net MVC site using Forms Authentication for a client.
Recently, they have requested that an authenticated user be restricted to a single browser session. That is, if the user raises a new browser instance, or opens a new tab on the original browser window, that he/she be logged out of the original. They insist on the added security. Does anyone know how I might approach this? Thanks in advance.

phil1630 asked Sep 19 '13 01:09


3 Answers

Personally, I would push back and ask exactly what security this is bringing. Maintaining state like this is counter to web architecture and is only going to bring you and your users grief.

Darrel Miller answered Nov 08 '22 14:11


Here is what I would do if presented with this problem:

  1. Store the username of the user in your database (i.e. LoggedOn table).
  2. When a user logs on, check to see if their username is already present in the LoggedOn table.
  3. If the user isn't already logged on, insert a row into the table with the username and the current time; otherwise present the user with a message informing them that they can only log into the system from one device at a time.
  4. Include logic to expire and delete the rows in the table if a user's session expires or if the user logs out.

Karl Anderson answered Nov 08 '22 13:11

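The four steps above as a runnable model, added here and not part of Karl Anderson's answer or any ASP.NET code: it is framework-agnostic Python, and the `policy` switch also covers the questioner's variant where the newest login logs the original browser out instead of being refused. The per-login token and the `demo` scenario are constructed for illustration; in a real site the token would ride next to the forms-authentication cookie and `validate` would run in a per-request filter.

```python
import secrets
import time

class SingleSessionRegistry:
    """In-memory stand-in for the 'LoggedOn' table: one live session per user."""
    def __init__(self, idle_timeout=20 * 60, policy="replace", clock=time.monotonic):
        self._sessions = {}           # username -> (token, last_seen)
        self._timeout = idle_timeout  # seconds; step 4: expire stale rows
        self._policy = policy         # "replace": newest login wins; "reject": keep first
        self._clock = clock           # injectable so the demo can advance time

    def _current(self, username):
        """Return the live (token, last_seen) for a user, dropping it if idle too long."""
        entry = self._sessions.get(username)
        if entry is not None and self._clock() - entry[1] > self._timeout:
            del self._sessions[username]
            return None
        return entry

    def login(self, username):
        """Steps 2-3: hand out a per-login token, or None if a second login is rejected."""
        if self._policy == "reject" and self._current(username) is not None:
            return None
        token = secrets.token_urlsafe(32)   # stored client-side alongside the auth cookie
        self._sessions[username] = (token, self._clock())
        return token

    def validate(self, username, token):
        """Per-request check; the original browser fails here once another login replaced it."""
        entry = self._current(username)
        if entry is None or not secrets.compare_digest(entry[0], token):
            return False
        self._sessions[username] = (entry[0], self._clock())   # touch last_seen
        return True

def demo(policy="replace"):
    """Constructed scenario: the same user logs in twice, then sits idle past the timeout."""
    now = [0.0]
    reg = SingleSessionRegistry(idle_timeout=60, policy=policy, clock=lambda: now[0])
    first = reg.login("alice")
    second = reg.login("alice")
    results = {
        "second_login_allowed": second is not None,
        "first_still_valid": reg.validate("alice", first),
        "second_valid": second is not None and reg.validate("alice", second),
    }
    now[0] += 61
    results["valid_after_timeout"] = reg.validate("alice", second or first)
    return results
```

Logout (the rest of step 4) is just deleting the user's row; a database-backed version needs the same expiry sweep so a crashed browser does not lock the account out until the timeout elapses.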

First a disclaimer: I'm no expert in web programming.

Perhaps you might try a system where every user interaction requires the submission of a random value that's been generated for that page (much like what's used for CSRF protection.) That key could be kept under the user's session information on the server, and if a page is ever requested without the correct key as a URL parameter, the session is invalidated. The URL from one browser won't work in another, either, since once a URL is gone to, the user's session key has changed. The only way for a user to transfer a session between tabs would be to copy the URL of an unclicked link and paste it in a new tab's address bar. Switching browsers would be even more complex assuming that ASP.Net uses a session cookie: the user would have to transfer the cookie from one browser to another. Going back would also fail, as all the links on the previous page, and the URL for the page, would carry an incorrect session key.

Also, for reference, I believe the US Gov't TreasuryDirect site works in the way you've described, though I've never looked at how they manage it.

andyg0808 answered Nov 08 '22 14:11