Log out membership user by user name - asp.net

I am aware of the mechanism for preventing multiple user logins described in "In asp.net site how to prevent multiple logins of same user id?". My scenario is different.
On my website, a single page checks if the user is logged in (default .NET membership provider). Once the user is authenticated, the page redirects them to a premium service on a third-party server. This means I can't use the above mechanism to check on each page the current session ID against a previously stored session ID.
On login, I need to end all previous sessions for the current user. All methods that I came across (e.g. FormsAuthentication.SignOut) only target the current user. Is it possible to log out a user by membership user name, so that no two visitors to the site use the same user name?

You could create a table/custom membership field/static dictionary/etc that tracks a user's current session ID. When the user logs in, set that value to the current ID. Then, in your global.asax handle Application_AuthenticateRequest and check if the current session matches what you have stored. If not, perform the SignOut/redirect.

Related

asp.net identity 2 require particular claim to log in

In MVC5 asp.net - Is there a way to allow user login only if the user has a particular claim in the user database? I'd like to assign a "CanLogin" claim to users in my user database that are allowed to log in at any given time. By removing the "CanLogin" claim, I could effectively lock the users out of the system until further notice.
This would have to work for a first time login as well as cookie login at a later stage if the user has checked "remember my login".
Using an authentication filter, you can check the identity.claims property to validate whatever claims are present in the context.
The claims must be added during the login process.
Then you can check whether a particular user is enabled or not.
However, if the user database is self-maintained, you can just set a disabled flag and then reject the login request, instead of returning such a claim.
The claims are used for authorization to a particular functionality rather than authentication to an app. A valid user will have certain claims which tell what the user is permitted to do.
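As an added example (not code from the question or the answer above), here is an MVC5 authentication filter that treats a signed-in principal as unauthenticated unless it carries a "CanLogin" claim, plus a helper that grants or revokes the claim through ASP.NET Identity 2. The claim type name, the ApplicationUser/UserManager types from the MVC5 project template, and the ~/Account/Login URL are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using Microsoft.AspNet.Identity;

// Authentication filter: runs before [Authorize] and the action. If the cookie
// principal lacks the CanLogin claim, the identity is dropped for this request
// and the challenge signs the user out.
public class RequireCanLoginClaimAttribute : FilterAttribute, IAuthenticationFilter
{
    public const string ClaimType = "CanLogin";   // assumed claim type name

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        var principal = filterContext.Principal as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return; // anonymous requests are left to [Authorize] as usual

        bool allowed = principal.HasClaim(c => c.Type == ClaimType && c.Value == "true");
        if (!allowed)
        {
            // Replace the principal with an empty identity and short-circuit the action.
            filterContext.Principal = new ClaimsPrincipal(new ClaimsIdentity());
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            // Clear the Identity application cookie so a persistent ("remember me")
            // login does not simply come back on the next request.
            filterContext.HttpContext.GetOwinContext().Authentication
                .SignOut(DefaultAuthenticationTypes.ApplicationCookie);
            filterContext.Result = new RedirectResult("~/Account/Login?reason=disabled");
        }
    }
}

// Stores the claim in AspNetUserClaims; Identity copies stored user claims into
// the cookie identity at sign-in, so the filter above sees it on later requests.
public static class CanLoginClaims
{
    // ApplicationUser is the template's user class (assumed).
    public static async Task SetAsync(UserManager<ApplicationUser> manager, string userId, bool canLogin)
    {
        var existing = (await manager.GetClaimsAsync(userId))
            .Where(c => c.Type == RequireCanLoginClaimAttribute.ClaimType)
            .ToList();
        foreach (var claim in existing)
            await manager.RemoveClaimAsync(userId, claim);

        if (canLogin)
            await manager.AddClaimAsync(userId,
                new Claim(RequireCanLoginClaimAttribute.ClaimType, "true"));

        // Changing the security stamp makes cookies issued earlier fail the
        // template's SecurityStampValidator check instead of being re-issued.
        await manager.UpdateSecurityStampAsync(userId);
    }
}
```

Apply the filter globally (`GlobalFilters.Filters.Add(new RequireCanLoginClaimAttribute())`) or per controller. For the "remember my login" case note that the cookie carries a copy of the claims: with the template's SecurityStampValidator (30-minute validateInterval) a persistent cookie issued before the claim was removed keeps the old claim until the next validation, so the security-stamp update above is what guarantees it is rejected rather than refreshed; shortening validateInterval narrows that window.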

log out a user logged in from different browsers/machines using forms authentication

Consider the case of forms authentication with persistent cookies.
If the same user logged in using two different browsers or two different machines, when the user logs out from one of the browsers/machines, wouldn't he still be able to log in from the other browser/machine?
Usually, how do web applications handle this case?
I have to agree with Srinivas for the most part. Here is my take on the subject:
On login:
1) Create an HTTP-only cookie with a GUID generated at login; this will be your browser/computer key. Closing the browser will remove the cookie.
2) Get the user ID.
3) Persist the pair in the user table, e.g. user: a, key: 12345.
On subsequent requests, after the user has been authenticated, the authentication algorithm is:
1) Get the last used key in the DB for the current user ID.
2) Check that the cookie is present; if not, completely unauthenticate.
3) Check that the cookie value is the same as that in the database; if not, completely unauthenticate.
With this method any subsequent login will cause a required reauthentication & invalidate any other authentications, in effect forcing the user to use only 1 browser/computer.
I usually do it this way: I have a session column in my user table (in the database). When the user logs in I store the value Y in it. I change it to N when he logs out. Every time the user tries to log in, I check the value in the corresponding session column; if it is Y I tell the user that he is already logged in, and if it is N then I allow the user to log in. But we have to be careful and set the value to N when the user logs out or closes the browser.
Forms Authentication with cookies (regardless of whether they are persistent or not) is browser-session based (a persistent cookie would of course work across multiple sessions of the same browser, on the same user account on the same machine). So two browser sessions (or two different browsers, or browsers on two machines, etc.) would be treated as different scopes as far as forms authentication is concerned.
So a user can make multiple logins from different browser sessions, and logout in one will not affect the other. It is up to the web application whether to allow multiple concurrent logins for the same user or not. For example, online banking sites would restrict to only one user session, so if the user logs in from a different session then the earlier session is invalidated (i.e. the user is logged out). One has to write a custom implementation in ASP.NET to do so; a typical implementation would make an entry for every user session in the database (typically required for audit purposes anyway), so whenever a new entry is added, a check is made to see if there is any active session for the same user and if so that session is marked inactive. Every request would check whether the current user session is active or not; if not, it would flag such a message to the user.

ASP.NET Forms Auth - Can I get a temporary unique ID before the user is logged in?

I am using ASP.NET Forms Authentication (Roles, Users, Membership, etc).
In short, I'm looking for something that will give me a unique UserId for users -before- they are logged in or before they create an account.
I would like the user to be able to personalize the site to a certain extent -before- they go about the work of creating an account. I realize that work would be lost if they clear their cookies.
I store personalized settings in a table with their ASP.NET Auth UserId. I'm hoping that users get assigned a cookie-based UserId even before they log in and create an account, rather than every "guest" having the same "guest id".
If and when they do create an account or log in I'd have to migrate their saved settings to their "permanent" UserId, but that's ok with me.
I could re-invent something, creating a Guid and storing it in a cookie, but I'd like to avoid reinventing the wheel if there's already a mechanism in ASP.NET.
Thanks!
Dave
See Personalization and User Profiles in ASP.NET 2.0 - Handling Anonymous Users.
Note that each anonymous user gets a unique anonymous ID the first time they visit a site. This ID is stored persistently in a cookie. Thus, if a second user opens up a browser on the same computer as the first, the second user will be seen by the site as having the same anonymous ID that was issued to the first user.
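The built-in anonymous identification the linked article describes, shown as an added example (this is not code from the question or the answer): a Global.asax code-behind that keys per-visitor settings by the membership user name once logged in and by ASP.NET's anonymous ID before that, and migrates an anonymous profile when the visitor registers. The web.config fragment in the comment and the "Theme" profile property are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Profile;
using System.Web.Security;

// Assumed web.config: enable the AnonymousIdentificationModule and mark the
// profile property as usable by anonymous visitors.
//
//   <system.web>
//     <anonymousIdentification enabled="true" cookieless="UseCookies"
//                              cookieProtection="All" cookieRequireSSL="true" />
//     <profile>
//       <properties>
//         <add name="Theme" allowAnonymous="true" />
//       </properties>
//     </profile>
//   </system.web>
public class Global : HttpApplication
{
    // Key under which this visitor's settings are stored: the membership user
    // name after login, otherwise the GUID ASP.NET issued in the anonymous cookie.
    // As the answer above notes, the anonymous ID identifies the browser profile,
    // not the person; anyone sharing that browser shares the ID.
    public static string EffectiveUserKey(HttpContext ctx)
    {
        if (ctx.Request.IsAuthenticated)
            return ctx.User.Identity.Name;
        return ctx.Request.AnonymousID;   // null only when the module is disabled
    }

    // Raised by the ProfileModule on the first authenticated request from a
    // visitor who previously had an anonymous profile (auto-wired by name).
    void Profile_OnMigrateAnonymous(object sender, ProfileMigrateEventArgs args)
    {
        ProfileBase anonymous = ProfileBase.Create(args.AnonymousID, false);
        ProfileBase current = args.Context.Profile;

        string theme = anonymous.GetPropertyValue("Theme") as string;
        if (!string.IsNullOrEmpty(theme))
        {
            current.SetPropertyValue("Theme", theme);   // copy into the permanent profile
            current.Save();
        }

        // Remove the anonymous profile and cookie so they are not reused.
        ProfileManager.DeleteProfile(args.AnonymousID);
        AnonymousIdentificationModule.ClearAnonymousIdentifier();
    }
}
```

Settings kept in your own table rather than in Profile can use EffectiveUserKey as the lookup key and be re-keyed to the user name inside the same migration handler.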
The short answer is No. There is no user id assigned to anonymous users that you can store in the Profile table. You will have to create an "AnonymousSettings" table in which you store customization information on a per-user basis. You would generate your own cookie with a unique ID (a GUID would be a good choice) and then use that to look up the anonymous user.
Once the user registers, you can transfer their settings from the anonymous table to the profile settings.
ASP.NET automatically generates a SessionID per user.
You can use the SessionID of the active user.
Session.SessionID returns a unique key for the user. The SessionID is stored in cookies.
ASP.NET doesn't remove the session cookie after the user has logged in, so
you can match SessionID and UserId.

asp.net - Prevent multiple logins for a single user

How can I prevent a single user from logging in to my asp.net website from more than one computer at the same time?
I have tried using the application server-side state management but it does not work properly.
1) If you are using cookies to track users:
When a user logs in you write a unique GUID to the database and store it in their authentication cookie; then on every page request you check to see if they (the GUIDs) are identical, and if not you log them off.
2) If not using cookies, store the UserName and GUID in the Application Cache and in a user Session variable. Compare the user Session to the Application Cache to see if he is already logged in.
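The per-login key technique that this answer, the first question's answer (a stored session key checked in Application_AuthenticateRequest) and the cookie/key answer all describe, worked through as an added example that is not code from any of the posts. A fresh GUID is issued at login, stored server-side against the user name (overwriting the previous one, which is what ends earlier sessions), and carried inside the encrypted forms ticket; every request compares the two. The static ConcurrentDictionary is a constructed stand-in for the database column or custom membership field the answers mention, and the ?reason= query parameter is an assumption.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Server-side record of the most recent login key per user name.
// Stand-in for a column on the user table; use real persistence on a web farm.
public static class SessionKeyStore
{
    private static readonly ConcurrentDictionary<string, string> Keys =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public static string Issue(string userName)
    {
        string key = Guid.NewGuid().ToString("N");
        Keys[userName] = key;          // overwrite: any earlier login is now stale
        return key;
    }

    public static bool IsCurrent(string userName, string key)
    {
        string current;
        return Keys.TryGetValue(userName, out current) && current == key;
    }

    public static void Revoke(string userName)
    {
        string ignored;
        Keys.TryRemove(userName, out ignored);
    }
}

public static class SingleSessionAuth
{
    // Call after Membership.ValidateUser succeeds, in place of
    // FormsAuthentication.SetAuthCookie / RedirectFromLoginPage.
    public static void SignIn(HttpContext ctx, string userName, bool persistent)
    {
        string key = SessionKeyStore.Issue(userName);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, key, FormsAuthentication.FormsCookiePath);   // key travels in UserData

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);
    }

    // Wire from Global.asax:
    //   void Application_AuthenticateRequest(object s, EventArgs e) { SingleSessionAuth.Validate(Context); }
    public static void Validate(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;                 // anonymous request, nothing to check

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }        // tampered, or encrypted under another machine key

        if (ticket == null || ticket.Expired ||
            !SessionKeyStore.IsCurrent(ticket.Name, ticket.UserData))
        {
            // A newer login exists for this user name (or the ticket is bad): end this one.
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl + "?reason=superseded", true);
        }
    }

    // Explicit logout: revoke the stored key so the ticket cannot be replayed.
    public static void SignOut(HttpContext ctx)
    {
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            SessionKeyStore.Revoke(ctx.User.Identity.Name);
        FormsAuthentication.SignOut();
    }
}
```

Because the key is inside the encrypted, HttpOnly forms ticket rather than a separate plaintext cookie, a visitor cannot read or forge it, and the check runs on every request (including the single redirect page in the first question) without needing session state.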

on session start event

I'm building a web application: some pages will be accessible by non-logged-in users (demo and sign-up pages) and others will only be accessible by logged-in users (the actual application). In the global.asax file, I'm currently handling the session start event by loading some variables from a query that's based on the UserID. What will happen when a non-logged-in user looks at a page? I guess my question is really about how to handle the session start event when it's a logged-in user, when it's not, and when a user logs in. I want a certain number of queries to run only once per session, after the user has logged in.
Thanks.
I would suggest implementing Forms-Based Authentication, instead of handling authentication via session. An example can be obtained from here:
http://support.microsoft.com/kb/301240
Don't confuse "login session" with "session state". Session state has nothing to do with whether the user is logged in.
If you want some queries run when the user logs in, you should run them when the user logs in, not in Session_Start.