Avoid simultaneous user access


Viewed 418 times

1

I need to prevent the user from logging in to the system (ASP.NET MVC) on different machines.
The system is on the intranet, and currently there is an Access table with the date and time of the user's access and another column, Logged in (S/N). How can I implement this control?

I believe that generating a token, as Antonio Campos said, would be the best way. I did some Google searches such as "generate token with ASP.NET MVC", but I was a little confused, because the explanations I found are always about generating a token to authenticate to a Web API, and the system I work on does not access a Web API: it accesses a database.

  • Can't you, for example, delete the date/time of access when logging in? Then, if you try to log in and this field already has a value, you will know that the user is already logged in.

  • @Ricardo Punctual I forgot to mention that the user can close the browser without clicking the logoff button, so I have no way to delete the date as you said.

  • But this can happen on any site; it's not something you have control over, not even with events. You can handle this with an activity control: if the user stays too long without interacting with the backend, you can kill their session, which is what banks do.

  • I worked in a bank where there were web applications on the intranet where the user could only log into the system on one machine at a time and not simultaneously, but I don’t know what the procedure was.

  • @adianojc, it also depends on how you want to do this control... When the user is already logged in, must you block a new login on another machine (easier)? Or will you drop the old session (harder to control)?

  • @Leandro Angelo That! Block a new login on another machine.

  • Add your login code

  • 3

    Add a token that you generate on login and validate on each request. If, during validation, the token differs from the one in the database, it means the user has logged in elsewhere, and you invalidate or log out the session that has the invalid token.

  • 1

    You can check by IP, or else create a session token, as stated above.

  • @Antonio Campos I edited the post to make my question clearer. As you can see, I found the token generation interesting, but as I said, the explanations I find are aimed at Web API, and the system I work on does not access a Web API but directly an Oracle database.

  • @hard123 When I suggested using a token, I was suggesting the following: 1 - Create a Token field in the table where you authenticate the user. 2 - When you authenticate the user, change that Token to a new Guid(). 3 - Store that Guid in a cookie (for example). 4 - When you validate each request, check whether the Token that came from the cookie is the same as the one in the table. If it is, the request is accepted; if it is not, it is because the user has logged in somewhere else, so they are no longer logged in here and are asked to log in (or whatever procedure you have for logout).


1 answer

2


Knowing if the user is logged in and inhibiting a second login depends a lot on how the user behaves in your application.

If your system uses sessions, you can use the user's session identifier to inhibit the start of a second session, but remember that if you do not have an ongoing process to validate that session, the user may already have left the page and the session will still be considered active until it expires.

You can adopt a short session with a renewal process (remember that the cost of this operation should be analyzed).

If your problem is to keep only one session open, you can keep access only for the last session: via the session identifier, record the new one and remove access from the previous one.

If it is via token, you can revoke the validity of the first token and keep the second.

Depending on the focus of your product, you can also use sockets to really understand when the user is actually active and still have direct real-time communication. Remember that the cost should be analyzed.
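
The token check described in the comments, combined with the short renewed session the answer suggests for users who close the browser without logging off, as an added C# example that is not part of the original posts. The class and member names are hypothetical, and an in-memory dictionary stands in for the Token column (plus an assumed LastSeen column) of the user table; it implements the "block the new login" policy the asker chose.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper: in-memory stand-in for the user table (Token + LastSeen columns).
// The lock plays the role of a database transaction around the check-and-update.
public class SingleSessionGuard
{
    private class Row { public string Token; public DateTime LastSeen; }
    private readonly Dictionary<string, Row> _rows = new Dictionary<string, Row>();
    private readonly TimeSpan _idleLimit;
    public SingleSessionGuard(TimeSpan idleLimit) { _idleLimit = idleLimit; }

    // Call after the password check. Returns the cookie token, or null when
    // another session is still live (the "block the new login" policy).
    public string TryLogin(string user, DateTime now)
    {
        lock (_rows)
        {
            Row row;
            if (_rows.TryGetValue(user, out row) && now - row.LastSeen < _idleLimit)
                return null;
            var bytes = new byte[32]; // unpredictable value, not derived from user data
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
            _rows[user] = new Row { Token = Convert.ToBase64String(bytes), LastSeen = now };
            return _rows[user].Token;
        }
    }

    // Call on every request with the cookie value; success renews the idle window.
    public bool Validate(string user, string cookieToken, DateTime now)
    {
        lock (_rows)
        {
            Row row;
            if (cookieToken == null || !_rows.TryGetValue(user, out row)) return false;
            if (now - row.LastSeen >= _idleLimit || row.Token != cookieToken) return false;
            row.LastSeen = now;
            return true;
        }
    }

    // Logoff button: only the holder of the current token may free the slot.
    public void Logout(string user, string cookieToken, DateTime now)
    {
        lock (_rows) { if (Validate(user, cookieToken, now)) _rows.Remove(user); }
    }
}
```

A user who closes the browser without logging off is locked out of other machines only until the idle limit passes, after which `TryLogin` issues a fresh token and the old cookie stops validating. Against a real database, the check and the update in `TryLogin` need to run as one atomic statement or transaction so that two simultaneous logins cannot both succeed.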
