I need to prevent a user from logging in to the system (asp-net mvc) on different machines.
The system is on the intranet and currently there is an Access table with date and time of access of the user and another column Logged in (S/N).
How can I implement this control?
I believe that generating a token, as António Campos said, would be the best way. I did some Google searches such as "generate token with ASP.NET MVC", but I was a little confused, because the explanations I found are always about generating a token to authenticate to a Web API, and the system I work on does not access a Web API: it accesses the database.
Can’t you, for example, delete the date/time of access when logging in? Then, if you try to log in and this field already has a value, you will know that the user is already logged in.
– Ricardo Pontual
@Ricardo Pontual I forgot to mention that the user can close the browser without clicking the logoff button, so I have no way to delete the date as you said.
– hard123
But this can happen on any site; it's not something you have control over, not even with events. You can handle this with an activity control: if the user stays too long without interacting with the backend, you can kill their session, which is what banks do.
– Ricardo Pontual
I worked in a bank where there were web applications on the intranet where the user could only log into the system on one machine at a time and not simultaneously, but I don’t know what the procedure was.
– hard123
@adianojc, it also depends on how you want to do this control... When you are already logged in, must you block a new login on another machine? (easier) Or will you drop the old session? (harder to control)
– Leandro Angelo
@Leandro Angelo that! Block a new login on another machine.
– hard123
Add your login code
– Leandro Angelo
Add a token that you generate on login and validate on each request. If, during validation, the token is different from the one in the database, it means that you have logged in elsewhere, and you invalidate or log out the session that has the invalid token.
– António Campos
You can check by IP, or else make a session token, as stated above.
– Paulo Victor
@António Campos I edited the post to make my question clearer. As you can see, I found the token generation interesting, but as I said, the explanations I find are aimed at Web API, and the system I work on does not access a Web API but an Oracle database directly.
– hard123
@hard123 When I suggested using a token I was suggesting the following:
1 - Create a Token field in the table where you authenticate the user.
2 - When you authenticate the user, change that Token to a new Guid().
3 - Store that Guid in a cookie (for example).
4 - When you validate each request, check whether the Token that came from the cookie is the same as the one in the table. If it is, the request is accepted; if it is not, it is because the user has logged in somewhere else, so he is no longer logged in here and you ask him to log in (or follow whatever procedure you have for logout).
– António Campos
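
The four steps António Campos lists above, as an added example that is not part of the original thread. Assumptions: the in-memory dictionary stands in for the Token column of the user table, the class and method names are hypothetical, and a 32-byte random value is used in place of the Guid so the cookie value is not guessable. With this scheme the newest login wins and the older session is rejected on its next request.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical stand-in for the Token column in the user table.
class SessionTokenStore
{
    private readonly Dictionary<string, byte[]> _tokenByUser = new Dictionary<string, byte[]>();
    private readonly object _lock = new object();

    // Step 2: call after the password check succeeds. Rotates the stored token and
    // returns the value to place in an HttpOnly, Secure cookie (step 3).
    public string IssueOnLogin(string userName)
    {
        var token = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(token); }
        lock (_lock) { _tokenByUser[userName] = token; }
        return Convert.ToBase64String(token);
    }

    // Step 4: call on every request, for example from a global authorization filter.
    public bool IsCurrent(string userName, string cookieValue)
    {
        byte[] stored, presented;
        lock (_lock) { if (!_tokenByUser.TryGetValue(userName, out stored)) return false; }
        try { presented = Convert.FromBase64String(cookieValue ?? ""); }
        catch (FormatException) { return false; }   // tampered or truncated cookie
        if (presented.Length != stored.Length) return false;
        int diff = 0;                               // constant-time comparison
        for (int i = 0; i < stored.Length; i++) diff |= stored[i] ^ presented[i];
        return diff == 0;
    }

    // Explicit logoff: no cookie is valid for this user afterwards.
    public void ClearOnLogout(string userName) { lock (_lock) { _tokenByUser.Remove(userName); } }
}

static class Demo
{
    static void Main()
    {
        var store = new SessionTokenStore();
        string cookieA = store.IssueOnLogin("alice");          // login on machine A
        Console.WriteLine(store.IsCurrent("alice", cookieA));  // A is the current session
        string cookieB = store.IssueOnLogin("alice");          // login on machine B rotates the token
        Console.WriteLine(store.IsCurrent("alice", cookieA));  // A's cookie no longer matches
        Console.WriteLine(store.IsCurrent("alice", cookieB));  // B is the current session
        store.ClearOnLogout("alice");
        Console.WriteLine(store.IsCurrent("alice", cookieB));  // nothing is valid after logoff
    }
}
```

Because the token is rotated at login rather than cleared at logoff, a user who closes the browser without logging off is not locked out: the next login simply replaces the stale token.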