Thursday, March 3, 2011

Ensuring only one user login using ASP.Net Membership Provider

How would you ensure that only one user is logged in per account at a time?

Assuming cookies are persistent.

From stackoverflow
  • Typically the best way is to implement a customization on the provider that checks for last login, as well as adding methods to your code to keep track of user action.

    The key is that you must know at what point the user last did something OR logged out. From there you can determine if the account is actually ready. If you set up the tracking for these elements in code, you can then modify the membership provider to check to ensure that the account can login.

  • Conceptually you have to decide how you want to respond. If you have User A logged in and then User B attempts to login (using the same credentials) do you:

    1. Kick User A out

    or

    2. Not allow a login from User B

    (2) is problematic because you need to reliably know that User A has logged out to determine whether to log in User B. User A could be just looking at a page on your site for a while, so doing it via time might not be the best. Maybe some sort of AJAX watchdog that pings your website every 30 seconds.

    (1) also requires some work. When a user logs in, you would want to store their cookie value (probably in the database) and add it to a list of issued cookies for this user. That way only the last cookie issued (last login) would be accepted. If you see one of the earlier cookies, then you would log that person out.
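
A sketch of option (1), "last login wins", added here as an example; it is not code from the original answers. `SingleSessionStore` and its members are hypothetical names, the in-memory dictionary stands in for the database, and only the latest token per user is kept (as a hash), which is enough to reject every earlier cookie.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example: SingleSessionStore is a hypothetical helper, not an ASP.NET Membership API.
// The in-memory dictionary stands in for a column on the user's database row.
public sealed class SingleSessionStore
{
    // userName -> SHA-256 of the only session token currently accepted for that account
    private readonly ConcurrentDictionary<string, byte[]> _current =
        new ConcurrentDictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase);

    // Call once credentials are validated; put the returned token in the auth cookie.
    public string IssueToken(string userName)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _current[userName] = Hash(token); // replaces the token from any earlier login
        return token;
    }

    // Call on every authenticated request; false means sign this caller out.
    public bool IsCurrent(string userName, string presentedToken)
    {
        byte[] expected;
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(presentedToken)
            || !_current.TryGetValue(userName, out expected))
            return false;
        byte[] actual = Hash(presentedToken);
        int diff = 0; // compare without an early exit on the first differing byte
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    private static byte[] Hash(string token)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(token));
    }

    public static void Main()
    {
        var store = new SingleSessionStore();
        string first = store.IssueToken("alice");  // User A logs in
        string second = store.IssueToken("alice"); // User B logs in with the same credentials
        Console.WriteLine("first cookie accepted: " + store.IsCurrent("alice", first));
        Console.WriteLine("second cookie accepted: " + store.IsCurrent("alice", second));
    }
}
```

With Forms Authentication, one place to carry the token is `FormsAuthenticationTicket.UserData`, with the `IsCurrent` check made in `Application_AuthenticateRequest`; storing only a hash means a leaked table does not yield usable session tokens.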
