Prevent Multiple Login
-
The item is being removed from the Cache after the default 20 minutes? Are you removing it somewhere prior to this? If you are attempting to login during this time period then it is correct. Just personal preference I guess but I would rather use String.IsNullOrEmpty or String.IsNullOrWhiteSpace rather than this
if (sUser == null || sUser==" ")
Less typing and more clear as to what condition you are testing.
No comment
Hello, Yup I set it to default, few question why does if I tried other account it still says that the accout is already login.
-
Hello Experts, I would like to ask if what are some easier ways preventing multiple log in of account to my web application. I tried creating a flag field to my database that check the user if he or she is log in but its not good way because if he/she is not properly log out then the account will be lock and I will need to open his/her account manually. Done a couple of research but still I'm not able to. Here is that code I manage to covert that previously in vb.net not sure though if my code 100% corrent or my conversion of the is ok. The code I managed to find is here http://forums.asp.net/t/1196897.aspx[^] My code in Global.asax
/// <summary>
/// event fire when the user 1st browse the website
/// </summary>
protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
//Response.Write("Fire up");//if session items is not null if (HttpContext.Current.Session != null) { Response.Write("SessionID:" + Session.SessionID.ToString() + "User Key:" +(string)Session\["users"\]); //fires after initial login if (Session\["users"\] != null) { String sKey= (string)Session\["users"\]; string sUser = (String)HttpContext.Current.Cache\[sKey\]; } //remove the cache item if session is over else { foreach (DictionaryEntry dEntry in HttpContext.Current.Cache) { HttpContext.Current.Cache.Remove(dEntry.Key.ToString()); } } } }Below is my code after the user successfully log in
String sKey = Login1.UserName + Login1.Password;
string sUser = Convert.ToString(Cache[sKey]);//no cache item if (sUser == null || sUser==" ") { TimeSpan sesstimeout = new TimeSpan(0, 0, HttpContext.Current.Session.Timeout, 0, 0); HttpContext.Current.Cache.Insert(sKey, sKey, null, DateTime.MaxValue, sesstimeout, System.Web.Caching.CacheItemPriority.NotRemovable,I don't do Web stuff, so I don't know the intricacies of it, but for the few WinForms apps I've written that require login, if the user logs in a second time, I invalidate the earlier login. I expect that's how the user would want it to work.
-
The main question here is: why would you want to do that? In 99% of cases it is a pure annoyance with no functional benefit (as well as being rather difficult to do well because of the nature of HTTP and session management).
Hello, I know its hard and really annoying but still what if the my boss want it that way then I have no choice but to do it or else I will be kicked out. :D Seems I have no choice but no to add it if I can't managed to do it, I guess :(
-
Hello, I know its hard and really annoying but still what if the my boss want it that way then I have no choice but to do it or else I will be kicked out. :D Seems I have no choice but no to add it if I can't managed to do it, I guess :(
akosidandan wrote:
what if the my boss want it that way
So this functionality isn't part of the specifications? Then why do it? Many man-years have been wasted on projects providing functionality that was never requested. If you think it has added benefit to the application then present your idea to your boss. You are worried about being "kicked out" for not doing something that was not requested. I'd be more concerned about being "kicked out" for spending time on functionality not requested.
No comment
-
I don't do Web stuff, so I don't know the intricacies of it, but for the few WinForms apps I've written that require login, if the user logs in a second time, I invalidate the earlier login. I expect that's how the user would want it to work.
Hello, Good idea , but still it would be hard for me to Invalidate the earlier login because I need to force logout the earlier log in. Thanks for the idea I will still try it.
-
Hello, Yup I set it to default, few question why does if I tried other account it still says that the accout is already login.
akosidandan wrote:
if I tried other account it still says that the accout is already login
That part wasn't clear in your question. Have you debugged it? What is in your Cache? Code is stupid, it only does what it is told, unless you tell it to insert the user it won't be there, ergo, you must be adding it to the cache at some point.
No comment
-
akosidandan wrote:
what if the my boss want it that way
So this functionality isn't part of the specifications? Then why do it? Many man-years have been wasted on projects providing functionality that was never requested. If you think it has added benefit to the application then present your idea to your boss. You are worried about being "kicked out" for not doing something that was not requested. I'd be more concerned about being "kicked out" for spending time on functionality not requested.
No comment
Hello, I apologize if I may not understand you but I'm just a newbie asking for some experts advice,recommendation about stuff I'm not able to do. It's a part of my project specification that's why why if possible I want to add that functionality.Since I'm stuck in this part I came to ask in this forum was hoping to get some advice how to it or if lucky an answer.
-
akosidandan wrote:
if I tried other account it still says that the accout is already login
That part wasn't clear in your question. Have you debugged it? What is in your Cache? Code is stupid, it only does what it is told, unless you tell it to insert the user it won't be there, ergo, you must be adding it to the cache at some point.
No comment
Hello, My apology about that, the code was orginally in vb.net in the link of my main post. I just managed and tried converting it myself thats why I dont have 100% idea about to code logic.
"After the code every time I login it always says that the user is already login now" <- it was a follow up question for this.
-
This should probably have been posten in the ASP.NET forum. In any case I suppose you could add a dictionary to which you at add the the user and current session, when a user logs on. You remove it when the session times out or the user logs off. Then if an already logged in user, user logs on from another session you have 3 options as I see it: 1) Don't allow the user to logon. 2) Allow the user to logon and then logoff the same user on the other session. 3) let the user choose between 1) and 2)
Hello, My apology for miss placing question. About the idea I will try what you have given. Thanks.
-
Hello, I know its hard and really annoying but still what if the my boss want it that way then I have no choice but to do it or else I will be kicked out. :D Seems I have no choice but no to add it if I can't managed to do it, I guess :(
Well, your first approach should be to make sure your boss realises it's a dumb requirement (though I wouldn't necessarily put it in those words), and if it comes from a client, get your boss to have the same discussion with the person who put it in the specification. By far the best solution here is if you can persuade the customer that they don't actually want this 'feature' at all. Even if you're a newbie or new to the company, don't be intimidated out of at least raising the point. If you try that and you really can't get it removed, the logic goes something like this (in the login attempt script, once authorisation has been checked and you are about to log in) – pseudocode only, if that wasn't obvious:
string sid = DBQuery("select lastsessionid from user where userid=(ID)", userid);
Session session = GetSession(sid);
if(IsValidSession(session)){
// Already a non-expired session for this user
// Close the other session
session.Logout();
}
thisSession["user"] = userData; // or however you record that this is a logged in session// record this as the current session for the user
DBQuery("update user set lastsessionid=(sessID) where userid=(ID)", thisSession.ID, userid);I think it's better to kill any previous sessions rather than reject the login, otherwise it's way too easy to lock yourself out for the session expiry timeout (turn off machine at work without pressing 'Logout' link and go home/to lunch/etc) or, if there is some AJAX that keeps the session alive indefinitely, permanently. I haven't tried to do this with ASP.net so I'm not sure how easy it is to get hold of session objects for sessions other than the one you're currently in. You need to be able to do that because otherwise you won't be able to tell when a previous session has expired. session.Logout is a placeholder for clearing whatever you put into the session on login (so the next page load in that session is as a guest). Again, with ASP.net's role management that might be more tricky than it should be.