Single sign-in implementation

I had a serious problem in my project (a web application built in ASP.NET 2.0), which is described below.

Say I have issued the user ID "singh_nirajan", and a user, say "User1", has logged in using this user ID. Now my requirement is that whenever another user, say "User2", tries to log in using the same user ID (singh_nirajan), they should be shown the message "singh_nirajan is already logged in."

To implement this, I just update a flag in the database. Similarly, we update the flag in the database every time a user logs off the system properly. We have also considered several scenarios in which the user does not log out correctly, as follows:

  • Closing the browser by pressing the (X) close button
  • Session timeout
  • On error

But if the user is suddenly disconnected due to a network failure, power failure, or any such reason, I cannot update the flag in the database, so the user cannot log in using the same user ID until we manually update this flag.

Reason for the implementation above:

Users sometimes open several browsers and launch a heavy processing task in each of them, and in many cases they share their user ID and password, which may someday invite a concurrency problem. To limit this, we need to implement a single login instance.

Can anyone suggest any other approach to implementing the above?

Thanks in advance.

+4
3 answers

Browsers are inherently disconnected systems (to all intents and purposes). You cannot count on receiving a notification (from the client) at the end of a user's browser session.

Personally (as a user), I would find this single-login behavior annoying, since I am regularly on the same site on different computers (laptop vs desktop, home vs work, VM host vs VM guest) or just in multiple browsers on the same machine (in particular, when testing browser compatibility), but I agree that it may be necessary.

IMO, if you have a “one-session” requirement, the best approach is “last one wins”: that is, if you log in with a second session, you doom the first (in effect, breaking its token), so the first session is kicked out of the system. This is easy to do: in the database, just change a pointer or increment a counter (against the specific user) at login. If necessary, you can log the IP (or something else) of the second session against the one you doom, but if the second session can authenticate as "singh_nirajan", then this should be enough in most common scenarios.

+2
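The "last one wins" approach described in the answer above, as an added example that is not part of the original thread. Python with an in-memory SQLite database stands in for the ASP.NET application's database; the table, column and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical schema and helper names; SQLite stands in for the real database.
def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY,"
               " session_gen INTEGER NOT NULL DEFAULT 0, token_hash TEXT)")
    db.execute("CREATE TABLE takeover_log (user_id TEXT, old_gen INTEGER, new_ip TEXT)")
    db.execute("INSERT INTO users (user_id) VALUES ('singh_nirajan')")  # constructed sample row
    return db

def login(db, user_id, client_ip):
    """Call only after the password check succeeded. Returns the new session token."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    with db:  # one transaction: bump the counter and swap the pointer together
        row = db.execute("SELECT session_gen, token_hash FROM users WHERE user_id = ?",
                         (user_id,)).fetchone()
        if row is None:
            raise KeyError(user_id)
        if row[1] is not None:  # an earlier session is being superseded: record by whom
            db.execute("INSERT INTO takeover_log VALUES (?, ?, ?)",
                       (user_id, row[0], client_ip))
        db.execute("UPDATE users SET session_gen = session_gen + 1, token_hash = ?"
                   " WHERE user_id = ?", (digest, user_id))
    return token

def is_current(db, user_id, token):
    """Run on every request; False means the session was superseded or logged out."""
    row = db.execute("SELECT token_hash FROM users WHERE user_id = ?",
                     (user_id,)).fetchone()
    if row is None or row[0] is None:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(digest, row[0])

def logout(db, user_id, token):
    """Clear the pointer only if the caller still owns the current session."""
    if is_current(db, user_id, token):
        with db:
            db.execute("UPDATE users SET token_hash = NULL WHERE user_id = ?", (user_id,))
```

Because a new login simply replaces the pointer, a session lost to a crash or power failure never blocks the account, and a stale token cannot log out the session that replaced it.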

When saving the logged-in flag, also set a lastlogindatetime field.

In the login method, have logic that looks at both the bit and the date/timestamp to decide whether this is an old session that never closed correctly.

0

The trick here is to determine that the connection is from the same machine. In a Windows application, you would pass the name of the workstation to your db. Two login requests from one workstation are allowed; two from different workstations will be rejected. However, there is no easy way to do this on the web. You can try using the IP address if your company does not use DHCP, or if everyone has an IP address reservation. If a WinForms application is not an option, you can try using a small one-click application to pass the name of the workstation to the db. Back in the old days, people solved this problem in intranet applications by mandating IE and using an ActiveX control. Fortunately, we have moved beyond this, but it did solve this type of problem.

0

Source: https://habr.com/ru/post/1303087/

