Single Instance Login Implementation

I am facing a serious problem in my project (a web application built in ASP.NET 2.0) explained below.

Let say I have given userid “singh_nirajan” and A user say “User1” logged into the system using this userid. Now my requirement is whenever other user let say User “User2” try to log in to the system using same (singh_nirajan) userid, it will show a message that “singh_nirajan already logged in”.

In order to implement the same, I just update a flag in database. Similarly, we update the flag in database whenever user logout properly. And we have also handled few scenarios when user will not properly log out as follows.

1. Browser close by clicking (X) close
2. Session Timeout
3. On Error

But somehow user gets logged out abruptly because of network failure, power failure or any such reason. I am not able to update the flag in database that is why user is not able to log in using same userid until and unless we update that flag manually.

Reason for above implementation:

Sometime a user open multiple browser 开发者_Go百科and started heavy processing task in different browser, many of times they share their user id and password which sometime invite concurrency problem. In order to restrict this, we need to implement the single instance login.

Can any one suggest me any other approach to implement the above.

Thanks in advance.

---

Browsers are inherently disconnected systems (to all intents and purposes). You cannot rely on getting any notification (from the client) for the end of a user's browser session.

Personally (as a user) I would find this single-login behaviour annoying as I regularly the the same website on different computers (laptop vs desktop vs home vs work vs vm host vs vm guest) or simply multiple browsers on the same machine (in particular browser-compatibility testing), but I accept that it may be a requirement.

IMO, if you have a "single session" requirement the better approach to this is "last wins" - i.e. if you login the second session you doom the first (essentially breaking their token) - so the first session becomes logged off. That is easy to do (in the database, just change a guid or increment a counter (against the specific user) at login). If needed you could log the IP (or whatever) of the second session against the one you are dooming, but if the second session can authenticate itself as "singh_nirajan" then that should be enough in most common scenarios.

---

When saving the logged in flag, set a lastlogindatetime field.

In the login method, have logic that looks at both the bit and the date time stamp to decide if this is an old session that never got closed correctly.

---

The trick here is determining that the communication is coming from the same machine. In windows app, you'd pass the workstation name to your db. Two login requests from the same workstation would be allowed; two from different workstations would be denied. However, on the web there is no simple means to do this. You might try using the IP if your company does not use DHCP or everyone has an IP reservation. If doing the app in WinForms isn't an option, then you might try using a small click-once app to pass the workstation name to the db. Back in the old days, people would solve this issue on an Intranet app by mandating IE and using an ActiveX control. Mercifully, we've moved beyond that but it did solve this type of problem.