Prevent Multiple Logins

Is there a way to prevent a user from logging in from two devices simultaneously?

For example, a user opens up Safari on one computer and logs into the web app. Then, he opens up Safari on another computer or opens up another browser and logs in again.

I know I could do it by recording when they log in and then when they click a Logout button, but I’m not sure how I would handle it if the user simply closes their browser and fails to click a logout button. I don’t want a bunch of users immediately locked out because they closed their browser and didn’t click a logout button.

Has anyone ever done something like this?

If you are saving their user information in the Session object, you could iterate the other sessions when they attempt to log in and see if there is another session with their info in it.

It’s not ideal, and if they quit their browser and reopen and log in right away, the old session will probably still be there. I’m not sure what the official timeout for a session is, but that should solve your problem.

I think that would work. I can investigate the timeout. How would you cycle through the sessions?

WebApplication.SessionAtIndex can be used to cycle through the sessions.

Oh, you know what I didn’t think of: I have a load-balanced app with four instances. I bet cycling through WebApplication.SessionAtIndex would only cycle through the current instance, wouldn’t it?

Correct. You can’t assume one instance knows about all of your sessions; it won’t.

You’d need to write active sessions to a central location (like a DB table) that all instances can use. Probably in your session open/close events or similar. That way, whatever the reason the session closes (timeout or otherwise), they are free to make another one.

Hey Travis! Good to hear from you!

That’s what I figured. Do you know if there is a default session timeout? My concern is balancing the prevention of simultaneous logins with forcing a user to wait 20 minutes to be able to log back in if he just accidentally closed his browser.

If you aren’t using the interactive Session.Timeout property, then you probably want to work with the WebApplication.SessionTimeout, which defaults to 10 minutes. But you can explore with both to figure out what’s best for you…
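The central session table and timeout discussed in this thread, sketched as an added example that is not part of the original posts and is not Xojo code. It is written in Python with SQLite standing in for the shared database; the table, column and function names are assumptions, and the 600-second value mirrors the 10-minute default mentioned above.

```python
import sqlite3

SESSION_TIMEOUT = 600  # seconds; assumed to match the 10-minute default above

def open_store(path=":memory:"):
    # SQLite stands in for the central database that every instance shares.
    conn = sqlite3.connect(path, isolation_level=None)  # explicit transactions
    conn.execute(
        "CREATE TABLE IF NOT EXISTS active_sessions ("
        " user_id TEXT PRIMARY KEY,"  # one row per user = one live session
        " session_id TEXT NOT NULL,"
        " last_seen REAL NOT NULL)"
    )
    return conn

def try_login(conn, user_id, session_id, now, timeout=SESSION_TIMEOUT):
    """Claim the user's single slot; False if another live session holds it."""
    conn.execute("BEGIN IMMEDIATE")  # serialise against the other instances
    try:
        # A row not refreshed within the timeout belongs to a closed browser.
        conn.execute(
            "DELETE FROM active_sessions WHERE user_id = ? AND last_seen < ?",
            (user_id, now - timeout),
        )
        try:
            conn.execute(
                "INSERT INTO active_sessions VALUES (?, ?, ?)",
                (user_id, session_id, now),
            )
            claimed = True
        except sqlite3.IntegrityError:
            claimed = False  # PRIMARY KEY hit: a live session already exists
        conn.execute("COMMIT")
        return claimed
    except Exception:
        conn.execute("ROLLBACK")
        raise

def heartbeat(conn, user_id, session_id, now):
    """Refresh last_seen on each request; False means the slot was lost."""
    cur = conn.execute(
        "UPDATE active_sessions SET last_seen = ?"
        " WHERE user_id = ? AND session_id = ?",
        (now, user_id, session_id),
    )
    return cur.rowcount == 1

def logout(conn, user_id, session_id):
    # Called from the logout button or the session-close event.
    conn.execute(
        "DELETE FROM active_sessions WHERE user_id = ? AND session_id = ?",
        (user_id, session_id),
    )
```

The primary key on `user_id` is what enforces the single session, so two instances racing on the same login cannot both succeed. The timeout sets how long a user who closed the browser without logging out must wait before logging in again.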