Prevent username to be have two conc. session

Hello Folks.

I have read a number of articles but I would like to the experts at this place to give me  a second opinion.

I have two requirements on my web application(build

1. User should be billed based on the total time he or she has been logged in (could this be solved with Session_End?,
which doesnt work with StateServer and SQL Server Sessions:-( )

2. Prevent multiple users of an ASP.NET application from using the same credentials to log in at the same time from different machines.

How could the two requirements be meet, to use session_start and session_end would maybe a easy way to meassure how long time the user is logged in but how to pevent the second requirement I have no idea about.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You can keep a list with the credentials of already logged in users and when somebody tries to login with particular credentials just to check if they are on the list.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
On client login, remember its IP address, session_id and the current_time.

On the subsequent client access, to the pages of your website, check its IP
and the session_id for granting him/her the access to those pages.

On client logout, subtract the current time with the time stored in client login.
Also remember to set the session timeout to some reasonable value
if the client disconnects without logging out from your site.

It would be the best approach to always keep the information of the
time when the client last accessed any of your pages, in the case of
session timeout, you would just use the last access time.

Of course, you don't need to do it like this if your clients don't care
about logging out, as long as they will pay for that extra time before
the session timeout triggers ;)
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

holtisAuthor Commented:
Thanks so far for all your answers. Couldnt it be a bit tricky to use IP check as part the solution?  At my office we access intern thru a proxy server and I have noticed that all employees uses the same address when accessing the websites.
As I've written above I think that only the username is enough since I suppose all usernames are unique. Just keep a list with the usernames with already logged in users and check in it on every new try for login.
Of course on log of or timeout you have to remove the corresponding username from this list.
holtis, it's not tricky at all, you can find out the IP address of the client
simply by looking in the HTTP request header, if you don't have any other
solutions, that always works.

Also, most of web sites today implement such a security measure, to avoid
double logins. If you only check for a logged in username, as suggested
from WelkinMaze, you wont be able to accomplish your 2nd goal:

"2. Prevent multiple users of an ASP.NET application from using the same credentials to log in at the same time from different machines."

Now, you see, username is not enough, because you need to distinguish
the difference of the locations, thus, you need to know their ip address.
This is really not so hard as you may think it is. Just keep the pairs of
username-IP in the session and you shouldn't have problems with double

Tip: You can, however, store some additional fields from the HTTP
request header in the session, along with username-IP pair, because
it is highly improbable that client will change the configuration of his
browser/screen resolution/etc. while browsing your web site.
One field you could additionally store in a session would be "User-Agent"
because it is unlikely that user will change its browser while browsing ;)
When dealing with proxies, you can check for the X-FORWARDED-FOR
request header field along with the IP of the proxy.

The point is, you wont allow the SAME user to be logged in from a
different places. It is ok to have MORE different users logged in from
the same ip address. Got it? :)
HI nepostojeci_email,
1) Why do you think that my way does not prevent two simultaneous logins from different machines?? It does prevent such logins. When your username is already on the list with the logged ones there is not any difference which machine are you trying to log in from again - it simply won't happen since the username is already on the list with logged in names.
2) How you will differentiate between ten users with the same IP on the net - this is a common situation.

I really don't see the benefit of the IP here.
I don't intend to argue about the solutions. Every solution has its pros and cons.
I've just mentioned why I believe the username is not enough alone.

For 1) it is obvious if the user accidentaly closes its browser or clears the cookies
or anything similar, he wont be able even to logout from his account before the
session timeout expires. Not to mention if the user has turned off the cookies.
Or if I'm wrong, can you please explain the way how you plan to check for the
double logins?

for 2) read my previous post
"The point is, you wont allow the SAME user to be logged in from a
different places. It is ok to have MORE different users logged in from
the same ip address. Got it? :)"
holtisAuthor Commented:
Hi folks,

This url offers a possible solution to my problem, the problem here is the that I cant use the Session_End which I want to use in order to track how long the use is online.

Best regards

Got it (sorry I haven't seen your previous post, it has to appear while I have been writing).
But I do not agree.
Can you explain me the advantage of your approach if the user accidentaly closes its browser? Imagine we have ten users with the same IP. How would you recognize if this is the same user that accidentaly closes his browser when a new attempt for login arrives from the same IP (which is mapped to ten users) and with the same username? I don't see the way.
If you don't see such way either then really I don't see what is the benefit from the IP. Your way will do the same work as mine but with a little more work.
through the user-agent, session_id and some other fields in the session
that describe a single logged-in user, read my previous posts.

holtis, why can't you use Session_End ?
Can you use session at all?
Still do not see where is the benefit of the IP here? In my way the same things like session_id and so on could be used.
Your previous posts does not provide any benefit until your answer what is the benefit of the IP in the case that I have described above. And probably I can't see it because there is no benefit in this case. And if there is not a banefir in a particular case it removes the benefit entirely.
But whatever, try to help holtis with the other issue, I'm out of this thread.
WelkinMaze, it is obvious you haven't made any such system, so you speak like that..
Look at some solutions implemented on the internet and you will see the mostly used
solution handles IP addresses along with username/pass with or without cookies.
It's been used to prevent the session hijacking, which cannot be evaded. All those
measures have been taken to lower the possibility of the session hijacking.

The only valid thing, I can think of, holtis can use, is SSL. With ssl he won't have
such problems, but ssl implementation is not that easy. So, my final is "IP is not
necessairy but it lowers the probability of session hijacking", and that's why I
proposed it. With the username check only, you wont solve holtis' problem.

Anyway, WelkinMaze, you still didn't explain how would you solve these problems,
but you keep spending your time to argue about this solution? Why?
Nope, nepostojeci_email, you're the one that first mentioned me here. Remember?
And you're done that still do not answer my question - please, look above and please, do not reverse the things.
You're the one that starts something without explaining it. I don't say my solution is perfect (I know it is not) but it highly depends ont the particular needs of the akser. I said that the IP does not add any substantial value here (After your started the discussion with me). You still have not proven your statement at all.
And for your private information, I am working in a software company with 500 people developing web applications, so maybe I know what you're talking about. But this does not mean that you're right. You just repeat something without proving it. And as I have mentioned before the reason for that is that it cannot be proven. An IP address + username has no more value than just the username in the case when the IP address is used by ten users simultaneously.
Anyway, not much use in writing. Sorry if I've hurt your feelings. Nothing personal. :)
Try to help holtis for the other issue, I'm not familiar with ASP.NET.
It is obvious that you're not familiar not only with ASP but with this subject at all :)

I've already explained why it is important to track the IP address along with other
fields like User-Agent (which were mentioned by me, not you), and if you just hate
to read then it is not my problem, really. Not everybody use the proxy, and, as I said,
it is a measure of precaution. More precautions, more security. Do you got it now?

Anyway you're not the one who grants the points, so you don't need to get the
explanation, however if mr. holtis asks for such I'll very explain it to him.

For now, let's not argue any more, since you didn't answer me how did you
implement the security check to not allow the session hijack? ok?
Yes. There is nothing more to say to you. There is absolutely no use.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.