Idea needed - how to prevent multiple logins to our site?

This is Web Forms, C# (Not MVC)

We have our website with Forms authentication. A client of the company ran a security scan on our site and said this is a security risk that needs to be fixed:

1. User opens the browser, types in username/password and logs in
2. User can now open another tab and log in again
3. User can open another browser session and log in

So, the site is allowing multiple logins and we've been asked to fix this.

I had this idea: when a user logs in, we set a flag in the database. If the user opens another tab or another browser session to log in again, we can check that flag and prevent a double login.

But what if user X's out and doesn't click on the "log out" button?

Any ideas on how to go about this?

Dr. Klahn (Principal Software Engineer) commented:
Put a cookie on the system.  You probably do this already.  Make it a ten-minute cookie.

When a user authenticates, check to see if the cookie is there and whether it has expired.  If the cookie is there, state "You're already logged in.  Please return to the original session, or wait 10 minutes and try again."

During a session, periodically update the cookie to bump the time up another ten minutes.

When a user detaches, remove the cookie.

The downsides are:
  • This does not prevent multiple logins from multiple systems.
  • If the user's system crashes, they cannot log in for ten minutes.
  • If the user walks away from the system for ten minutes, they have to log in again.  Not necessarily a disadvantage, as far as security.
Camillia (Author) commented:
This is a good idea. Thanks
Wayne Barron (Author, Web Developer) commented:
I agree with the cookie.
Do the following.

Log the user's username and IP address.
If the user logs in with another browser tab or window, you then want to check if the user has logged in with the username and IP address from the cookie.
If the cookie exists, then show a warning:

You are currently logged in with another session, please close out of that session before logging in again.

This is what I use.

Camillia (Author) commented:
Thanks, Wayne. Good idea.
I would rather utilize the ASP.NET Cache for such, rather than the database. When a user logs in add a User tag to the cache and prevent user login if a tag is already present.

This will prevent multiple logins, but since it is impossible to always perform a graceful logout, a couple of things need to happen additionally:

1- Set a short expiration on the cached tag (say 90 secs or something configurable).
2- Use Keepalive calls (Ajax or some other mechanism) to keep the cached item alive as long as the window remains open on the client end.

The first one will automatically logout a user after a certain time in the case of an ungraceful logout. The second one will prevent premature logouts.

The one pitfall you'll have to live with is users being unable to log in for some time after, say, they close the browser window.

Adding this after looking at other comments.

Cookies won't work across browsers and devices. What if I open a tab on Android? What if I clear all cookies? What about the private browsing (InPrivate) mode offered by all browsers?

Camillia (Author) commented:
"The one pitfall you'll have to live with is users being unable to log in for some time after, say, they close the browser window."

Why is that?

Do the 2 other solutions use database caching?
Let's say you close the browser: the user tag will expire in 90 seconds (at most), and during that time you won't be able to log in. You may reduce the expiration to, say, 60 secs at the cost of increased keepalive traffic.

Cookies are not a solution IMO.
Camillia (Author) commented:
Let me read and understand. Thanks
What about automatically logging the user out of any previous session instead of preventing a new log in?
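The cache-tag approach from the earlier comment (short sliding expiration plus a keepalive) and this "kick the previous session" variant both reduce to one server-side registry keyed by username. The following is an added example, not code from anyone in the thread; `SingleSessionRegistry`, the 90-second lifetime and the `login-tag:` key prefix are assumptions, and because `HttpRuntime.Cache` is per worker process the registry would have to move to a shared store in a web garden or farm.

```csharp
using System;
using System.Web;
using System.Web.Caching;

// Hypothetical helper: one live "login tag" per user in the ASP.NET Cache,
// refreshed by keepalives and released on a graceful logout.
public static class SingleSessionRegistry
{
    // Tag lifetime; the Ajax keepalive interval must be comfortably shorter.
    private static readonly TimeSpan TagLifetime = TimeSpan.FromSeconds(90);

    private static string Key(string userName)
    {
        return "login-tag:" + userName.ToLowerInvariant();
    }

    // "Prevent the second login": records the session unless a live tag exists.
    // Cache.Add is atomic and returns the existing item when the key is already
    // taken, so two near-simultaneous logins cannot both succeed.
    public static bool TryRegister(string userName, string sessionToken)
    {
        object existing = HttpRuntime.Cache.Add(Key(userName), sessionToken, null,
            Cache.NoAbsoluteExpiration, TagLifetime, CacheItemPriority.NotRemovable, null);
        return existing == null;
    }

    // "Log out the previous session": always take the tag; the older session
    // then fails IsCurrent on its next request and can be signed out there.
    public static void Takeover(string userName, string sessionToken)
    {
        HttpRuntime.Cache.Insert(Key(userName), sessionToken, null,
            Cache.NoAbsoluteExpiration, TagLifetime);
    }

    // True only while this session still owns the tag. Re-inserting renews the
    // sliding expiration, so calling this from the keepalive is sufficient.
    public static bool IsCurrent(string userName, string sessionToken)
    {
        string owner = HttpRuntime.Cache[Key(userName)] as string;
        if (owner == null || owner != sessionToken) return false;
        Takeover(userName, sessionToken); // same owner; only extends the lifetime
        return true;
    }

    // Graceful logout: free the tag now instead of waiting for it to expire.
    public static void Release(string userName)
    {
        HttpRuntime.Cache.Remove(Key(userName));
    }
}
```

On login, generate an unguessable token (for example `Guid.NewGuid().ToString("N")`), keep it in `Session`, and call either `TryRegister` or `Takeover` before `FormsAuthentication.RedirectFromLoginPage`; the keepalive handler and any authenticated page call `IsCurrent` and respond with `FormsAuthentication.SignOut()` when it returns false.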
Camillia (Author) commented:
Louisfr.... that's a good one too. So with that...we still need to know if user is already logged in, correct?