• Status: Solved
  • Priority: Medium
  • Security: Private
  • Views: 39

Idea needed - how to prevent multiple logins to our site?

This is Web Forms, C# (Not MVC)

We have our website with Forms authentication. A client of the company ran a security scan on our site and said this is a security risk that needs to be fixed:

1. User opens the browser, types in username/password and logs in
2. User can now open another tab and log in again
3. User can open another browser session and log in

So, the site is allowing multiple logins and we've been asked to fix this.

I had this idea:
When a user logs in, we set a flag in the database. If the user opens another tab or another browser session to log in again, we can check that flag and prevent a double login.

But what if the user X's out and doesn't click on the "log out" button?

Any ideas on how to go about this?
5 Solutions
Dr. Klahn (Principal Software Engineer) commented:
Put a cookie on the system.  You probably do this already.  Make it a ten-minute cookie.

When a user authenticates, check to see if the cookie is there and whether it has expired.  If the cookie is there, state "You're already logged in.  Please return to the original session, or wait 10 minutes and try again."

During a session, periodically update the cookie to bump the time up another ten minutes.

When a user detaches, remove the cookie.

The downsides are:
  • This does not prevent multiple logins from multiple systems.
  • If the user's system crashes, they cannot log in for ten minutes.
  • If the user walks away from the system for ten minutes, they have to log in again.  Not necessarily a disadvantage, as far as security.
Camillia (Author) commented:
This is a good idea. Thanks
Wayne Barron commented:
I agree with the cookie.
Do the following.

Log the user's Username and IP Address.
If the user logs in with another browser tab or window,
You then want to check if the user has logged in with the username, and IP Address from the cookie.
If the cookie exists, then show a warning.

You are currently logged in with another session, please close out of that session before logging in again.

This is what I use.

Camillia (Author) commented:
Thanks, Wayne. Good idea.
I would rather utilize the ASP.NET Cache for this, rather than the database. When a user logs in, add a user tag to the cache and prevent the user from logging in if a tag is already present.

This will prevent multiple logins but since it is impossible to always perform a graceful logout a couple things need to happen additionally:

1- Set a short expiration on the cached tag (say 90 secs or something configurable).
2- Use Keepalive calls (Ajax or some other mechanism) to keep the cached item alive as long as the window remains open on the client end.

The first one will automatically logout a user after a certain time in the case of an ungraceful logout. The second one will prevent premature logouts.

The one pitfall you'll have to live with is users unable to login for some time after say they close the browser window.

Adding this after looking at other comments.

Cookies won't work across browsers and devices. What if I open a tab on Android? What if I clear all cookies? What about the private/InPrivate browsing offered by all browsers?
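The cache-tag-plus-keepalive scheme described in the comment above, as an added example that is not code from the thread. A ConcurrentDictionary stands in for the ASP.NET Cache so the sample compiles as a plain console program; the clock is injected so the 90-second expiry can be stepped without waiting. Class and method names (SingleLoginRegistry, TryLogin, KeepAlive) and the timings are assumptions for the illustration.

```csharp
using System;
using System.Collections.Concurrent;

// Added example (not from the thread). In-memory stand-in for the ASP.NET
// Cache: one entry per user holding the time the entry expires. A login is
// refused while a live entry exists; the client's periodic keepalive ping
// extends it; a graceful logout removes it; an ungraceful exit simply lets
// it expire. Names and the TTL are assumptions.
public sealed class SingleLoginRegistry
{
    private readonly ConcurrentDictionary<string, DateTime> _expiries =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _ttl;
    private readonly Func<DateTime> _now;

    public SingleLoginRegistry(TimeSpan ttl, Func<DateTime> clock)
    {
        _ttl = ttl;
        _now = clock;
    }

    // True and the user is claimed if no live entry exists; false otherwise.
    // A live entry must never be overwritten, so only an expired one is replaced,
    // and the compare-and-swap is retried if another request races us.
    public bool TryLogin(string user)
    {
        DateTime now = _now();
        DateTime newExpiry = now + _ttl;
        while (true)
        {
            if (_expiries.TryAdd(user, newExpiry)) return true;
            DateTime existing;
            if (!_expiries.TryGetValue(user, out existing)) continue; // raced with a logout; retry
            if (existing > now) return false;                       // live session elsewhere
            if (_expiries.TryUpdate(user, newExpiry, existing)) return true;
            // lost a race with another login or keepalive; loop and re-check
        }
    }

    // Called by the client's Ajax ping; extends the entry only while it is still live.
    public bool KeepAlive(string user)
    {
        DateTime now = _now();
        DateTime existing;
        if (!_expiries.TryGetValue(user, out existing) || existing <= now) return false;
        return _expiries.TryUpdate(user, now + _ttl, existing);
    }

    // Graceful logout: the user can log in again immediately.
    public void Logout(string user)
    {
        DateTime ignored;
        _expiries.TryRemove(user, out ignored);
    }

    public bool IsLoggedIn(string user)
    {
        DateTime existing;
        return _expiries.TryGetValue(user, out existing) && existing > _now();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed timeline: a fixed clock that the demo advances by hand.
        DateTime clock = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);
        var registry = new SingleLoginRegistry(TimeSpan.FromSeconds(90), () => clock);

        Console.WriteLine(registry.TryLogin("alice"));  // True: first login
        Console.WriteLine(registry.TryLogin("alice"));  // False: second tab/browser is blocked

        clock = clock.AddSeconds(60);
        Console.WriteLine(registry.KeepAlive("alice")); // True: ping from the open window
        clock = clock.AddSeconds(60);
        Console.WriteLine(registry.TryLogin("alice"));  // False: keepalive pushed expiry to t+150s

        clock = clock.AddSeconds(91);                   // window closed, pings stopped
        Console.WriteLine(registry.TryLogin("alice"));  // True: entry expired, login allowed again
    }
}
```

Two things to keep in mind if this is moved onto the real ASP.NET Cache: the cache is per worker process, so a web farm needs a shared store (database or distributed cache) for the same logic to hold, and the keepalive endpoint must itself require the authenticated user so that an unauthenticated request cannot keep a stranger's lock alive or, conversely, lock a user out.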
Camillia (Author) commented:
The one pitfall you'll have to live with is users unable to login for some time after say they close the browser window.

Why is that?


Do the 2 other solutions use database caching?
Let's say you close the browser; the user tag will expire in 90 seconds (at most), and during that time you won't be able to log in. You may reduce the expiration to, say, 60 secs at the cost of increased keepalive traffic.

Cookies are not a solution IMO.
Camillia (Author) commented:
Let me read and understand. Thanks
What about automatically logging the user out of any previous session instead of preventing a new log in?
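The "evict the previous session" idea in the comment above, as an added example that is not code from the thread. Each login issues a fresh per-user session serial and records it server-side; every later request presents the serial it was issued and is rejected as soon as the stored serial differs. This needs no expiry timer and no keepalive, so a crash or closed browser never locks the user out, and it works across devices because the state is on the server, not in a cookie. The names (ActiveSessionStore, Login, IsCurrent) and the in-memory dictionary standing in for a column on the user row are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added example (not from the thread). One current session serial per user;
// issuing a new one silently invalidates the old. In production the serial
// would be stored with the user record; the dictionary here is a stand-in.
public sealed class ActiveSessionStore
{
    private readonly ConcurrentDictionary<string, string> _current =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Issue a new serial; whatever serial was stored before is now stale.
    public string Login(string user)
    {
        string serial = NewSerial();
        _current[user] = serial;
        return serial;
    }

    // Per-request check: the caller passes the serial carried in its auth ticket.
    public bool IsCurrent(string user, string serial)
    {
        string stored;
        return serial != null
            && _current.TryGetValue(user, out stored)
            && ConstantTimeEquals(stored, serial);
    }

    // Explicit logout also drops the serial, so even a still-valid ticket stops working.
    public void Logout(string user)
    {
        string ignored;
        _current.TryRemove(user, out ignored);
    }

    // 128 bits from the CSPRNG. Guid.NewGuid() is not documented as
    // cryptographically random, so it is not used for a value that acts as a secret.
    private static string NewSerial()
    {
        byte[] bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Compare without short-circuiting on the first differing character.
    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new ActiveSessionStore();

        string desktop = store.Login("alice");                 // first browser
        Console.WriteLine(store.IsCurrent("alice", desktop));  // True

        string phone = store.Login("alice");                   // later login from another device
        Console.WriteLine(store.IsCurrent("alice", desktop));  // False: first session evicted
        Console.WriteLine(store.IsCurrent("alice", phone));    // True

        store.Logout("alice");
        Console.WriteLine(store.IsCurrent("alice", phone));    // False: logged out everywhere
    }
}
```

To wire this into Forms authentication in Web Forms: on successful login, build a FormsAuthenticationTicket whose UserData is the serial returned by Login, encrypt it with FormsAuthentication.Encrypt, and write it in an HttpOnly cookie named FormsAuthentication.FormsCookieName; then in Global.asax, in Application_PostAuthenticateRequest, cast Context.User.Identity to FormsIdentity, read Ticket.UserData, and if IsCurrent returns false call FormsAuthentication.SignOut() and FormsAuthentication.RedirectToLoginPage(). Two tabs in one browser share the cookie jar, so a re-login in a second tab replaces the serial in the shared cookie and both tabs keep working; only a login from a different browser or device evicts the earlier one.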
Camillia (Author) commented:
Louisfr.... that's a good one too. So with that...we still need to know if user is already logged in, correct?
