Idea needed - how to prevent multiple logins to our site?

This is Web Forms, C# (Not MVC)

We have our website with Forms authentication. A client of the company ran security scan on our site and said this is a security risk that needs to be fixed:

1. User opens the browser, types in username/password and logs in
2. User can now open another tab and log in again
3. User can open another browser session and log in

So, the site is allowing multiple logins and we've been asked to fix this.

I had this idea
 When user logs in, we set a flag in the database. If user opens another tab or another browser session to log in again, we can check that flag and prevent a double login.

But, what if user X outs and doesn't click on the "log out" button?

Any ideas on how to go about this?
Who is Participating?

Improve company productivity with a Business Account.Sign Up

ambienceConnect With a Mentor Commented:
I would rather utilize the ASP.NET Cache for such, rather than the database. When a user logs in add a User tag to the cache and prevent user login if a tag is already present.

This will prevent multiple logins but since it is impossible to always perform a graceful logout a couple things need to happen additionally:

1- Set a short expiration on the cached tag (say 90 secs or something configurable).
2- Use Keepalive calls (Ajax or some other mechanism) to keep the cached item alive as long as the window remains open on the client end.

The first one will automatically logout a user after a certain time in the case of an ungraceful logout. The second one will prevent premature logouts.

The one pitfall you'll have to live with is users unable to login for some time after say they close the browser window.

Adding this after looking at other comments.

Cookies wont work across browsers and devices. What if I open tab on Android? What if I clear all cookies? What about Private Inpage browsing offered by all browsers?
Dr. KlahnConnect With a Mentor Principal Software EngineerCommented:
Put a cookie on the system.  You probably do this already.  Make it a ten-minute cookie.

When a user authenticates, check to see if the cookie is there and whether it has expired.  If the cookie is there, state "You're already logged in.  Please return to the original session, or wait 10 minutes and try again."

During a session, periodically update the cookie to bump the time up another ten minutes.

When a user detaches, remove the cookie.

The downsides are:
  • This does not prevent multiple logins from multiple systems.
  • If the user's system crashes, they cannot log in for ten minutes.
  • If the user walks away from the system for ten minutes, they have to log in again.  Not necessarily a disadvantage, as far as security.
CamilliaConnect With a Mentor Author Commented:
This is a good idea. Thanks
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Wayne BarronConnect With a Mentor Author, Web DeveloperCommented:
I agree with the cookie.
Do the following.

Log the user's Username and IP Address.
If the user logs in with another browser tab or window,
You then want to check if the user has logged in with the username, and IP Address from the cookie.
If the cookie exists, then show a warning.

You are currently logged in with another session, please close out of that session before logging in again.

This is what I use.
CamilliaAuthor Commented:
Thanks, Wayne. Good idea.
CamilliaAuthor Commented:
The one pitfall you'll have to live with is users unable to login for some time after say they close the browser window.

Why is that?


Are the 2 other solutions use database caching?
Lets say you close the browser, the user tag will expire in 90 seconds (at most) and during that time you wont be able to login. You may reduce the expiration to say 60 secs at the cost of increased keepalive traffic.

Cookies are not a solution IMO.
CamilliaAuthor Commented:
Let me read and understand. Thanks
louisfrConnect With a Mentor Commented:
What about automatically loging the user out of any previous session instead of preventing a new log in?
CamilliaAuthor Commented:
Louisfr.... that's a good one too. So with that...we still need to know if user is already logged in, correct?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.