Camillia asked:
Idea needed - how to prevent multiple logins to our site?
This is Web Forms, C# (Not MVC)
We have our website with Forms authentication. A client of the company ran a security scan on our site and said this is a security risk that needs to be fixed:
1. User opens the browser, types in username/password and logs in
2. User can now open another tab and log in again
3. User can open another browser session and log in
So, the site is allowing multiple logins and we've been asked to fix this.
I had this idea:
When the user logs in, we set a flag in the database. If the user opens another tab or another browser session to log in again, we can check that flag and prevent a double login.
But what if the user X's out and doesn't click on the "log out" button?
Any ideas on how to go about this?
ASKER
The one pitfall you'll have to live with is users unable to login for some time after say they close the browser window.
Why is that?
----
Do the 2 other solutions use database caching?
Let's say you close the browser: the user tag will expire in 90 seconds (at most), and during that time you won't be able to log in. You may reduce the expiration to, say, 60 secs at the cost of increased keepalive traffic.
Cookies are not a solution IMO.
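The following is an added example, not code posted in this thread, showing one way to combine the asker's "flag in the database" idea with the keepalive/expiry scheme described in the reply above. The store is an in-memory dictionary so the class runs stand-alone; a real Web Forms site would back it with a table holding (UserName, SessionToken, LastSeenUtc). The class, method and user names, and the 90-second expiry, are assumptions chosen for illustration.

```csharp
// Added example: single-active-login guard for an ASP.NET Web Forms site.
// Login sets the "flag" (an active-login record); a keepalive refreshes it;
// an expiry clears it when the browser was closed without clicking "log out".
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class ActiveLogin
{
    public string SessionToken;   // random value kept in the user's Session / ticket UserData
    public DateTime LastSeenUtc;  // refreshed by each keepalive request
}

public sealed class SingleLoginGuard
{
    private readonly TimeSpan _expiry;
    private readonly object _lock = new object();
    // In-memory stand-in for the database table; keyed by user name.
    private readonly Dictionary<string, ActiveLogin> _active =
        new Dictionary<string, ActiveLogin>(StringComparer.OrdinalIgnoreCase);

    public SingleLoginGuard(TimeSpan expiry) { _expiry = expiry; }

    // Call right after Membership.ValidateUser succeeds and before issuing the
    // forms-auth ticket. Returns a fresh token, or null if a live login exists.
    public string TryLogin(string userName, DateTime nowUtc)
    {
        lock (_lock)
        {
            ActiveLogin existing;
            if (_active.TryGetValue(userName, out existing) &&
                nowUtc - existing.LastSeenUtc < _expiry)
            {
                return null; // another tab or browser is still logged in
            }
            // Either no record, or a stale one (browser closed, no logout, no
            // keepalives): the expiry makes the flag self-healing.
            var token = NewToken();
            _active[userName] = new ActiveLogin { SessionToken = token, LastSeenUtc = nowUtc };
            return token;
        }
    }

    // Call from the keepalive handler (e.g. a small .ashx hit by JavaScript
    // every 30 s). False means this browser's token is no longer the active one.
    public bool Touch(string userName, string sessionToken, DateTime nowUtc)
    {
        lock (_lock)
        {
            ActiveLogin existing;
            if (!_active.TryGetValue(userName, out existing) ||
                !string.Equals(existing.SessionToken, sessionToken, StringComparison.Ordinal))
                return false;
            existing.LastSeenUtc = nowUtc;
            return true;
        }
    }

    // Call from the "log out" button so the flag is freed immediately
    // instead of waiting for the expiry.
    public bool Logout(string userName, string sessionToken)
    {
        lock (_lock)
        {
            ActiveLogin existing;
            if (!_active.TryGetValue(userName, out existing) ||
                !string.Equals(existing.SessionToken, sessionToken, StringComparison.Ordinal))
                return false;
            _active.Remove(userName);
            return true;
        }
    }

    // Unguessable token: a second browser must not be able to forge keepalives.
    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}

// Walk-through of the pitfall raised in the thread: closing the browser
// leaves the flag set until the keepalive expiry passes.
public static class Demo
{
    public static void Main()
    {
        var guard = new SingleLoginGuard(TimeSpan.FromSeconds(90));
        var t0 = new DateTime(2020, 1, 1, 12, 0, 0, DateTimeKind.Utc);

        string first = guard.TryLogin("camillia", t0);                     // first login
        string secondTab = guard.TryLogin("camillia", t0.AddSeconds(10));  // second tab, first still live
        guard.Touch("camillia", first, t0.AddSeconds(20));                 // last keepalive before browser is closed
        string tooSoon = guard.TryLogin("camillia", t0.AddSeconds(100));   // 80 s after last keepalive
        string afterExpiry = guard.TryLogin("camillia", t0.AddSeconds(111)); // 91 s after last keepalive

        Console.WriteLine("first ok: {0}, second tab refused: {1}, relogin too soon refused: {2}, relogin after expiry ok: {3}",
            first != null, secondTab == null, tooSoon == null, afterExpiry != null);
    }
}
```

To wire this in, the login page keeps the returned token in Session (or in the FormsAuthenticationTicket UserData), a few lines of page JavaScript call a keepalive handler that passes the token to Touch, and the logout button calls Logout. Two caveats a practitioner should weigh: the lockout window after an ungraceful browser close is exactly the expiry you configure (the trade-off the reply above describes), and this control only stops a second login; it does not protect a user whose existing forms-auth cookie has been stolen, since that cookie is still accepted as the active session.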
ASKER
Let me read and understand. Thanks
ASKER
Louisfr.... that's a good one too. So with that...we still need to know if user is already logged in, correct?