
I basically want to set up in my LogOn Action a conditional statement that looks at the username and determines that username is already logged in.

At which point the user should be informed.

That account is logged in, if you think you've been hijacked...yada yada yada.

I thought I could add something after this conditional, is there something like my made up method Membership.CheckIfUserIsOnline(string username) out there already?

    if (ModelState.IsValid)
    {
        if (Membership.ValidateUser(model.UserName, model.Password))
        {
            // See the line below, I made this method up.
            if (Membership.CheckIfUserIsOnline(model.UserName))
            {
                ModelState.AddModelError("", "Someone else is logged into this account.");
            }
        }
    }
Doug Chamberlain

1 Answer

If you're using Session State, I would store (ideally in an application-wide cache or alternatively in your application database) a record keyed on the User ID, storing the Session ID.

Then, check the logged-in User ID against the current Session ID when you're looking to detect multiple logons. If the Session ID stored in the database doesn't match the Session ID of the current Session, that may indicate multiple logons.

You have to deal with expiring the values from the data store (which is why an application-wide cache may be better than the application database) and with normal termination of a session (on logoff), but if you're only using it to alert the user, it's probably good enough.

Steve Morgan
  • +1. That's pretty much what we do. The SQL Membership provider doesn't track who is "logged in." Just the last activity time. – Craig Stuntz Jul 19 '11 at 17:51
  • @Steve Morgan, So then I have to create my own *expletive* Custom Membership provider, derived from SqlMembershipProvider? I was hoping I wouldn't have to create yet one more custom class....sigh. Also, if you have any links to some more info on your answer I'd appreciate it. – Doug Chamberlain Jul 19 '11 at 18:04
  • Well, personally, I wouldn't use SQL Membership Provider with ASP.NET MVC but use WIF, but that's because I'm a fan of federated authentication. But rather than building a new membership provider, maybe you could build a custom ActionFilter to apply to your controller methods: http://www.asp.net/mvc/tutorials/understanding-action-filters-cs – Steve Morgan Jul 19 '11 at 18:07
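
The approach from the answer above (a record keyed on the user ID that stores the session ID, with expiry and removal on logoff), as an added example that is not part of the original thread. `ActiveSessionRegistry`, its method names, the 20-minute timeout and the sample IDs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Hypothetical helper, not a framework type: user ID -> owning session ID, with sliding expiry.
public sealed class ActiveSessionRegistry
{
    private sealed class Entry { public string SessionId; public DateTime LastSeenUtc; }

    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _timeout;
    private readonly Func<DateTime> _utcNow;   // injectable clock so expiry can be exercised

    public ActiveSessionRegistry(TimeSpan timeout, Func<DateTime> utcNow = null)
    {
        _timeout = timeout;
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    // True when a different, unexpired session is on record for this user.
    public bool HasOtherLiveSession(string userId, string sessionId) =>
        _entries.TryGetValue(userId, out Entry e)
        && _utcNow() - e.LastSeenUtc < _timeout
        && !string.Equals(e.SessionId, sessionId, StringComparison.Ordinal);

    // Call after a successful logon and on each authenticated request from that session.
    public void Touch(string userId, string sessionId) =>
        _entries[userId] = new Entry { SessionId = sessionId, LastSeenUtc = _utcNow() };

    // Call on logoff; the pair-wise Remove only deletes the record this session still owns.
    public void Remove(string userId, string sessionId)
    {
        if (_entries.TryGetValue(userId, out Entry e) && e.SessionId == sessionId)
            ((ICollection<KeyValuePair<string, Entry>>)_entries).Remove(new KeyValuePair<string, Entry>(userId, e));
    }
}

public static class Demo
{
    public static void Main()
    {
        var now = new DateTime(2011, 7, 19, 18, 0, 0, DateTimeKind.Utc);   // constructed clock
        var registry = new ActiveSessionRegistry(TimeSpan.FromMinutes(20), () => now);
        registry.Touch("alice", "sess-A");                                   // constructed IDs
        Console.WriteLine(registry.HasOtherLiveSession("alice", "sess-B")); // second browser
        now = now.AddMinutes(21);                                            // record goes stale
        Console.WriteLine(registry.HasOtherLiveSession("alice", "sess-B"));
    }
}
```

In ASP.NET, `Session.SessionID` changes on every request until something is stored in session state, so write a value to `Session` at logon before recording the ID.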