Already logon. Then, must prevent same User Id being used to login

Jerry Lipan 916 Reputation points
2022-06-14T11:21:38.32+00:00

Hi. I'm not using Identity. I created my own login authentication.

So far, I can log in using the code below:

    private async Task SignInAsync(string UserId, List<string> Roles)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, UserId),
            new Claim("MyCustomClaim", "my claim value")
        };

        //Add roles as multiple claims
        foreach (string role in Roles)
        {
            claims.Add(new Claim(ClaimTypes.Role, role));
        }

        var claimsIdentity = new ClaimsIdentity(
            claims, CookieAuthenticationDefaults.AuthenticationScheme);

        var authProperties = new AuthenticationProperties
        {
            ExpiresUtc = DateTime.Now.AddMinutes(Convert.ToDouble(_iconfiguration["LoginExpiresUtc"])),
        };

        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(claimsIdentity), authProperties);
    }

Based on this, how can I prevent multiple logins? I saw this:

[Image: 211342-14062022-001.png]

On every login, I can store data in the session or a database. But I don't understand "Change their security stamp".

I need a technical guide and a sample to prevent multiple logins.

Please help

ASP.NET Core

1 answer

  1. Bruce (SqlWork.com) 66,056 Reputation points
    2022-06-14T18:43:00.077+00:00

    It's pretty simple. When the user logs in, update the user's unique value in a database table, and also store the GUID in a cookie. Then on every request, read the database value and compare it to the cookie value. If they do not match, log out the user.

    This is the last-login-wins approach.

    ASP.NET Core Identity has built-in support for this, to write the stamp on login and add the claim to the cookie:

    https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.usermanager-1.updatesecuritystampasync?view=aspnetcore-6.0

    The next question is how often to check. You can check the security stamp claim on every request via the cookie authentication callback.

    0 comments
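
The last-login-wins check described in the answer above, written for plain cookie authentication without ASP.NET Core Identity. This is an added example, not code from the thread: `SessionStampStore`, `SessionStampEvents` and the `SessionStamp` claim name are hypothetical, and the in-memory dictionary stands in for the database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical store. Stand-in for the database table; a real app persists the
// stamp per user so it survives restarts and is shared across servers.
public sealed class SessionStampStore
{
    private readonly ConcurrentDictionary<string, string> _stamps = new();

    // Called at login: the new stamp replaces the old one, invalidating older cookies.
    public string Rotate(string userId) => _stamps[userId] = Guid.NewGuid().ToString("N");

    // Called on every request to fetch the stamp of the most recent login.
    public string? Current(string userId) => _stamps.TryGetValue(userId, out var s) ? s : null;
}

public sealed class SessionStampEvents : CookieAuthenticationEvents
{
    public const string StampClaim = "SessionStamp"; // hypothetical claim name
    private readonly SessionStampStore _store;
    public SessionStampEvents(SessionStampStore store) => _store = store;

    // Runs each time the authentication cookie is validated, i.e. on every authenticated request.
    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var userId = context.Principal?.Identity?.Name;
        var cookieStamp = context.Principal?.FindFirst(StampClaim)?.Value;
        var stored = userId is null ? null : _store.Current(userId);

        // Missing or stale stamp: a newer login exists, so reject this cookie and clear it.
        if (cookieStamp is null || stored is null || !string.Equals(cookieStamp, stored, StringComparison.Ordinal))
        {
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        }
    }
}

// Wiring in Program.cs:
//   builder.Services.AddSingleton<SessionStampStore>();
//   builder.Services.AddScoped<SessionStampEvents>();
//   builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
//       .AddCookie(o => o.EventsType = typeof(SessionStampEvents));
// In the question's SignInAsync, before building the ClaimsIdentity (store is injected):
//   claims.Add(new Claim(SessionStampEvents.StampClaim, store.Rotate(UserId)));
```

A cookie issued before the stamp claim existed fails validation too, so existing sessions are signed out once after deployment.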
