Same user login into appliction from different browsers or devices

Surendra Adhikari 206 Reputation points
2020-11-18T11:14:30.77+00:00

When same user logs into the application from different browsers or devices we validate one login session and invalidate the other and allow the valid session to perform actions in the application. We deny any action the user performs from the invalid session and logout that session. The session id is stored in the table. We are validating the latest login session and invalidating the previous one. So for every action done by the user a check is done to know whether there is a new login session of the same user in the session id table. Since the transactions are done by the users in very high frequency the frequency of this check will also be very high which may slow down the performance. So what is the best practice of managing this situation?

.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,415 questions
ASP.NET
ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.
3,288 questions
C#
C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
10,306 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Cheong00 3,471 Reputation points
    2020-11-19T02:17:25.97+00:00

    If you're working on single-server configuration that's not on cloud, I've once implemented a static Dictionary of username, session-key value and timeout, with username as key.

    On each request, try to get user record from this dictionary. If found, check the session key and see if the request are from the same client. If not, check the timeout value, and throw error denying access to server. On other cases, create the record if not exist, and update its timeout to current time if already exist and is the same session.

    If you're working on multiple server/cloud, you can implement similar thing on SQL server tables. I would be less worry about performance given that ASP.NET user sessions are either on dedicated SessionServer or SQL server already.

  2. XuDong Peng-MSFT 10,176 Reputation points Microsoft Vendor
    2020-11-19T10:43:32.237+00:00

    Hi @Surendra Adhikari ,

    According to your description, I recommend that you try to use cache. When the user login successfully, create a cache entry for the user and save the unique sessionID.
    Something like: 

    if(Cache.ContainsKey["Login_" + username])  
    // Handle "Another session exists" case here  
else  
    Cache.Add("Login_" + username, this.Session.SessionID);

    And at the end of the session, delete the cached information. For example, Session_End event in global.asax: 

    if(Cache.ContainsKey["Login_" + username])  
    Cache.Remove("Login_" + username);

    The Cache is better managed and can be made to be synced across web farms or multiple threads with functions such as load balancing. Others (static or application) are only in the process, in this case there will be no guarantee for a single object. But if this is not the case, you could also use the static dictionary mentioned by other members.

    Best regards,
    Xudong Peng

    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.