Enforce Single Login Of User At a Time

Old forum URL: forums.lhotka.net/forums/t/11760.aspx

KeniM posted on Wednesday, December 19, 2012

My company is using the CSLA .NET Framework with Silverlight 5 to build an application and we want to ensure that a user can only log in from one computer at a time. This seems a little tricky in Silverlight 5 due to the way it works, but I was wondering if there was anything in CSLA .NET that might help make this easier, or if you had any suggestions.

We are currently using the CslaPrincipal and the CslaIdentityBase to log the user in as shown in the CSLA examples.


skagen00 replied on Wednesday, December 19, 2012

We do this by leveraging a session key that ends up travelling with each request to the server. Within a client's database we maintain a list of active sessions. The session keys are like GUIDs and get assigned when a user is authenticated.

If a request is made with a session key that is no longer valid, we consider the user's session expired. (It raises a "timeout" exception and then we catch that in SL and log the user out of the application).


KeniM replied on Wednesday, December 19, 2012

So in this scenario, if the user logged in from a different computer, it would log out the user who first logged in? Is there any way to do it in reverse? Like disallowing the logging in of the second person rather than logging out the first person?

Due to the way the program works, we were hoping to just block people from logging in with user IDs that are already in use, but we're worried this may lock out users if the user exits the program in an abnormal way, such as the computer losing power.

skagen00 replied on Wednesday, December 19, 2012

Yes it would log out the user who first logged in - it would expire that user's session.

For us, it's about seat-licensing enforcement.

To figure out if a user Id is already in use, you have to know whether or not a session is active.  With Web (including Silverlight) that isn't cleanly answerable. 

In the scenario where a computer loses power, the user (under the mechanism we use) could log right back in and keep going. Under your scenario you have to judge (through number of minutes since last request, etc.) whether that user session can be discarded and then let the new session begin.

What kind of peculiarities make the way I end up doing it not work with your application? ("Due to the way the program works...")

KeniM replied on Wednesday, December 19, 2012

Our program pulls most of the data from the server which the Silverlight application can then show in various formats. While pulling the data from the server is one of the main functions, the actual manipulation of the data takes up the majority of the user's time. As such, we're concerned a user could pull up the data that they wanted, and then let another user log in on a different computer with the same credentials. So long as the first user doesn't try to pull any more data, two users can be logged in at the same time with no problem, since the first one doesn't touch the server for a while.

The concern that someone would use the program like that is a minor one, though, and so I was just curious if there was a way that it might work in reverse, but it seems a little bit too inconvenient for the user. As such, your solution seems like a lot better one. Thanks for the help!
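
The two policies discussed in this thread (a new login expiring the older session, versus refusing the second login unless the existing session has gone idle), sketched as an added example that is not code from any poster or from CSLA .NET. `SessionRegistry`, `LoginPolicy` and `SessionExpiredException` are hypothetical names, and the in-memory dictionary is an assumption standing in for the database table of active sessions.

```csharp
using System;
using System.Collections.Generic;

// Added illustration: all type and member names are hypothetical, not CSLA .NET APIs.
public enum LoginPolicy { ReplaceExisting, RejectIfActive }

public sealed class SessionExpiredException : Exception { }

public sealed class SessionRegistry
{
    private sealed class Entry { public Guid Key; public DateTime LastSeenUtc; }

    private readonly Dictionary<string, Entry> _byUser =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly object _gate = new object();
    private readonly LoginPolicy _policy;
    private readonly TimeSpan _idleLimit;

    public SessionRegistry(LoginPolicy policy, TimeSpan idleLimit) { _policy = policy; _idleLimit = idleLimit; }

    // Call only after credentials have been verified. Returns the new session key,
    // or null when RejectIfActive finds a session that has not yet gone idle.
    public Guid? Login(string userId, DateTime nowUtc)
    {
        lock (_gate)
        {
            Entry current;
            bool active = _byUser.TryGetValue(userId, out current)
                          && nowUtc - current.LastSeenUtc < _idleLimit;
            if (active && _policy == LoginPolicy.RejectIfActive) return null;
            var entry = new Entry { Key = Guid.NewGuid(), LastSeenUtc = nowUtc };
            _byUser[userId] = entry; // overwriting invalidates any older key for this user
            return entry.Key;
        }
    }

    // Call at the start of every server request; the client sends its key each time.
    public void Validate(string userId, Guid key, DateTime nowUtc)
    {
        lock (_gate)
        {
            Entry current;
            if (!_byUser.TryGetValue(userId, out current) || current.Key != key)
                throw new SessionExpiredException(); // client catches this and logs out
            current.LastSeenUtc = nowUtc; // activity keeps the session counted as in use
        }
    }
}
```

With `RejectIfActive`, the idle limit is what lets a user back in after an abnormal exit such as a power loss; with `ReplaceExisting`, the older client only learns its session is gone on its next server request.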

Copyright (c) Marimer LLC