3

How to tackle this session problem in ASP.NET,VB.NET?

The following requirement are there:

When the authorized user logs into the system that user is not allowed to login from another computer or in different browser other than that user is using right at this time.

The remedy we applied was: We have kept "Is_Loggedin" as a column with data type "bit" in a mst_vendor as a table name. When a user logs in we set the flag, Is_Loggedin, to "1" and each time when someone tries to log in using this account, the system is showing the error "The user is already logged in.".

When the user logs out it turns to "0" as the logout procedure calls as soon as the user clicks the log out button.

Problem scenario:

  1. When the user closes the browser the flag remains the same, that is, "1".

  2. When power gets off, it remains the same as "1".

  3. If the session timeouts after a predefined value it remains the same.

  4. There may be different scenarios other than this.

Is there any way so that we can store this internal flagging for the user's login status using the application object?

It may improve efficiency of the system and also eliminates the above problematic scenarios.

Improve this question
1
  • 1
    if you want a vb.net answer, why the C# and C++ tags? Commented Nov 30, 2010 at 12:12

5 Answers 5

Reset to default
4

You should use the Global.asax file and use the Session_End function.

Session_End: Fired when a user's session times out, ends, or they leave the application Web site.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

I'll believe it when I see it, how can the server possibly be aware when the browser is closed?
It isn't made aware of when the browser is closed, but the session will eventually timeout and Session_End will be raised/fired.
Note: the Session_End will only fire for 'InProc' sessions.
2

Store a datetime as another column next to the bit, and update it each and every time the user requests a page.

When a new user comes along with the same credentials and the bit is "1" you can check the datetime, and if it was a while ago you can be certain the user is no longer there. So let the login go ahead.

Improve this answer

Comments

0

You could keep a pulse going in script, and when the pulse times out, consider the user finished with that session.

The benefit to this is that you can tell the difference between the user sitting idle on the site and the user leaving the site.

Improve this answer

Comments

0

From a very top level view, here is what you can do

  • Use Cache with SlidingExpiration.

  • Everytime a user attempts login, check the cache with his username as the key. If an entry exists in the cache, you can say that user is already logged in and deny login.

  • If the key is not found, allow login and create a new key in the cache as the username and set the sliding expiration time. (This should be carefully chosen as this would be the duration, the user wouldnt be locked out after the browser is closed and user attempts to relogin.)

  • In the Application_PreRequestHandlerExecute handler in Global, check if the user is currently active (you can use sessions for this), reset the sliding expiration time for the user. This way, with each page request the cache expiration time would be reset.

  • If the user closes the browser and moves off, the cache would expire after the set period of time, and would free the user to log in again.

  • if in case the user attempts to login again before the cache expires, the user would have to wait for some time to let the cache expire.

  • if the user logs off properly, you can remove the cache entry on the logoff event such that user doesnt have to wait to relogin.

The Sliding expiration timeout can be synced with session timeout to emulate the actual session timeout for the application.

With this approach, you would also save on a lot of database round trips to update/check the user status and this would work irrespective of the hosting enviornment or the session modes.

Improve this answer

Comments

0

Yeah, a script would be a good idea. Just set the session timeout to be 5 minutes instead of 20 and then write a method into session.end in the global.asax file that updates the database accordingly.

Improve this answer

4 Comments

This won't fire if a powercut was to happen
Why not? If there's a power outage at the client, the session will timeout as normal.
I assumed they meant in general i.e. their whole company including servers
Indeed, a power outage at the server would mean the Session_End wouldn't fire as normal. I'm not sure what would happen. A recovery plan should include a reset of these flags.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.