We have upgraded Thruk from version 2.26 to 2.44.
We want the audit log feature to work when users access Thruk through the website. Our configuration is:
<audit_logs>
logfile = /var/log/audit/thruk-%Y.%m.%d.log
login = 1
logout = 1
session = 1
external_command = 1
configtool = 1
</audit_logs>
Currently it is logging only session creation. Is there any dependency for this? What other criteria should be met for audit logs to work? Does it work only for cookie-based authentication?
I'm using ASP.NET Core 6 Identity for my login system. I want to prevent multiple logins to the same account.
My Identity settings are:
// For custom Identity
string connection = configuration.GetConnectionString("DefaultConnection");
builder.Services.AddIdentity<AppUser, AppRole>(options =>
{
    // User settings
    options.User.RequireUniqueEmail = false;
    // Password policy
    options.Password.RequireDigit = true;
    options.Password.RequireUppercase = false;
    options.Password.RequiredUniqueChars = 0;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequiredLength = 6;
    // Lockout after repeated failed attempts
    options.Lockout.MaxFailedAccessAttempts = 10;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Tokens.PasswordResetTokenProvider = TokenOptions.DefaultProvider;
}).AddEntityFrameworkStores<IdentityAppContext>().AddDefaultTokenProviders();
I searched some similar questions, but none of them helped me implement this feature in ASP.NET Core 6.
Please guide me.
What is the Use Case for denying access while logged in?
"When someone logged in, no body can log in to that account until he closes the browser or logs out manually"
That would require logic like:
On Login, throw error if tokenHasBeenIssued, by querying the server db.
On Login, if no server token for user, createToken.
On Logout, clean the db: removeUserToken.
But when someone closes their browser, no message is sent to the server, so you'd never clear the token; you'd get one login granted and then they would be logged out forever.
Maybe this scenario is fixable with a hack of a 'Timed cron job to clear all old tokens'?
I would suggest implementing two-factor authentication, or even delegating your auth needs to a third-party provider, e.g. Auth0 or Azure AD.
If you mean to stay signed in, you need to implement a token (for example, a JWT) and use the user ID or username directly without logging in again.
When using the Spring LDAP template to change a password, we are currently using the code sample below:
// Replace the userPassword attribute with the new value in one modify request
Attribute attr = new BasicAttribute("userPassword", newPassword);
ModificationItem item = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attr);
ldapTemplate.modifyAttributes(dn, new ModificationItem[] {item});
We are currently using an admin user to establish the connection with LDAP, and that user is able to change the password for the users. Even though we have a password policy set in AD LDS to prevent users from reusing their last 12 passwords, we are still able to change it to one of them. What permission can I set in AD LDS, or what Spring code can I write, to achieve the above functionality?
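As an added example (not the question's code), here are the two modify shapes a directory distinguishes, side by side. It assumes that AD LDS, like Active Directory, applies the password-history policy only to a user-initiated change (remove the old value and add the new one in a single modify, bound as the user) and not to an administrative reset (a single replace, bound as an admin); verify this against your instance. It also assumes userPassword is enabled as a password attribute there and that the connection is LDAPS, since the values travel in clear text inside the request. The class name `PasswordOps` is hypothetical.

```java
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.support.LdapUtils;

/** Hypothetical helper: reset (admin) versus change (user) of userPassword. */
public class PasswordOps {

    // Assumption: this template is bound as the admin account, as in the question.
    private final LdapTemplate adminTemplate;

    public PasswordOps(LdapTemplate adminTemplate) {
        this.adminTemplate = adminTemplate;
    }

    /**
     * Administrative RESET: one REPLACE, performed with the admin bind. This is the
     * shape the question uses; the history policy is not consulted on this path.
     */
    public void resetPassword(Name userDn, String newPassword) {
        ModificationItem replace = new ModificationItem(
                DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userPassword", newPassword));
        adminTemplate.modifyAttributes(userDn, new ModificationItem[] {replace});
    }

    /**
     * User-initiated CHANGE: REMOVE the old value and ADD the new one in ONE modify
     * request, on a context bound as the user (so the old password is proven).
     * This is the path the history policy applies to, so reuse of one of the last
     * 12 passwords is rejected by the directory with a constraint violation.
     */
    public void changePassword(Name userDn, String oldPassword, String newPassword)
            throws NamingException {
        ModificationItem remove = new ModificationItem(
                DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("userPassword", oldPassword));
        ModificationItem add = new ModificationItem(
                DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("userPassword", newPassword));

        // Bind as the user with the OLD password; a wrong old password fails here,
        // before any modification is attempted.
        DirContext userCtx = adminTemplate.getContextSource()
                .getContext(userDn.toString(), oldPassword);
        try {
            userCtx.modifyAttributes(userDn, new ModificationItem[] {remove, add});
        } finally {
            LdapUtils.closeContext(userCtx);
        }
    }
}
```

The admin bind should be kept for genuine resets (help-desk flows) and never used for a self-service change, otherwise every change takes the reset path and the history policy never fires regardless of how it is configured.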
What causes express sessions to be generated on a new page load?
I'm only seeing it happen for users that were on my system before I moved my server to a new box.
New users can create logins and authenticate no problem.
An existing user attempts to login and they get a new session when the login process takes them from "/login" to "/authed".
I know this is happening because I'm looking at the req.sessionID. For new users it stays the same throughout, for existing users (ie from the old box) it regenerates.
Here's a sample of a failing request. On login I'm setting session vars, so I need that same session on the /authed request:
2015-01-28T20:01:19.548Z : worker 1 : POST : /login
sess_id : hx_9U_1IXYvtgrGEwvFAWGcVKCR0e-zH
sess_id : hx_9U_1IXYvtgrGEwvFAWGcVKCR0e-zH
2015-01-28T20:01:19.760Z : worker 1 : GET : /authed
sess_id : nZWUdTgCnba_vPR8ZgHLo3WkXZW-25UY
Edit: I'm using redis as a store for my session.
Thanks
I'm writing code to keep an audit trail of every login on my application. For that, I'm getting the session id from the AuditRequestThreadLocal object by using auditRequestThreadLocal.getSessionID().
The problem is: it gives the same sessionId for a user on every login (multiple logins of the same user).
I also tried fetching the sessionId from the HttpRequest, but that also returns the same sessionId for that user on every login.
P.S. In the case of Tomcat it seems to work fine, but in the case of JBoss it returns the same sessionId.
Thanks.
You can try this solution:
inside portlet.properties, set session.enable.phishing.protection=true:
#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true
You can also try applying the following properties in your portal-ext.properties:
session.enable.phishing.protection=true
session.phishing.protected.attributes=OPEN_ID_CONNECT_SESSION
I have implemented Spring Security, and I can get all the logged-in users by using the following code and display them under an "online" tag:
// Every principal that currently has a registered session
for (Object user : sessionRegistry.getAllPrincipals()) {
    User onlineUser = (User) user;
    onlineUsersIds.add(onlineUser.getId());
}
Is it possible to know that a user has just logged in, so that I can update the online users list, or do I have to check the sessionRegistry every 5 or 10 minutes and then update the user list every 5 or 10 minutes?
Please let me know if you need any other detail.
I would use this: javax.servlet.http.HttpSessionBindingListener
http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSessionBindingListener.html
This works on a per-session basis.
So every time someone is authenticated, Spring Security puts certain values inside the session.
What you do is check for that session attribute with the valueBound and valueUnbound methods.
These methods would get an application-scoped set (or a synchronized set) and process them accordingly.
Every time you render a page, you just read from the application-scoped set.
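The listener approach above, worked through as an added example (not the answerer's code). `OnlineUserMarker` and `MarkOnlineOnLogin` are hypothetical names, and the `User.getId()` accessor is assumed from the question's own code. A per-user session count is kept rather than a plain set, because a plain set gets one case wrong: a user with two open sessions who logs out of one would otherwise disappear from the online list while still signed in elsewhere.

```java
// File: OnlineUserMarker.java
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Session-scoped marker. Binding it into a session adds the user to the online
 * set; unbinding (logout, invalidate(), or container timeout) removes them.
 * No polling of the SessionRegistry is needed.
 */
public final class OnlineUserMarker implements HttpSessionBindingListener, Serializable {

    private static final long serialVersionUID = 1L;
    public static final String ATTR = "onlineUserMarker";

    // Application-scoped: userId -> number of live sessions for that user.
    // ConcurrentHashMap so callbacks from different container threads need no locking.
    private static final ConcurrentHashMap<Long, Integer> SESSIONS = new ConcurrentHashMap<>();

    private final long userId;

    public OnlineUserMarker(long userId) {
        this.userId = userId;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        SESSIONS.merge(userId, 1, Integer::sum);
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Returning null from computeIfPresent removes the entry when the last session ends.
        SESSIONS.computeIfPresent(userId, (id, n) -> n > 1 ? n - 1 : null);
    }

    /** What the "online" tag reads on every render. */
    public static Set<Long> onlineUserIds() {
        return Collections.unmodifiableSet(SESSIONS.keySet());
    }
}

// File: MarkOnlineOnLogin.java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Registered as the AuthenticationSuccessHandler of the form login. Binds the
 * marker the moment authentication succeeds, which is the "user just logged in"
 * signal the question asks for.
 */
public final class MarkOnlineOnLogin extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws ServletException, IOException {
        // Assumption: the principal is the question's User class with getId().
        User user = (User) authentication.getPrincipal();
        request.getSession().setAttribute(OnlineUserMarker.ATTR,
                new OnlineUserMarker(user.getId()));
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

Spring Security's default logout handler invalidates the HTTP session, so valueUnbound fires on logout as well as on timeout. Two caveats for a JBoss-style deployment: the marker must stay Serializable (it is above) if sessions are persisted or replicated, and the static map is per JVM, so in a cluster each node only sees its own sessions unless the counts are moved to a shared store.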