I basically want to setup in my LogOn Action a conditional statement that looks at the username, and determines that username is already logged in.
At which point the user should be informed.
That account is logged in, if you think you've been hijacked...yada yada yada.
I thought I could add something after this conditional, is there something like my made up method Membership.CheckIfUserIsOnline(string username) out there already?
if (ModelState.IsValid)
{
if (Membership.ValidateUser(model.UserName, model.Password))
{
//See the line below, I made this method up.
if (Membership.CheckIfUserIsOnline(model.UserName){
ModelState.AddModelError("", "Someone else is logged into this account.");
}
If you're using Session State, I would store (ideally in an application-wide cache or alternatively in your application database) a record keyed on the User ID, storing the Session ID.
Then, check the logged-in User ID against the current Session ID when you're looking to detect multiple logons. If the Session ID stored in the database doesn't match the Session ID of the current Session, that may indicate multiple logons.
You have to deal with expiring the values from the data store (which is why an application-wide cache may be better than the application database) and with normal termination of a session (on logoff), but if you're only using it to alert the user, it's probably good enough.
Related
In Codeigniter, how do I remove specific user's session?
I have set login session like below. And I want to remove specific MemId's LoggedIn(in other words, session for just one user) assuming there are about 1000 users.
$this->session->set_userdata([
'LoggedIn'=>true,'MemId'=>PrimaryKey
]);
When user logged in you are setting two session variables.One is LoggedIn and another 'MemId' which is the primary key of member.So,first retrieve the logged in user member id from database then unset it.Might work properly.
MemId is the member id of user for which you want to remove session.
$this->session->unset_userdata('MemId');
What is the best way to securely login in a user and keep the user signed in with cookies and sessions?
For example:
Check if password and email are valid for a specific user
Set a cookie with arbitrary string
Create a session with the same arbitrary string
Validate each request by the user by making sure the arbitrary strings of the cookie and session are the same
What is the best way to securly login in a user and keep the user signed in with cookies and sessions?
Using an established library.
It depends on how you define "create a session". For our purposes here let's define this as "create a server-side data store with an id and set a cookie with that id"; i.e. what the default session_start() does. Then:
Ensure the connection is HTTPS.
Check login credentials.
If valid, create a session (see above) with a large, (pseudo-)random id and an expiration time as short as possible but as long as necessary. Security here comes from the fact that it's infeasible to guess suitably random session ids, so the longer they are and the shorter their window of validity is the better.
Store the id of the logged in user in the session.
On each page request, see if the session with the id from the cookie exists; if so, use the user id stored in it to get your logged in user.
Optionally storing and checking the user agent is not a bad idea; you should not check the IP address though, as that may change legitimately.
Apart from storing it in sessions , you can also follow this method for keeping an user logged in , even after he closes the browser ->
1) Create a cookie storing user details and an unique hash
2) Create a sessions table (in a mysql db or any other db of your choice) where the unique hash is stored against the user-id, and the user agent of the browser,and the ip address .
3) Next time when the user logs in check that when the user logs in , is it from the same ip,same user agent .. If not , then delete the database entry , and repeat steps 1 and 2.
Apart from keeping an user logged in , it also gives you better security than just storing in sessions.
I have found that Code Igniter has already ci_sessions table which stores users session ids in it. I understand the main purpose of that table. Just I want to clarify how I can validate with ci_session table data with my current user login session id?
Basically , I am trying to do User login one place at a time. Multiple login's to be prevented. How can I do this?
You couldn't do that with session ID's since logging in from another location would create a new session ID at that new location.
Store the userID to the session then check it on login.
$this->db->where('userId',$userId);
$result = $this->db->get('ci_session');
if($result->num_rows() > 0)
{
//log out old user, throw error, whatever
} else {
//continue with login
}
By storing the user id in the session data and adding it as a column to the sessions table, you can remove all sessions of that user id on login before the session data is created. This will invalidate any session of the same user. For further explanation on how to do this, see here: https://stackoverflow.com/a/9564433/89211
In my struts2 application, in the login action I am placing the user and role in the session.
I want to keep track of all the users who logged in so as to do stuff like following :
Avoid multiple login of same user-id.
Check wheather a user is looged in or not ! Or any body with role Admin is logged in or not !
and in some other actions !
How to do it any suggestion!
And also how to maintain the issues like
User close browser without loggin ! etc
Any material with more information of session can also realy help !
You can have a column in you user table called logged_in_time (timestamp type) and update it with the time when user logs in and make it null when user logs out.
Avoid multiple login of same user-id: : check if this columns alreadt has some value or not.
Check whether a user is looged in or not : check if that column is null or not.
User close browser without logging out : A schduler job may be, that runs at fixed interval of time to check the session(using sessionid may be) of the user and update this field accordingly.
Take a look at this discussion for further information. And another one.
In my application I have an administrator who can create Tournament objects. When the object is created the service also creates a user (based on the tournament director's info which was entered at creation). The username for the user is the director's e-mail, the password is randomly generated and then mailed to the director.
When the director logs on with his e-mail address and password, I need to be able to link him to his own tournament, in order to only allow him to edit his own tournament's details. I have tried to find a way to store the TournamentId in the default ASP Net Users database, but was unsuccessful.
I had a look at this SO question which would certainly help me, but I can't figure out how it would apply to my problem. When the user logs on, I can't put the TournamentId in the userdata seeing as I don't know it.
Should I then do a lookup in the Tournament table to see which ID corresponds to the email address entered at login and store that in the userData? It seems quite unelegant this way.
I guess you should have a CreatedBy column in your Tournament table where you store the ID of the user who created the tournament. Then when the user logged in, get his id ( may be from session ,if you store it there), Do a select query where CreatedBy=loggedInUserId .That should do the trick.