A few years ago I developed a web app for which we wanted to make sure the users weren’t sharing credentials.
One of the things we decided to do was only allow the user to be logged in from one computer at a time. The way I did this was to have a little iframe ping the server every N seconds; as long as the server had a heartbeat for a particular user (from a particular IP), that user was not allowed to log in from any other IP.
The solution, although approved by my manager, always seemed hacky to me. Also, it seems like it would be easy to circumvent.
Is there a good way to make sure a web app user only logs in once? To be honest, I never understood why management even wanted this feature. Does it make sense to enforce this on distributed apps?
I’ve implemented this by maintaining a hashtable of currently logged in users; the key was the username, and the value was their last activity time.
When logging in, you just check this hashtable for the key, and if it exists, reject the login.
When the user does anything, you update the hashtable with the time (This is easy if you make it part of the core page framework).
If the time in the hashtable shows more than 20 minutes of inactivity, you remove them. You can do this every time the hashtable is checked, so even if you only had one user, and they tried to log in several hours later, during that initial check it would remove them from the hashtable for being idle.
Some examples in C# (Untested):
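An added example of the registry this answer describes, written in Python rather than C# and not the answer's own code: usernames map to a last-activity timestamp, a login is refused while a live entry exists, every check first evicts idle entries, and a lock guards the table because two near-simultaneous logins for the same user must not both pass. The injectable `clock` and the explicit `logout` method are my additions.

```python
import time
from dataclasses import dataclass, field
from threading import Lock
from typing import Callable, Dict

IDLE_TIMEOUT_SECONDS = 20 * 60  # the 20-minute idle window from the answer


@dataclass
class SessionRegistry:
    """Single-active-login registry: username -> last activity time.

    `clock` is injected (assumption, for deterministic testing) and
    defaults to time.time(). The lock matters because a web server
    handles requests concurrently.
    """
    idle_timeout: float = IDLE_TIMEOUT_SECONDS
    clock: Callable[[], float] = time.time
    _active: Dict[str, float] = field(default_factory=dict)
    _lock: Lock = field(default_factory=Lock)

    def _expire_idle(self, now: float) -> None:
        # Run on every check, as the answer suggests, so a stale entry
        # never blocks a user who simply closed the browser.
        stale = [u for u, last in self._active.items()
                 if now - last > self.idle_timeout]
        for user in stale:
            del self._active[user]

    def try_login(self, username: str) -> bool:
        """Record a session and return True unless a live one exists."""
        now = self.clock()
        with self._lock:
            self._expire_idle(now)
            if username in self._active:
                return False  # already logged in elsewhere
            self._active[username] = now
            return True

    def touch(self, username: str) -> None:
        """Refresh last-activity time; call from the core page framework."""
        with self._lock:
            if username in self._active:
                self._active[username] = self.clock()

    def logout(self, username: str) -> None:
        # Releases the slot immediately instead of waiting out the window.
        with self._lock:
            self._active.pop(username, None)

    def is_active(self, username: str) -> bool:
        with self._lock:
            self._expire_idle(self.clock())
            return username in self._active
```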