How to prevent multiple user logins in Asp.net

A common solution is to determine whether the user already exists in the Application when logging on to the user. If the user exists, an error is reported. If the user does not exist, it is added to the Application (the Application is shared by all sessions, the unique object of the entire web application ):
String strUserId = txtUser. Text;
ArrayList list = Application. Get ("GLOBAL_USER_LIST") as ArrayList;
If (list = null)
{
List = new ArrayList ();
}
For (int I = 0; I <list. Count; I ++)
{
If (strUserId = (list [I] as string ))
{
// The error message is displayed when you have logged on.
LblError. Text = "this user has logged on ";
Return;
}
}
List. Add (strUserId );
Application. Add ("GLOBAL_USER_LIST", list );


Of course, you can use Cache and other storage methods here.



The next step is to remove the user from the Application when the user exits. We can handle it in the Session_End event of Global. asax:

Void Session_End (object sender, EventArgs e)
{
// The code that runs when the session ends.
// Note: Only the sessionstate mode in the Web. config file is set
// The Session_End event is triggered only when InProc is used. If the session mode is set to StateServer
// Or SQLServer, the event is not triggered.
String strUserId = Session ["SESSION_USER"] as string;
ArrayList list = Application. Get ("GLOBAL_USER_LIST") as ArrayList;
If (strUserId! = Null & list! = Null)


{
List. Remove (strUserId );
Application. Add ("GLOBAL_USER_LIST", list );
}
}


There is no problem with this. The problem is that when you click the close button in the upper-right corner of the browser, the problem occurs. If the Session is closed directly, the Session expiration event will not be triggered immediately, that is, the Session will not be logged in after the browser is closed.



There are two processing methods:


1. Use Javascript

Add a piece of javascript code to each page:

Function window. onbeforeunload ()
{
If (event. clientX> document. body. clientWidth & event. clientY <0 | event. altKey ){
Window. open ("logout. aspx ");
}
}



Because the onbeforeunload method is executed when the browser is closed, refreshed, and the page is adjusted, You need to determine whether you have clicked the close button or pressed Alt + F4 to perform the true close operation.


Write the same method as Session_End in Page_Load of logout. aspx, and add the event onload = "javascript: window. close ()" to logout. aspx ()"


But there is still a problem. javascript may have different behaviors in different browsers, and it is not determined when it is closed through the file->.

2. Use the xmlhttp method (this method is not a problem after testing)

Add the following javascript to each page (these javascript can also be written in common, and each page can be introduced)



Var x = 0;
Function myRefresh ()
{
Var httpRequest = new ActiveXObject ("microsoft. xmlhttp ");
HttpRequest. open ("GET", "test. aspx", false );
HttpRequest. send (null );
X ++;
If (x <60) // 60 times, that is, the actual Session expiration time is 30 minutes.
{
SetTimeout ("myRefresh ()", 30*1000); // 30 seconds
}
}
MyRefresh ();



Set in web. config

<SessionState mode = "InProc" timeout = "1"> </sessionState>


The test. aspx page is an empty page, but you only need to add the following to Page_Load:

Response. Expires =-1;


Make sure that the cache is not used. You can call this page every time.

The principle is: Set the expiration time of the Session to one minute, and then regularly connect to the test page every 30 seconds on each page to keep the Session valid for 60 times in total, that is, 30 minutes. If the user does not perform the operation 30 minutes later, the Session will expire. Of course, if the user closes the browser directly, the Session will expire in one minute. In this way, the requirements can be met.