Prevent multiple logins and limit max users

    #16
    Re: Prevent multiple logins and limit max users

    How do you propose to keep track of the total number of logged in users so they don't exceed their maximum?

    Comment


      #17
      Re: Prevent multiple logins and limit max users

      Every time they log in or log out he is creating a record of it.

      He is also tracking their session expiration time.

      So at any point he knows who is logged in or who forgot to logout and their session has expired.

      Comment


        #18
        Re: Prevent multiple logins and limit max users

        I am recording all of that along with the user agent and IP address. So now we're back to the reply I gave you originally about how this doesn't prevent an unscrupulous user from logging in with the same credentials multiple times because somewhere along the line I've got to remove the user record if they forget to log out and close their browser. In any event, I do like your idea of showing the company a list of current logins although this app is for a niche market and most of my clients only have one or two users and not more than five.

        Comment


          #19
          Re: Prevent multiple logins and limit max users

          In each UX you can set up a session timeout warning.

          If that time out expires, then you can have it return to the login page.

          Comment


            #20
            Re: Prevent multiple logins and limit max users

            I meant to add - Of course, that doesn't do any good if they close their browser window without logging out.

            Comment


              #21
              Re: Prevent multiple logins and limit max users

              Trust me, I've tried a dozen different approaches and there's always a way to "beat the system". I'm in agreement with you in that I couldn't care less if they login 3 times with the same credentials or 3 different users as long as they don't exceed their licensed user count. I have several checks in place when a user attempts to login but the two most important are making sure that the login would not exceed the max user count and if they're already logged in (because there's a record in the logged in user table and they might have forgotten to logout) then I prompt them to either logout from the other session (if it's still open) or I display the number of minutes/seconds until it times out and then they can login again. If it's legit then the only downside is they have to wait a few minutes before logging in again, depending on how far they were into the session. But if it's someone trying to get tricky and there is another user still using the session then it will get updated every time there's an ajax callback and the second user will never be able to login with those credentials. All in all, I feel I've got it locked down fairly tight and although there might be other ways to accomplish what I'm trying to do I'm happy with what I have.

              Comment


                #22
                Re: Prevent multiple logins and limit max users

                I've received a few requests asking to post some of the code but most of it is very straightforward and I'm sure most of you know what you're doing so I'm just going to give an overview of the process and if anyone needs help with any particular piece then let me know and I'll post it. I did feel that 12 minutes was a little too quick for the session timeout so I've bumped it to 30 so it's less restrictive. Most of my clients keep a separate browser open to run my app anyway so it's not really an issue unless they have a power outage or something. I'm also displaying a session timeout warning on each page before the session expires with an extension option.

                1) I created a logged in user's table that stores the user ID, session ID, IP address, user agent and last activity timestamp. Much of this is just to help identify the source of a locked out user. Per someone's suggestion above, I'll probably add some of this info to the user list they already have access to.

                2) When the user attempts to login, I use the canAjaxCallback event to see if logging in is what they're trying to do and then run the validation tests. First I make sure the user ID is in the registered user table for all users so if they aren't I don't waste any more time. If it is a valid ID then I check if there's already a record in the logged in user table for that ID.

                3) If there is a record in the user table then I compare the current time to the last activity timestamp to see if their session has timed out. If it has then I allow them to continue on to the onLogin event for further processing. If it hasn't then I check to see if the session ID matches that in the logged in user table. If it does then I allow them to continue on to the onLogin event for further processing. If it doesn't (or doesn't exist) then I display a message with two options: a) go back and log out of the other session or, b) wait for the session to time out where I'm showing them the minutes/seconds remaining.

                4) In the onLogin event, I determine if the login was successful and if so, I check again to see if they're already in the logged in user table to determine if I need to do a sql update or a sql insert. In other words, if it's a new user logging in then I insert a record into the logged in user table but if the user's session timed out then I simply update the last activity timestamp.

                5) While logged in, I have a reset timer function in the afterAjaxCallback events that updates the last activity timestamp whenever there's server activity. This does add a little overhead but I haven't noticed too much of a performance hit. If I do, then I'll look into implementing Redis or similar.

                Thanks again for everyone's input.

                Comment
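The login flow from steps 1-5 of post #22, together with the licensed-user check from post #21, as an added Python/SQLite example that is not the poster's Alpha Anywhere code. The table, column and function names are assumptions, the seat limit is applied to a single client, timestamps are plain seconds, and the caller is assumed to have already verified the password.

```python
import sqlite3

SESSION_TIMEOUT = 30 * 60  # seconds; the post settled on a 30-minute timeout

def open_db():
    # Step 1: one row per logged-in user (table and column names are assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logged_in (user_id TEXT PRIMARY KEY, session_id TEXT,"
               " ip TEXT, user_agent TEXT, last_activity REAL)")
    return db

def try_login(db, user_id, session_id, ip, agent, now, registered, max_users):
    """Steps 2-4. Returns ('ok', 0) or (reason, seconds_until_retry)."""
    if user_id not in registered:
        return ("unknown_user", 0)
    cutoff = now - SESSION_TIMEOUT  # rows at or before this have timed out
    row = db.execute("SELECT session_id, last_activity FROM logged_in"
                     " WHERE user_id = ?", (user_id,)).fetchone()
    # Step 3: a live row held by a different session blocks the login.
    if row and row[1] > cutoff and row[0] != session_id:
        return ("already_logged_in", int(row[1] - cutoff))
    # Licence check from post #21: count other users whose sessions are live.
    live = db.execute("SELECT COUNT(*) FROM logged_in WHERE last_activity > ?"
                      " AND user_id <> ?", (cutoff, user_id)).fetchone()[0]
    if live >= max_users:
        return ("seat_limit", 0)
    # Step 4: insert for a new login, overwrite a timed-out or same-session row.
    with db:
        db.execute("INSERT OR REPLACE INTO logged_in VALUES (?, ?, ?, ?, ?)",
                   (user_id, session_id, ip, agent, now))
    return ("ok", 0)

def touch(db, user_id, session_id, now):
    # Step 5: refresh the timestamp on server activity. False means this
    # session no longer owns the row and should be sent back to login.
    with db:
        cur = db.execute("UPDATE logged_in SET last_activity = ? WHERE user_id = ?"
                         " AND session_id = ?", (now, user_id, session_id))
    return cur.rowcount == 1

def logout(db, user_id, session_id):
    # A proper logout frees the seat immediately instead of waiting for timeout.
    with db:
        db.execute("DELETE FROM logged_in WHERE user_id = ? AND session_id = ?",
                   (user_id, session_id))
```

Timed-out rows are never deleted here; they simply stop counting toward the seat limit and are overwritten on the next login, which covers the closed-browser case raised in posts #18 and #20.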


                  #23
                  Re: Prevent multiple logins and limit max users

                  Ok, I did some googling to try and see how other folks do this too because I was also curious.

                  From what I read, what about something like this?

                  > Each login to system log the userID, and IP Address.
                  > Each "proper" logout delete this record.

                  On each Login:
                  > Check to see if there is an active session in your log table by the users ip address and userID that matches the IP they have now.
                  > If TRUE don't do anything or maybe tell them "Hey next time logout properly and you won't get this annoying messagebox!"
                  > If FALSE prompt user and say hey you want to reconnect? If Yes update the record with this new IP.

                  On each page navigation:
                  > Check the userID and IP address of the session against your log table. If it is different, log them out, reset session, and redirect them to the login screen.

                  This should work because you'll be updating the IP on login (Either a reconnect or a new session) and only checking on navigation.

                  An existing connected person will check against the existing records and be hit with a mismatch if someone logged in with their ID somewhere else while they were working away at this pc. They'll then get thrown back to login. Kind of like an Optimistic Concurrency check. You could even have it tell them the IP address of the other system that is using their ID now.

                  It might work. Haven't tested it myself.

                  Comment


                    #24
                    Re: Prevent multiple logins and limit max users

                    Per my last post, although I couldn't find one that couldn't be defeated, there are probably other ways to accomplish the same task but my method works well and I'm happy with it. I will tell you that I've been down the IP address path and that definitely does not work. Whether you're using Request.GetHeader("x-forwarded-for") or Request.Remote_Addr to get the IP address, if the users are behind a firewall or proxy (and who isn't?) then all computers will return the same IP address.
                    Last edited by TheDuke; 02-16-2018, 07:00 PM.

                    Comment


                      #25
                      Re: Prevent multiple logins and limit max users

                      The truth is that today it is important to hide the real IP. This is essential for servers and the only way to avoid problems. If your domain name points to your server's real IP, you are looking for trouble. For example, there is no way you can protect your server from a DDoS attack. If you face one, it is too late to do anything with that IP. The only way to go on is to change the server IP and hide it.

                      Comment
