Prevent Multiple Login Using the Same User Name and Password

How to prevent multiple logins from same user?

Take a look at this it protect you from Cross-Site Request Forgery and you can check if user had logged in.
Try: save csrf token to db, then check if users token same that in db...
If not: unset cookie and session for this user and return him to Sign In page;
If yes: do your stuff

How to prevent multiple logins using same username?

If you give every user their own database role, Postgres can handle this for you (along with the rest of the authentication process):


This has a number of other benefits, like fine-grained access control via grants and row-level policies, and access to a much wider range of authentication methods.

If this isn't an option, the simplest approach is probably to acquire a session-level advisory lock on login, i.e.:

SELECT pg_try_advisory_lock(<userid>)

This will return true if you have successfully acquired the lock, or false if the lock for that userid is already held by someone else. Once acquired, the lock will be held for the rest of your session, and will be automatically released on disconnect.

Keep in mind that you're just locking an arbitrary number, so you need to be sure that no other process is locking the same number for an unrelated reason. A common way of managing this is to call the two-argument version of pg_try_advisory_lock(), and scope the lock to your users table by passing in the table's internal identifier:

SELECT pg_try_advisory_lock('users'::regclass::int, <userid>)

How to prevent multiple login from single user name

The type attribute needs to include the namespace:

<add name="SingleSessionEnforcement" type="Demo1.SingleSessionEnforcement" />

In site how to prevent multiple logins of same user id?

There could be several possibilities. A quick response is:

  1. Maintain a flag in database; upon every login/out update the flag. For instance, upon every authentication request you can reject the login request if the flag is already true.

  2. Alternatively, you can maintain a list of users in the Application object and use .Contains to see if it already exists.


Lets try the database flag option; and assume that you have a method called StillLoggedIn(User) that updates the date/time and flag.

So, when user logs in:

  1. The app is going to authenticate the user and set flag=1, and mark a date/time stamp.
  2. For subsequent requests, the app would call StillLoggedIn(User);

  3. Prepare a windows service that would browse the database from time to time(lets say after 5 minutes if you have 10000 users). The service would compare the database date/time with the current date/time and mark the flag as 0 if the currentTime minus lastUsedTime is greater than, lets say, 5 minutes.

It could be anything besides a database and windows service.

Related Topics

Leave a reply