Monday, April 18, 2016

Web Security: Duplicate Authentication Checking

Designing the database, login and logout processes to prevent duplicate logins with the same user ID.
Recently, I received a requirement from a user that a user account should be allowed to log in from only a single computer at any time. In security terms, this is called 'Duplicate Authentication Checking'.

What I designed here is: if a user logs in from a first computer and then logs in again from a second computer (or from a different browser on the first computer) using the same account, the second login attempt will still succeed, but the first login will be signed out automatically.


Table of Contents

1 Database Design
2 Login Process
3 Request Validation Process
4 Logout Process

Database Design

The columns in the database table are as follows:

The token stored in the database will be used for checking duplicate logins. (I will describe this in more detail in the next section.)

As a best practice, you should not store the clear-text password or token in the database; this prevents an attacker who gains access to this table from hijacking sessions or stealing user passwords. You should store a hash of it instead.

In C#, you can compute the hash using this code:
using System;

// Returns the SHA-256 digest of the input as an uppercase hex string
// (an empty input yields an empty string rather than a digest).
public static string GetStringSha256Hash(string text)
{
    if (String.IsNullOrEmpty(text))
        return String.Empty;

    using (var sha = new System.Security.Cryptography.SHA256Managed())
    {
        byte[] textData = System.Text.Encoding.UTF8.GetBytes(text);
        byte[] hash = sha.ComputeHash(textData);
        // BitConverter gives "AB-CD-..."; strip the dashes to get plain hex.
        return BitConverter.ToString(hash).Replace("-", String.Empty);
    }
}

Login Process


The login process starts by checking the username and password against the database. If they are valid, the server generates a unique random string as the token and stores it in the database.

In C#, the token can be generated using this code:
string token = Convert.ToBase64String(Guid.NewGuid().ToByteArray());

Request Validation Process


After the user has successfully logged in, a request is valid if and only if the session token is not empty and matches the token in the database.

Here is the benefit of using the token: if a session token exists but does not match the database, it means that someone logged in from another computer, which renewed the token in the database. Thus, this session is invalid.

You may wonder why I don't prefer a process like this: if a user is logged in on some computer, then no login attempt with the same account should be allowed from any other computer until the current user logs out.

Here is the answer: I don't prefer the process above because many users forget to log out, or have an accident that prevents them from logging out (e.g. computer power loss, connection loss, BSOD, etc.). The server would then think the user is still logged in and never allow them to log in again! So, to solve this problem, my design allows the user to re-login as many times as they want, but makes any previous login invalid.

Logout Process


The logout process is straightforward. I just delete the token from the database, but only if the token in the database matches the session token. I have to do it this way to prevent mistakenly deleting the token of a user who has re-logged in from somewhere else.
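The four sections above (table layout, login, request validation, logout) are steps of one design, so here is the whole flow as an added, self-contained Python example. It is not the author's C# code and not taken from the post: it uses an in-memory sqlite3 table as a stand-in for the (unshown) users table, a PBKDF2 salted hash for the password and plain SHA-256 for the random token, and draws the token from the `secrets` module rather than a GUID. Table and column names, the work factor, and the `AuthStore` class are all assumptions made for the example. The `demo()` function walks through the scenario the post describes: a second login invalidates the first, and a stale logout cannot remove the newer token.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed schema standing in for the post's (unshown) users table:
# one row per user, holding a salted password hash and the hash of the
# currently valid login token (NULL when nobody is logged in).
SCHEMA = """
CREATE TABLE users (
    username   TEXT PRIMARY KEY,
    pw_salt    BLOB NOT NULL,
    pw_hash    BLOB NOT NULL,
    token_hash TEXT
)
"""

PBKDF2_ROUNDS = 200_000  # assumed work factor for the password KDF


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow KDF for the user's password (deliberately not bare SHA-256).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hash_token(token: str) -> str:
    # Plain SHA-256 is adequate for a high-entropy random token, as in the post.
    return hashlib.sha256(token.encode("utf-8")).hexdigest().upper()


class AuthStore:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.db.execute(
            "INSERT INTO users (username, pw_salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, hash_password(password, salt)))
        self.db.commit()

    def login(self, username: str, password: str):
        """Return a fresh session token on success, None on failure.
        Writing the new token hash overwrites the old one, so any earlier
        session for this account stops validating from now on."""
        row = self.db.execute(
            "SELECT pw_salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:
            return None
        salt, stored = row
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)  # CSPRNG-backed, unlike a GUID
        self.db.execute("UPDATE users SET token_hash = ? WHERE username = ?",
                        (hash_token(token), username))
        self.db.commit()
        return token

    def is_valid(self, username: str, session_token) -> bool:
        """Request validation: token must be non-empty and match the database."""
        if not session_token:
            return False
        row = self.db.execute(
            "SELECT token_hash FROM users WHERE username = ?", (username,)).fetchone()
        if row is None or row[0] is None:
            return False
        return hmac.compare_digest(row[0], hash_token(session_token))

    def logout(self, username: str, session_token: str) -> bool:
        """Clear the stored token only if it still belongs to this session,
        so a stale tab logging out cannot knock out a newer login."""
        cur = self.db.execute(
            "UPDATE users SET token_hash = NULL WHERE username = ? AND token_hash = ?",
            (username, hash_token(session_token)))
        self.db.commit()
        return cur.rowcount == 1


def demo() -> dict:
    # Constructed walkthrough of the post's scenario: two logins, then logouts.
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    first = store.login("alice", "correct horse battery staple")
    second = store.login("alice", "correct horse battery staple")
    return {
        "first_valid": store.is_valid("alice", first),          # False: superseded
        "second_valid": store.is_valid("alice", second),        # True
        "stale_logout": store.logout("alice", first),           # False: no match
        "second_still_valid": store.is_valid("alice", second),  # True
        "real_logout": store.logout("alice", second),           # True
        "after_logout": store.is_valid("alice", second),        # False
    }


if __name__ == "__main__":
    print(demo())
```

The compare-and-clear in `logout` is the point the post makes about not deleting a re-logged-in user's token: the match is done inside the single UPDATE statement, so there is no window between reading the token and deleting it. `hmac.compare_digest` keeps the hash comparisons constant-time.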


Happy Coding!
