Identityserver4: Allow only one concurrent active session for user per application (client)

Created on 23 Jan 2017 · 10 Comments · Source: IdentityServer/IdentityServer4

I am using IdentityServer 4, ASP.NET Core Identity, Implicit flow (Javascript client).

I have a requirement from the business that a user should be allowed to be logged in to one application (client) from only one browser at a time. When a user logs in, the server should check his current active sessions to the same application from other browsers. If there are any, log out from everywhere else and keep only the newest session.

Is it possible to configure IdentityServer this way?

question


All 10 comments

This is out of scope for IdentityServer - you'd need to write your own logic by adding some code at login/logout time.

Closing for now - feel free to re-open if it needs further discussion.

Has anyone implemented this? I can't find much information about this anywhere; it may be worth an example or documentation on this per client base/IDM. As the PCI rules enforce this policy strictly, eventually the majority of applications would require this to be implemented.

In a restful world this is a challenge. There is only one place to control access, and that is at the resource server. Often that is also the client, but it could be any server on the net. It is at that point that the exclusion needs to be applied.

If the client and the resource server are not on the same box, then the client could help by creating a test for two signins by the same user. It also has the unique ability to detect that even if the user (as known by the client) has signins from multiple IdP.

As a general rule, however, proving a negative is never certain.

I have implemented this.
When a user logs in, the session id (IUserSession.GetSessionIdAsync) is manually stored in our database. The previous value of this database field is used to create a logout_token which I send to my clients. You can have a look at IdentityServer4.Infrastructure.BackChannelLogoutClient to figure out how to create the token and post it.
All this assumes you have backchannel logout implemented, of course.

@EdwinHauspie Could you give me details on how you did this implementation? I have the same need and I'm lost in it. :s

@WalissonPires

  • have backchannel logout implemented in your identity server setup and all your clients
  • when a user logs in via your identity server app, retrieve the previous IS session id, which you have persisted somewhere before
  • if the user is not allowed to have multiple sessions, create and send logout tokens to all your clients (see https://github.com/IdentityServer/IdentityServer4/blob/dev/src/Infrastructure/BackChannelLogoutClient.cs for coding hints)
  • sign in the user and persist the new IS session id (IUserSession.GetSessionIdAsync) for use in step 2
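The four steps above as a login handler, added here as an example and not code from the thread or the IdentityServer4 project. It assumes IdentityServer4 3.x/4.x, where IBackChannelLogoutService and LogoutNotificationContext exist (on the 2.x versions discussed above, BackChannelLogoutClient plays that role); ISingleSessionStore is a hypothetical persistence interface you implement yourself, and the client id list is assumed to be the clients configured with a BackChannelLogoutUri.

```csharp
// Added example, not from the thread or from IdentityServer4 itself.
// Assumes IS4 3.x/4.x (IBackChannelLogoutService); ISingleSessionStore is hypothetical.
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;

public interface ISingleSessionStore
{
    Task<string> GetSessionIdAsync(string subjectId);            // previous IS session id, or null
    Task SetSessionIdAsync(string subjectId, string sessionId);  // overwrite with the new one
}

public class SingleSessionLoginHandler
{
    private readonly SignInManager<IdentityUser> _signIn;
    private readonly IUserSession _userSession;          // IS4: exposes GetSessionIdAsync()
    private readonly IBackChannelLogoutService _backChannel;
    private readonly ISingleSessionStore _store;
    private readonly IReadOnlyCollection<string> _clientIds; // assumed: clients with a BackChannelLogoutUri

    public SingleSessionLoginHandler(SignInManager<IdentityUser> signIn, IUserSession userSession,
        IBackChannelLogoutService backChannel, ISingleSessionStore store,
        IReadOnlyCollection<string> clientIds)
    {
        _signIn = signIn; _userSession = userSession; _backChannel = backChannel;
        _store = store; _clientIds = clientIds;
    }

    // Returns true when the password was accepted and the single-session rule was applied.
    public async Task<bool> LoginAsync(string userName, string password)
    {
        var result = await _signIn.PasswordSignInAsync(userName, password,
            isPersistent: false, lockoutOnFailure: true);
        if (!result.Succeeded) return false;
        var user = await _signIn.UserManager.FindByNameAsync(userName);

        // Step 2: the IS session id persisted at the user's previous login (null on first login).
        var previousSid = await _store.GetSessionIdAsync(user.Id);

        // Step 3: send a logout_token for the OLD sid to every client so it drops that session.
        if (!string.IsNullOrEmpty(previousSid))
            await _backChannel.SendLogoutNotificationsAsync(new LogoutNotificationContext
            {
                SubjectId = user.Id, SessionId = previousSid, ClientIds = _clientIds
            });

        // Step 4: persist the sid IS4 attached to the cookie just issued, for the next login.
        await _store.SetSessionIdAsync(user.Id, await _userSession.GetSessionIdAsync());
        return true;
    }
}
```

Clients only honour the notification if they implement back-channel logout and compare the token's sid against their own stored session, so step 1 remains a prerequisite.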

@EdwinHauspie Thank you for the clarification. I'll follow in your footsteps.

It's awesome! I will follow your footsteps too @EdwinHauspie, thank you!

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
