Serenity: Limit user to single access and data modification concurrency

I would personnally implement this using database as it's the main shared ressource.

Yes, a flag in database I think.
I wanted to know if there is already a system in serenity for not have to reinvent the wheel.

There's nothing I've seen out of the box (yet). This _can_ get complex quickly and can sometimes lock out users unintentionally. i.e. when a user doesn't log out, but just closes the browser. SignalR might help with real-time checking. I'd like to know what you find though!

If you are working with Oracle, the way i used to implement this is to check v$session view to identify if a user is already connected to the database (where TYPE='USER').

select * from v$session where type='USER'

Thanks @edwardch and @kilroyFR
I try to implement my own and share if I have success.
For now I find this article https://docs.microsoft.com/en-us/sql/relational-databases/triggers/logon-triggers
Keep this open for update and advice

You shouldn't try to implement this on sql side, your user doesn't access SQL with a specific user.

Thanks @volkanceylan
Can I try to implement with a flag in user table?
I can try using https://msdn.microsoft.com/en-us/library/ms178583.aspx

Hi @Estrusco,

yes you can - but as @edwardch says - this can get complex.

For example: How do you make sure that the user can again log in when he/she just closed the browser instead of properly log out? (how do you reset the user flag in that case in order that he/she can log in again immediately?)

As Edwardch says: You possibly can track an open/closed browser session with SignalR / web sockets in real time.

Good luck - and if you have a stable working Version - please share :-)

With Kind regards,

John

I'd rather use Redis or some distributed cache for that, but if you only have one server, e.g. not webfarm, in memory cache would do fine as well. Keep an OnlineUntil field, and when user logins / does some action e.g. by adding some code in global.asax RequestStart, update that value to 5 mins later, in SQL / redis / memory cache.

When user properly logs out, clear OnlineUntil for that user, if it doesn't you shouldn't let him login 5 mins, or if you need to let him in but sign other one out, thats another story, and not trivial.

@Estrusco I believe that there are some searched that may help you:

• https://stackoverflow.com/questions/24286489/how-do-i-forcefully-propagate-role-changes-to-users-with-asp-net-identity-2-0-1

• https://stackoverflow.com/questions/15903574/when-the-same-user-id-is-trying-to-log-in-on-multiple-devices-how-do-i-kill-the

Thank you guys! I take a look and when I will have update I will post here.

Hi guys!

With explanation in the link suggested by @brunobola https://stackoverflow.com/questions/15903574/when-the-same-user-id-is-trying-to-log-in-on-multiple-devices-how-do-i-kill-the and with this link discovered by me https://www.codeproject.com/Articles/1095295/Check-Session-Timeout-by-Using-ActionFilters-in-MV

I have started to implement user access limitation.
With this implementation when an user 'Test' login from a location, a record is inserted in table LoginsLimit. When the same user access 'Test' from another location, the firt one si logged out.

With the use of Action Filters is simple add this behavior in all action method or controller.

You can see temporary complete code at https://github.com/Estrusco/LimitUserAccess/tree/master

In AccountPage.cs there are modify in Login (post) and Signout method.
In DashboardPage.cs there is LoginLimit attribuite for test.
In folder LoginLimit are code files.

Now, there are some issue:

• in AccountPage.cs, after WebSecurityHelper.Authenticate, the Authorization.UserDefinition in some case is null and I get an exception. After page refresh all works. I don't understand why... it's to investagate (resolved using Username instead UserId and then avoid using of Authorization.UserDefinition in login).
• before force the logout of prev user, would be nice to send an alert message to user. (ok, added)
• also it could be possible to change behavior and deny the access to last user. For this we have to intercept the browser close without logout....
• add clean logic in login for records that match username but are logged off (ok, added)

@volkanceylan have you time to take a look a this implementation? What do you think about this?

I didn't have a project that needs this yet, so didn't have a look, but Serenity auth is based purely on MVC forms auth so any method you find for another project should apply to Serenity as well

OK thanks. I keep https://github.com/Estrusco/LimitUserAccess/tree/master repository updated, if anyone want to see the code.

👍

Hi! @Estrusco "Also, is there a system for concurrency check in dialog data modification?" Did you solve this issue?

@Zahar661 you can see this wiki entry https://github.com/volkanceylan/Serenity/wiki/Database:-Optimistic-locking-support-for-MS-SQL-Server-by-hannesb