6.11. Enforcing Single Logons and Logouts

A question that comes up from time to time is the desire to ensure the following behavior when users login with forms authentication:

  • Users should be allowed to login once, and only once. If they attempt to log in a second time in an application, the login should be rejected.

  • If users explicitly log out, the fact that they logged out should in some way be remembered to prevent replaying previous authentication tickets.

Both of these design questions highlight the fact that forms authentication is a lightweight mechanism for enforcing authentication. Forms authentication as a feature does not have any back-end data store. As a result there isn't an out-of-box solution that automatically keeps track of login sessions and subsequent logouts. However, with a little bit of coding, it is possible to deal with both scenarios in ASP.NET 2.0 and ASP.NET 3.5.

The solution outlined in this section relies on the Membership feature of ASP.NET 2.0 and ASP.NET 3.5. There is an extensive discussion of extending Membership in Chapters 11, 12 and 13. However, because this chapter deals with forms authentication, it makes more sense to show the Membership-based solution at this point rather than deferring it. Because Membership is designed to work hand-in-hand with forms authentication, it is a logical place to store "interesting" information about the logged-in or logged-out state of a user account. Of course, you could write your own database solution for ...

Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.