Assume a web application with a login module, where multiple users sign in to the system, each with their own session. Here, I will explain the session-overlap scenario with an example.
I have a table named "UserData" that stores valid user data.
Step 1
Create a website named "Test_Website".
Step 2
Add some controls to the default page "Default.aspx" for login.
- 1 TextBox for user ID
- 1 TextBox for password
- 1 button for Submit
- 1 label for messages.
Step 3
Write the Submit Button code to:
- Validate the User Credentials.
- Fetch the valid credentials from the database.
- Match the credentials with the supplied values.
- If the user is valid then redirect to another page with user session.
- Otherwise, return a proper message to the invalid user.
```csharp
// Requires: using System; using System.Configuration;
//           using System.Data; using System.Data.SqlClient;
protected void btnSubmit_Click(object sender, EventArgs e)
{
    if (txtUserID.Text == "")
    {
        lblmsg.Text = "Fill the UserID";
        return;
    }
    if (txtpwd.Text == "")
    {
        lblmsg.Text = "Fill the Password";
        return;
    }

    object pwd;
    using (SqlConnection connection = new SqlConnection(
        ConfigurationManager.ConnectionStrings["constr"].ConnectionString))
    using (SqlCommand cmd = new SqlCommand(
        "SELECT pwd FROM UserData WHERE UserID = @UserID", connection))
    {
        cmd.CommandType = CommandType.Text;
        // Bind the user ID as a parameter instead of concatenating it into
        // the SQL text, so the input cannot change the query (SQL injection).
        cmd.Parameters.AddWithValue("@UserID", txtUserID.Text);
        connection.Open();
        pwd = cmd.ExecuteScalar();
    }

    // Compare the password exactly; lower-casing both sides would accept
    // any casing of the password. (The demo table stores the password as
    // plain text; a real application should store a salted hash.)
    if (pwd != null && pwd.ToString().Equals(txtpwd.Text, StringComparison.Ordinal))
    {
        // Valid user: store the user ID in the session and go to the home page.
        Session["UserID"] = txtUserID.Text;
        Response.Redirect("Home.aspx");
    }
    else
    {
        lblmsg.Text = "Invalid User";
        return;
    }
}
```
Step 4
I will now create a new page "Home.aspx" to show the user ID of the current user.
Write the following code in the page load event of "Home.aspx", which will show the user ID of the current user.
```csharp
protected void Page_Load(object sender, EventArgs e)
{
    if (Session["UserID"] == null)
    {
        // No user is logged in for this browser session; nothing is shown.
    }
    else
    {
        // Show the user ID held in the session, HTML-encoded before output.
        Response.Write("Welcome " + Server.HtmlEncode(Session["UserID"].ToString()));
    }
}
```
Run the Page
Here, I will run the page after filling in the invalid credentials.
It will give the message "Invalid user".
Assuming I run the page with valid credentials, then:
It will redirect from the default page to the home page and show the name of the current user.
Problem: What will happen if I open the login page or default page in another tab/window of the same browser? Let us see what will happen after login with another valid user.
Now the new user is logged into the system on the same browser.
But what will happen if the first user named "rahul" that exists in the first tab refreshes the page?
As you can see, the user "deepak" is replaced with the user "rahul".
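This happens in real scenarios, wherever an application has multiple user logins and users sign in from several tabs of the same browser. All tabs and windows of one browser share the same session, so the last login overwrites Session["UserID"] for every open tab. The problem is more dangerous if the page performs some activity within the database, because that activity then runs under the wrong user.
Solution: During login, you need to check whether a session already exists.
If the session exists, then return with a proper message to the user.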
```csharp
// Requires: using System; using System.Configuration;
//           using System.Data; using System.Data.SqlClient;
protected void btnSubmit_Click(object sender, EventArgs e)
{
    if (txtUserID.Text == "")
    {
        lblmsg.Text = "Fill the UserID";
        return;
    }
    if (txtpwd.Text == "")
    {
        lblmsg.Text = "Fill the Password";
        return;
    }

    // Refuse a second login while this browser session already has a user.
    if (Session["UserID"] != null)
    {
        lblmsg.Text = "Another User is already logged In, kindly close the current session or use another browser";
        return;
    }

    object pwd;
    using (SqlConnection connection = new SqlConnection(
        ConfigurationManager.ConnectionStrings["constr"].ConnectionString))
    using (SqlCommand cmd = new SqlCommand(
        "SELECT pwd FROM UserData WHERE UserID = @UserID", connection))
    {
        cmd.CommandType = CommandType.Text;
        // Parameterized query: the user ID is never concatenated into the SQL text.
        cmd.Parameters.AddWithValue("@UserID", txtUserID.Text);
        connection.Open();
        pwd = cmd.ExecuteScalar();
    }

    // Exact, case-sensitive password comparison.
    if (pwd != null && pwd.ToString().Equals(txtpwd.Text, StringComparison.Ordinal))
    {
        Session["UserID"] = txtUserID.Text;
        Response.Redirect("Home.aspx");
    }
    else
    {
        lblmsg.Text = "Invalid User";
        return;
    }
}
```
Let us say that user "deepak" is logged in, and now I will try to log in with the credentials of another user named "rahul".
As you can see above, the system or application will not allow the new user to login if another user is already signed in.
Conclusion: Now you can prevent sessions from overlapping, whether the second login comes from a new tab or a new window in the same browser.
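The login check stops a second sign-in, but a tab that was rendered earlier still shares the same session cookie, so if the user in the session changes (for example after a session timeout and a new login) that tab's postbacks would run under the new user. The following is an added example, not part of the original article: a Home.aspx code-behind that refuses such postbacks before any database work happens. The class name, the controls lblUser, lblmsg and btnSave, and the ViewState key are assumptions made for this example.

```csharp
using System;
using System.Web.UI;

// Added example: code-behind for Home.aspx. The class name, lblUser, lblmsg,
// btnSave and the ViewState key are assumptions, not part of the article.
public partial class Home : Page
{
    private const string RenderedForKey = "RenderedForUser";

    protected void Page_Load(object sender, EventArgs e)
    {
        string sessionUser = Session["UserID"] as string;
        if (sessionUser == null)
        {
            // No login in this browser session: send the visitor to the login page.
            Response.Redirect("Default.aspx");
            return;
        }
        if (!IsPostBack)
        {
            // First render in this tab: record whose page this is.
            // ViewState is integrity-protected (MAC) by default in ASP.NET.
            ViewState[RenderedForKey] = sessionUser;
            lblUser.Text = Server.HtmlEncode("Welcome " + sessionUser);
        }
    }

    // True only when the session still belongs to the user this tab was rendered for.
    private bool TabMatchesSession()
    {
        string renderedFor = ViewState[RenderedForKey] as string;
        string sessionUser = Session["UserID"] as string;
        return renderedFor != null
            && string.Equals(renderedFor, sessionUser, StringComparison.Ordinal);
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        if (!TabMatchesSession())
        {
            // Stale tab: refuse the action instead of running it as the new user.
            lblmsg.Text = "The signed-in user has changed. Reload the page and try again.";
            return;
        }
        // Safe to proceed: act on behalf of Session["UserID"] only,
        // never on a user ID taken from the form or ViewState.
        lblmsg.Text = "Saved.";
    }
}
```

The ViewState value is used only to detect a stale tab; the identity used for the database work still comes from the session.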