ASP.NET  

How to Prevent Session Overlapping in Browser Through New Tab or Window

Assume there is a web application with a login module and more than one user or multiple users enter into the system with their various sessions.  Here, I will explain this scenario with an example.

I have a table named "UserData" that stores valid user data.



Step 1

Create a website named "Test_Website".



Step 2

Add some controls to the default page "Default.aspx" for login.

  • 1 TextBox for user ID
  • 1 TextBox for password
  • 1 button for Submit
  • 1 label for messages.



Which will look like:


Step 3

Write the Submit Button code to:

  • Validate the User Credentials.
  • Fetch the valid credentials from the database.
  • Match the credentials with the supplied values.
  • If the user is valid then redirect to another page with user session.
  • Else, return to the invalid user with the proper message.

 

  1. protected void btnSubmit_Click(object sender, EventArgs e) {  
  2.     //Validations  
  3.     if (txtUserID.Text == "") {  
  4.         lblmsg.Text = "Fill the UserID";  
  5.         return;  
  6.     }  
  7.     if (txtpwd.Text == "") {  
  8.         lblmsg.Text = "Fill the Password";  
  9.         return;  
  10.     }  
  11.     //Get the pwd from the database and match it with filled password  
  12.     using(SqlConnection connection = new SqlConnection()) {  
  13.         connection.ConnectionString = ConfigurationManager.ConnectionStrings["constr"].ToString();  
  14.         connection.Open();  
  15.         SqlCommand cmd = new SqlCommand();  
  16.         cmd.Connection = connection;  
  17.         string commandText = "Select pwd from UserData where UserID='" + txtUserID.Text + "'";  
  18.         cmd.CommandText = commandText;  
  19.         cmd.CommandType = CommandType.Text;  
  20.         object pwd = cmd.ExecuteScalar();  
  21.         cmd.Dispose();  
  22.         connection.Close();  
  23.         // macth the both passwords   
  24.         if (pwd != null && pwd.ToString().ToLower().Equals(txtpwd.Text.ToLower())) {  
  25.             Session["UserID"] = txtUserID.Text;  
  26.             // redirect to Home page   
  27.             Response.Redirect("Home.aspx");  
  28.         } else {  
  29.             lblmsg.Text = "Invalid User";  
  30.             return;  
  31.         }  
  32.     }  
  33. }  

 Step 4

I will now create a new page "Home.aspx" to show the user ID of the current user.



Write the following code in the page load event of "home.aspx", that will show the user ID of the current user.

  1. protected void Page_Load(object sender, EventArgs e)   
  2. {  
  3.     if (Session["UserID"] == null)   
  4.     {  
  5.         //Go to error page  
  6.     }   
  7.     else   
  8.     {  
  9.   
  10.         Response.Write("Welcome " + Session["UserID"].ToString());  
  11.     }  
  12. }  

Run the Page

Here, I will run the page after filling in the invalid credentials.


It will give the message "Invalid user".


Assuming I run the page with valid credentials, then:



It will redirect the default page to the home page and show the name of the current user.


Problem: What will happen if I open the login page or default page in another tab/window of the same browser? Let us see what will happen after login with another valid user.



Now the new user is logged into the system on the same browser.


But what will happen if the first user named "rahul" that exists in the first tab refreshes the page?

As you can see, the user "deepak" is replaced with the user "rahul".

This happens in real scenarios, where a multiple user login exists and they do the same thing. The problem will be more dangerous if some activity happens within the database.

Solution: You need to check that the session already exists or not during login.

If the session exists, then return by giving a proper message to the user.

 

  1. protected void btnSubmit_Click(object sender, EventArgs e) { //Validations  
  2.     if (txtUserID.Text == "")   
  3.     {  
  4.         lblmsg.Text = "Fill the UserID";  
  5.         return;  
  6.     }  
  7.     if (txtpwd.Text == "") {  
  8.         lblmsg.Text = "Fill the Password";  
  9.         return;  
  10.     }  
  11.     if (Session["UserID"] == null//if session is alive  
  12.     {  
  13.         //Get the pwd from the database and match it with filled password  
  14.         using(SqlConnection connection = new SqlConnection()) {  
  15.             connection.ConnectionString = ConfigurationManager.ConnectionStrings["constr"].ToString();  
  16.             connection.Open();  
  17.             SqlCommand cmd = new SqlCommand();  
  18.             cmd.Connection = connection;  
  19.             string commandText = "Select pwd from UserData where UserID='" + txtUserID.Text + "'";  
  20.             cmd.CommandText = commandText;  
  21.             cmd.CommandType = CommandType.Text;  
  22.             object pwd = cmd.ExecuteScalar();  
  23.             cmd.Dispose();  
  24.             connection.Close();  
  25.             if (pwd != null && pwd.ToString().ToLower().Equals(txtpwd.Text.ToLower())) // macth the both passwords  
  26.             {  
  27.                 Session["UserID"] = txtUserID.Text;  
  28.                 // redirect to Home page   
  29.                 Response.Redirect("Home.aspx");  
  30.             } else {  
  31.                 lblmsg.Text = "Invalid User";  
  32.                 return;  
  33.             }  
  34.         }  
  35.     } else //if session is not alive  
  36.     {  
  37.         lblmsg.Text = "Another User is already logged In, kindly close the current session or use another browser";  
  38.         return;  
  39.     }  
  40. }

Let us say that user "deepak" is logged in, and now I will try to login with another user's credentials named "rahul".



As you can see above, the system or application will not allow the new user to login if another user is already signed in.

Conclusion: Now, you can prevent this session from overlapping, either from the new tab or the new window in the same browser.

Membership not found