Open Closed

Prevent concurrent login in different browsers #6127


User avatar
0
Priyanka created

In my application, I'm doing external login (ADFS login), once it is success on ExternalLogincallback, I'm calling ExternalLoginSignInAsync as below

var result = await SignInManager.ExternalLoginSignInAsync( loginInfo.LoginProvider, userName, isPersistent: false, bypassTwoFactor: true );

once it is also successful, I'm calling below function

await SignInManager.SignInAsync(user, false);

but using these steps I'm not able to prevent concurrent login in two browsers, I have found the existing solution https://support.abp.io/QA/Questions/1023/How-to-prevent-ConCurrent-Users-from-logging-in-using-the-same-user-credentials

By following this I can add MyAbpClaimsPrincipalContributor and MyAbpClaimsService but I'm not sure, how I can implement in my application, could you please help me where can I use this in my application when I'm using ExternalLoginSignInAsync and SignInAsync.

ABP Framework version: v5.3.2

UI Type:React

Database System: EF Core (SQL Server)

Tiered (for MVC) or Auth Server Separated (for Angular): yes

Exception message and full stack trace:NA

Steps to reproduce the issue: Call ExternalLoginSignInAsync and SignInAsync


11 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    We have an example you can check: https://github.com/abpframework/abp-samples/tree/master/ConcurrentLogin

  • User Avatar
    0
    Priyanka created

    As per the sample code, I need to add like this

    user.SetProperty(ConcurrentLoginConsts.ConcurrentLoginToken, Guid.NewGuid().ToString("N")); await UserManager.UpdateAsync(user); return await base.PasswordSignInAsync(user, password, isPersistent, lockoutOnFailure);

    In sample code we are using PasswordSignInAsync, will it work with SignInAsync as well? or SignInWithClaimsAsync is required after adding this ?

    If I just add this code, will it be enough?

                  user.SetProperty("ConCurrentUserId", Guid.NewGuid().ToString("N"));
                    await UserManager.UpdateAsync(user);
                    await SignInManager.SignInAsync(user, false);
    
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    If I just add this code, will it be enough?

    It looks fine.

  • User Avatar
    0
    Priyanka created

    I tried this, but still, I'm able to do the login in two different browsers at the same time.

    What is the purpose for adding ConCurrentUserId property and how it will be useful? Also, on every login we need to assign same value for same user or different value?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    What is the purpose for adding ConCurrentUserId property and how it will be useful

    It stores the currently loggedin concurrent ID and adds it to user claims.

    Check the concurrent ID in the middleware, logout if it is different.

    https://github.com/abpframework/abp-samples/blob/master/ConcurrentLogin/src/ConcurrentLogin.Web/ConcurrentLoginWebModule.cs#L264

  • User Avatar
    0
    Priyanka created

    What is the purpose for adding ConCurrentUserId property and how it will be useful

    It stores the currently loggedin concurrent ID and adds it to user claims.

    Check the concurrent ID in the middleware, logout if it is different.

    https://github.com/abpframework/abp-samples/blob/master/ConcurrentLogin/src/ConcurrentLogin.Web/ConcurrentLoginWebModule.cs#L264

    Thank you, this is working but it is not redirecting to login page for previous browser

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Could you explain it in detail? thanks

  • User Avatar
    0
    Priyanka created

    Hi,

    Could you explain it in detail? thanks

    using this code, it is not redirecting to login page, I want if new session is active in new browser, then the previous browser's application should redirect to login page.

    if (httpContext.User.Identity != null && httpContext.User.Identity.AuthenticationType == "Identity.Application")
                        {
                            await httpContext.RequestServices.GetRequiredService<AbpSignInManager>().SignOutAsync();
                            await httpContext.ChallengeAsync("Identity.Application");
                        }
    
                        //JWT
                        if (httpContext.User.Identity != null && httpContext.User.Identity.AuthenticationType == "AuthenticationTypes.Federation")
                        {
                            await httpContext.ChallengeAsync(JwtBearerDefaults.AuthenticationScheme);
                        }
    
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    So, preventing concurrent logins from different browsers is working now but the previous browser did not redirect to the login page

    You can redirect:

    if (httpContext.User.Identity != null && httpContext.User.Identity.AuthenticationType == "Identity.Application")
    {
        await httpContext.RequestServices.GetRequiredService<AbpSignInManager>().SignOutAsync();
        //await httpContext.ChallengeAsync("Identity.Application");
        
        var redirectUrl = "...";
        httpContext.Response.Redirect(redirectUrl);
        return;
    }
    
  • User Avatar
    0
    Priyanka created

    Hi,

    So, preventing concurrent logins from different browsers is working now but the previous browser did not redirect to the login page

    You can redirect:

    if (httpContext.User.Identity != null && httpContext.User.Identity.AuthenticationType == "Identity.Application") 
    { 
        await httpContext.RequestServices.GetRequiredService<AbpSignInManager>().SignOutAsync(); 
        //await httpContext.ChallengeAsync("Identity.Application"); 
         
        var redirectUrl = "..."; 
        httpContext.Response.Redirect(redirectUrl); 
        return; 
    } 
    

    I tried this but it is stuck in infinite loop, it is redirecting to login and somehow it is coming again on this condition, condition is satisfied and redirecting again and this whole process is keep going.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Could you share a test project with me? I will check it and try to help you, my email is shiwei.liang@volosoft.com

Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35