Open Closed

How to disable concurrent login with OpenIdDict? #7794


User avatar
0
nhontran created
  • ABP Framework version: v8.0.2
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Auth Server Separated (for Angular): yes

I would like to implement a feature to disable concurrent user logins in our application to enhance security.

Requirements:

  • When a user logs in, any active sessions of that user should be automatically logged out.
  • Only one active session per user should be allowed at any given time.

Most of the articles I found here is for Identity Server 4, I have migrated to OpenIdDict, is there a built-in feature for this?

Please provide guidance on how to configure or extend the ABP framework to achieve this behavior.

Thank you.


12 Answer(s)
  • User Avatar
    1
    maliming created
    Support Team Fullstack Developer

    hi

    We have the session management feature.

    https://abp.io/docs/latest/modules/identity/session-management https://abp.io/docs/latest/modules/account/session-management

  • User Avatar
    0
    nhontran created

    Hi @maliming, this feature does not seem to work. After selecting the "LogoutFromAllDevices" option. I logged in on a new device, and observed that in the AbpSessions table, the old session was deleted and the new session has been created. However, the web application (I am using Angular) did not log me out on the old device.

    Am I missing something? Could you help me resolve this?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    This feature depends on the Dynamic Claims feature of the ABP framework. https://abp.io/docs/latest/framework/fundamentals/dynamic-claims?_redirected=B8ABF606AA1BDF5C629883DF1061649A

    Have you enabled it?

  • User Avatar
    0
    nhontran created

    Hi @maliming, Yes, I have enabled the feature. Could you let me know when this feature was officially released?

    I created a new project using version 8.0.2, but noticed that the feature is not available. Interestingly, my older project, also on version 8.0.2, includes it. I'm not sure why there's this discrepancy.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The session management feature was added after 8.2

    So you need to use abp 8.2+ and enable dynamic claims as well.

  • User Avatar
    0
    nhontran created

    noted. Let me upgrade it to 8.2.0.

    Thank you

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi nhontran

    You can create an 8.2+ template project to test this first.

    Thanks

  • User Avatar
    0
    nhontran created

    Hi @maliming,

    Yes, I just created a new project version 8.2.0 and it works.

    However, when I tried to upgrade our existing solution by running "abp update -v 8.0.2", my Angular and .NET projects did not receive any updates. All the DLLs remain at version 8.0.2.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can try to update the packages manually.

    packages.json and all csproj files.

  • User Avatar
    0
    nhontran created

    Hi @maliming, I manually updated it and now encountered this error in Auth Server:

  • User Avatar
    0
    nhontran created

    Hi, please ignore it. I have fixed it by updating the Theme LeptonX version as well:

    <PackageReference Include="Volo.Abp.AspNetCore.Mvc.UI.Theme.LeptonX" Version="3.2.0" />

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Great. : )

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09