How to prevent a user from having multiple instances of the Same Web application

Question

I\'m wondering if it is possible to determine if a user already has a web browser open to the web application I\'m working on. It seems that they can open several instances

Answer 1

I use the trick of opening a new window with a specific ID and always make sure that any page will open always use that window.

The down side, they must have their popup blocker turned off for you site. It works well for company sites.

if (useOwnWindow && window.name != 'YourAPP'){
    var w = window.open(document.location, 'YourAPP', 'toolbar=no,status=yes,resizable=yes,scrollbars=yes');
    if (w==null){
        alert("Please turn off your pop-up blocker");
    }else{
        window.open('','_parent','');
        self.opener="";
        self.close();
    }
 }

Note the useOwnWindow flag if used by developers so we can open it multiple times

Answer 2

You can do this by window.name. In java script window.name has blank value on each new tab. Set window.name value on login page and save in session.

window.name = Math.random() + "_YourApplication"

Now check this window.name on master page/Layout page. Log out user if it contain multiple tab.

 if (!window.name || window.name != '@Session["WindowName"]') {
    //Log Off code
 }

Answer 3

All you have to do is assign a value both to a Hidden Input control's value and to a session variable in the Page Load event and on postback, check the value of the local variable against the value in the session variable. If the values do not match, you can redirect the user to the login page or a page that tells them that the session for that page is no longer valid etc.

Example:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    Try
        If Not IsPostBack Then
            'SET LOCAL VARIABLE AND SESSION VARIABLE TO A UNIQUE VALUE
            'IF THE USER HAS CHANGED TABS THIS WILL CHANGE THE VALUE OF THE SESSION VARIABLE
            Me.HiddenInput.value = New Guid().ToString
            Me.Session.Add("PageGuid", Me.HiddenInput.value)

        Else 
            'ON POSTBACK, CHECK TO SEE IF THE USER HAS OPENED A NEW TAB
            'BY COMPARING THE VALUE OF THE LOCAL VALUE TO THE VALUE OF THE SESSION VARIABLE

            If me.HiddenInput.value <> CType(Session("PageGuid"), String) Then

                'THE VALUES DO NOT MATCH, MEANING THE USER OPENED A NEW TAB.
                'REDIRECT THE USER SOMEWHERE HARMLESS

                Response.Redirect("~/Home.aspx")

            Else

                'THE VALUES MATCH, MEANING THE USER HAS NOT OPENED A NEW TAB
                'PERFORM NORMAL POSTBACK ACTIONS

                ...

            End If
        End If
    Catch ex As Exception
        Me.Session.Add("ErrorMessage", BusinessLogic.GetErrorMessage(ex))
        Me.Response.Redirect("~/ErrorPage.aspx", False)
    End Try
End Sub

Answer 4

Firstly, no there isn't, and secondly, you shouldn't try.

The pop-up window strategy won't work (and will annoy users). I have my browser set to 'Open windows as Tabs', and I choose whether to split one off into another window. Or in some cases, whether to run a different browser -- not just another instance of the same one -- to display another page on the same site.

Conversely, the mini-session ID will fail because the server can't keep track of whether a request is from the same user as an existing session. Several people may be using the same machine, even with the same username; or one person may have several separate login sessions, on one or several machines.

Just sort out your protocol vs. 'Session' variables and make sure that the last committed changes are the ones that persist.

Answer 5

I would suggest you hash the ViewState for the page and store it in a session variable before it is returned as the Response.

Then for a Request first check the hash of the returned ViewState against the one you have in the session variable and if they don't match don't process any changes on the page and display a notice to your user or redirect them to an error page.

The two methods of the Page class you will want to override are;

protected override object LoadPageStateFromPersistenceMedium()

protected override void SavePageStateToPersistenceMedium(object viewState)

Answer 6

You could assign a 'mini-session' ID to each instance of the input form, then use AJAX to ping the server with that ID. If the user tries to request the same form when there's an active ID, it should display an error message. If the server doesn't hear the ping for a certain amount of time, expire the mini-session. (This is basically a very simple locking strategy)