How to prevent a user from having multiple instances of the Same Web application

Question

I\'m wondering if it is possible to determine if a user already has a web browser open to the web application I\'m working on. It seems that they can open several instances

Answer 1

You could check if a the user has more than one active session. This might work, but could be problematic since there's no good way to determine if a session is really active or not.

Answer 2

As others has mentioned, you can't prevent the user from starting a new session without resorting to ActiveX or other nastiness. The basic problem is that there is no way for you to know whether a user closed the old browser window or left it open.

What you can do however, is to invalidate the previous session as soon as the user logs into a new (A bit similar to how may Instant Messaging clients behave).

On each login, assign a new GUID to the user in your database. Also store this GUID in the session cache (No need to ship it back and forth to the pages, which won't work for GET requests anyway). On each page request, compare the GUID assigned to the user in the database with the GUID in the session cache. If they don't match, return a "You have logged in from somewhere else" response.

Update I was a bit too fast on the trigger. This doesn't prevent the scenario where the user opens multiple tabs/windows within the same browser process. So you would have to combine this solution with Dave Anderson suggestion for storing a ViewState hash (or simply a GUID) so that only the last served page in a session is allowed to post back.

Security Update Also, you can only rely on this framework as a convenience to the user since it's not secure. Any half decent hacker will be able to circumvent these measures.

Answer 3

I had the same problem and solved it using web sockets (I use pusher with php). When the user lands on the page I set a variable:

var firstTimeHere = true;

Then I made a websocket function in javascript that has the userid as part of the function's name like:

var pingUser123 = function(){...}; 

Then I use ajax to query the server where the php side of the websocket is triggered:

$this->trigger("pingUser123");

The websocket triggers all the javascript instances of that function in any number of windows across any number of browsers and machines. From there I can see if it's the first time this browser has been pinged. if so it's the only instance, if not there's a second one.

var pingUser123 = function(){
    if(firstTimeHere){
       firstTimeHere = false;
    }else{
        app.stop();
        alert("Only one window at a time please.");
    }
};

Answer 4

Is there a simple way to determine if they already have a browser window open to the web application and if so, just close the browser or display a different page to let them know they can only have 1 open at a time?

In short, No.
Without writing some kind of activeX control, there is no code you could write that could stop the user from opening a (seperate instance of) IE/FF etc and having one instance detect the other.