views:

147

answers:

4

In our system one client may have multiple operators. However there is a "wish" from client. One company has an account, however there can be mulitple operators assigned to this company. Client wants us to prepare a solution that only one operator from company can log in to the system at same time. How can I achieve this?

+1  A: 

You could use a database field to flag that they are logged in. Update the field to 'logged in' when they do so, and then update it to 'logged out' when they log out.

You'd also need to monitor login sessions for expiry to update the field if a user never bothered to explicitly logout.

Evernoob
yes..i wanted do do so, but how can i monitor login sessions?
niao
+1  A: 

Just by making sure they system has the ability to validate the login on each request. Either

  1. Actively (by querying state -- possibly a database to compare some secrets) or
  2. Passively -- using some form of cryptography and tokens (possibly in the cookie).

Option one is easiest, option 2 is fastest. If you validate on each request you can make sure that only one user remains logged in -- if another user signs in you can invalidate the existing active login -- perhaps with a cooldown period of n amount minutes.

You have to develop some form of login scheme -- kerberos is the defacto scheme -- read this easy to follow tutorial on kerberos Designing an Authentication System: a Dialogue in Four Scenes It should show you what you really need to do.

Hassan Syed
+1  A: 

The best approach I've used:

  1. Create a table used to track whether an operator is logged in (e.g. userid and last_accessed_dt)
  2. On each page request by the operator update the last requested date/time
  3. When an operator attempts to login they can only do so if the last requested data/time > timeout period of sessions on your website (E.g. 30 minutes) or if they are the Last Operator User ID ... this way they can quickly recover from a logoff etc.
  4. When an operator logs off have the Last Accessed cleared
  5. When the session times out have the Last Accessed cleared
Nissan Fan
I am using WPF application and the server is written in WCF, however this can be achieved. But what in situation when user has an application opened and was inactive for 30min?
niao
A: 

"I am using WPF application and the server is written in WCF, however this can be achieved. But what in situation when user has an application opened and was inactive for 30min?"

This system is going to be single-user, so I suggest you start a counter thread when a user logs in. When counter reaches 30 minutes, write a value to the db indicating that user has timed out and other users are free to login. Obviously, you should do the same thing when user explicitly logs out.

born to hula
a counter thread ? thats pretty wastefull, and **bad design**.... the timeout logic should be part of server logic, and NOT as a thread -- but as a data structure/table row that is checked on requests that need to be secured... If this was erlang and you created a counter thread .... that might be ok.
Hassan Syed
I missed your point..."but as a data structure/table row that is checked on requests that need to be secured"... sure, this is obvious, otherwise there would be no utility on writing a value to the db indicating that a user has timed out. But, in your opinion, what would be a good way of checking if the user has timed out? I couldn't think of another way, at least until now.
born to hula
Please read the article in my answer -- it will highlight various aspects of distributed authentication.
Hassan Syed
Thanks for the reference.
born to hula