So it's an ASP.NET problem where two users are using the same machine, same browser.

  1. User 1 logs in to the domain.
  2. User 1 changes some data without saving it.
  3. User 2 logs in to the domain in a separate tab.
  4. User 1 switches back to his tab and saves the data.
  5. User 1 actually saved the data into User 2!!

This is caused by the following mechanism:

  1. Different tabs in the same browser seem to share the same session id.
  2. We are storing user auth in a cookie, and the cookie is shared between tabs (same domain).

Therefore, when User 1 requests to save, it is recognized as User 2 since the cookie has been updated to User 2.

So I'm wondering if there are any other methods to prevent this from happening, other than:

  1. Use a cookieless session so the session is embedded in the URI.
  2. Always include a hidden field in the page to indicate which user owns the page.

Regards,

A: 

You could add some fields in the database to track that the user is logged in, and grab their IP address, and restrict access that way.

TheGeekYouNeed
BlueFox
A: 

IE8 has a "New Session" command in the file menu that opens a new window, but that's pretty much like using 2 different browsers.

Hiding the login form until the current user is logged out will raise awareness that another user is logged in but won't prevent the above scenario. If the logout process could refresh each page in the browser on the domain then it might work, although user1 would lose all modified data.

Hugh Jeffner
I like your second proposal of hiding the login form until the current user is logged out to raise awareness, but could you elaborate on how one should go about implementing "logout process to refresh each page in the browser on the domain"?
BlueFox
I am not sure if it is even possible, but if there is a way to iterate through all open windows with the same origin using JavaScript, you could call the `window.location.reload()` function on each one.
Hugh Jeffner
A: 

I used the trick of opening a new window with a specific name and always making sure that any page that opens uses that window.

lourdhu
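
One way to implement the hidden-field option from the question, as an added example that is not code from this thread: the hidden field carries an HMAC of the user the page was rendered for, and the save handler rejects the postback when the shared auth cookie now names someone else. The names `PageOwner`, `Issue` and `IsOwnedBy`, the sample user names and the in-memory key are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical names): ties a rendered form to the user it was rendered for.
public static class PageOwner
{
    // Assumption: per-application secret. A key created at process start is lost on
    // restart and differs per server, so load it from protected configuration instead.
    private static readonly byte[] Key = NewKey();

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Value for the hidden field, computed when the page is rendered.
    public static string Issue(string userName)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(userName)));
    }

    // On postback: does the posted token belong to the user the auth cookie names now?
    public static bool IsOwnedBy(string postedToken, string currentUserName)
    {
        if (string.IsNullOrEmpty(postedToken) || string.IsNullOrEmpty(currentUserName)) return false;
        string expected = Issue(currentUserName);
        int diff = postedToken.Length ^ expected.Length;
        for (int i = 0; i < postedToken.Length && i < expected.Length; i++)
            diff |= postedToken[i] ^ expected[i];   // compare without an early exit
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed scenario from the question: the page is rendered for User 1.
        string hiddenField = PageOwner.Issue("user1");
        // Cookie still names user1: the save may proceed.
        Console.WriteLine(PageOwner.IsOwnedBy(hiddenField, "user1"));
        // User 2 logged in from another tab, so the shared cookie names user2: reject the save.
        Console.WriteLine(PageOwner.IsOwnedBy(hiddenField, "user2"));
    }
}
```

On a mismatch the handler should refuse the write and tell the user that the signed-in account changed, rather than saving under whichever identity the cookie currently holds.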