Concurrent login in sharepoint

  • Question

  • Can anyone help me in understanding if there is a way in SharePoint 2013 to stop the same user from logging in from various machines/browsers/mobiles?
    Tuesday, September 9, 2014 10:53 AM

Answers

  • Deleted
    Tuesday, September 9, 2014 6:01 PM
  • I agree with the proposed solution of using an HttpModule or HttpHandler. This is something we've done for a few clients myself, and even though it degrades performance in some cases it provided the required security essentials for our clients, as we were government-controlled to store certain information about each request that accessed certain resources of the portal. 

    There's plenty of information on how to build your own handlers/modules: 

    In the ProcessRequest method you can then change the logic to be applicable to your specific scenario. In our case we were logging certain requests to a SQL Server that were accessed from other security reporting systems and whatnot.


    Tobias Zimmergren
    Microsoft MCP, MCTS, MCT, MVP (SharePoint)
    Blog: www.zimmergren.net
    Twitter: twitter.com/zimmergren
    Corporate site: www.tozit.com

    • Marked as answer by Patrick_Liang Friday, October 10, 2014 7:18 AM
    Friday, September 12, 2014 9:25 AM

All replies

  • I guess it's IIS which handles the authentication for SharePoint; that does not have anything to support this by default, so you would have to build something. The issue here is what happens if the user does not sign out of the site: you would have to build some form of timeout or you would end up with them being locked out of the site.

    Thanks Chris

    Tuesday, September 9, 2014 11:30 AM
  • Yes, can you please help me by giving me a direction as to what can be built to achieve this?
    Tuesday, September 9, 2014 11:49 AM
  • Hi,

     Well you would have to check on each page load that the user was accessing the site from the same location (probably by saving the IP address in some sort of database table along with the accessing user and a time stamp).

     If the IP is different than the one currently saved in your database then you should redirect them to another page.

     Probably the best way to do this would be to have a delegate control running on the page which logs to the database and redirects the user if required (obviously the page you redirect them to should not have the same issue).

     Maybe if the previous access was more than 20 minutes you should assume that the user has logged off and allow the new login.

     One thing that I have noticed is that the SharePoint 2013 "Sign out" does not work as expected (at least on my test site). i.e. if you press sign out you need to close the browser otherwise you can press back and access the site still.

     You would also need to override the sign out somehow to remove the IP address for that user in the database.

    Not something I would like to implement on a system. :P


    Thanks Chris

    Tuesday, September 9, 2014 2:09 PM
  • You can look at implementing a custom HttpModule that would maintain the session/login information in a custom database and determine if the user is already signed in to the site. There would be a slight degradation in performance as this HttpModule gets called for every request.

    This post is my own opinion and does not necessarily reflect the opinion or view of Slalom.

    Definitely ... that's the IIS way of doing it ;)

    Thanks Chris

    Tuesday, September 9, 2014 8:36 PM
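
The approach discussed in this thread (an HttpModule that records each user's IP address with a time stamp, treats 20 minutes of inactivity as a sign-out, and redirects requests from a different address), as an added example that is not part of the original thread or any poster's code. The class name, the redirect URL and the in-memory dictionary standing in for the database table are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

public class SingleLocationModule : IHttpModule
{
    // Stand-in for the database table (user, IP, last seen). A farm with several
    // web front ends needs a shared store such as SQL Server instead.
    private static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Sessions =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>(StringComparer.OrdinalIgnoreCase);
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);
    private const string BlockedPage = "/_layouts/15/Example/AlreadySignedIn.aspx"; // hypothetical page

    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticate; }
    public void Dispose() { }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var ctx = app.Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        // The redirect target itself must be exempt, or the user loops forever.
        if (ctx.Request.Path.Equals(BlockedPage, StringComparison.OrdinalIgnoreCase)) return;
        // UserHostAddress is the proxy's address behind a load balancer, and users
        // behind one NAT share an address, so the IP is a coarse discriminator.
        if (!IsAllowed(ctx.User.Identity.Name, ctx.Request.UserHostAddress, DateTime.UtcNow))
        {
            ctx.Response.Redirect(BlockedPage, false);
            app.CompleteRequest();
        }
    }

    // Decision logic kept free of HttpContext so it can be unit tested without IIS.
    // Allowed when: no record yet, same IP as recorded, or the record is older than the timeout.
    public static bool IsAllowed(string user, string ip, DateTime now)
    {
        var fresh = Tuple.Create(ip, now);
        var stored = Sessions.AddOrUpdate(user, fresh, (key, old) =>
            (old.Item1 == ip || now - old.Item2 > IdleTimeout) ? fresh : old);
        return ReferenceEquals(stored, fresh); // record replaced means this request owns the session
    }

    // Call from the overridden sign-out so the next login is not blocked until the timeout.
    public static void Release(string user)
    {
        Tuple<string, DateTime> ignored;
        Sessions.TryRemove(user, out ignored);
    }
}
```

The module takes effect once it is registered in the web application's web.config under system.webServer/modules.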