Concurrent Login (OpenIddict + Angular) #4196


burkay created
  • ABP Framework version: v6.0.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace: -
  • Steps to reproduce the issue:

Hello!

We are trying to prevent users logging in from different computers with the same account. You have provided a sample project (1), but it is implemented with Identity Server and MVC (2).

We have tried to adjust it to our needs (OpenIddict + Angular). Currently, we can detect when a second client logs in with the same account using a claim. Unfortunately, we could not manage to successfully log out the previously logged in user and redirect the application to the login page. At this point, we are stuck at getting a 403 response.

We have created a sample project using ABP Suite with all the default options. This project has the same structure as our main project and can be used as a minimal reproducible example. Could you give us some directions to make this work the right way? Our efforts can be seen in the commit (4). If needed, we can give you contributor privileges to the repository.

Thanks!

  1. https://github.com/abpframework/abp-samples/tree/master/ConcurrentLogin
  2. https://support.abp.io/QA/Questions/3047/Disable-concurrent-user-login
  3. https://github.com/kkeld/Nova
  4. https://github.com/kkeld/Nova/commit/81eda33e3177574ebe8adb4019a4f2199fe7c0a0

5 Answer(s)
  • hikalkan created
    Support Team Co-Founder

    Hi @burkay,

    ABP Commercial doesn't have a feature to prevent concurrent login. If your application requires it, you should implement it yourself. If you have any trouble because of ABP, or you want to get advice on how to do a specific thing in ABP, we help you, but we can't fully implement a feature that is needed for you. I agree that this can be a good feature for ABP Commercial, but currently it is not included, sorry.

    Besides my response, I personally can give you a few suggestions that may help you with your implementation. For an example implementation, you can go like this:

    • When a user logs in, you can create a claim in the authentication ticket that has a random GUID value. Also add the same GUID value to the distributed cache with the user's id as the key. Keep the cache time as long as needed.
    • You can write an ASP.NET Core middleware that gets the claim's value and compares it with the cached value. If there is no value in the cache (it might be expired), you can write that value to the cache. If there is a cached value, and it is the same value, you allow the request to continue. Otherwise (if the values are different), just return an unauthorized response to the user. Instead of a middleware, I believe that can be achieved by writing some interceptor or validator for ASP.NET Core authentication. You should research that.

    I suppose you can also find some solutions on the web since your requirement is a common requirement. As I said, we will consider implementing it in ABP Commercial's standard.
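
The claim-plus-cache check suggested in the answer above, sketched as plain ASP.NET Core middleware; this is an added example, not part of the original post and not ABP's or the poster's code. The claim name `session_id`, the cache key prefix, the 8-hour lifetime, the use of `ClaimTypes.NameIdentifier` for the user id, and rejecting tickets that lack the claim are all assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;

public class SingleSessionMiddleware
{
    public const string SessionClaimType = "session_id";   // hypothetical claim name
    private static readonly DistributedCacheEntryOptions Ttl =
        new() { SlidingExpiration = TimeSpan.FromHours(8) }; // assumed lifetime

    private readonly RequestDelegate _next;
    public SingleSessionMiddleware(RequestDelegate next) => _next = next;

    private static string Key(string userId) => "active-session:" + userId;

    // Call at sign-in and add the returned claim to the ticket. Overwriting the
    // cached value is what invalidates the session of the earlier login.
    public static async Task<Claim> StartSessionAsync(IDistributedCache cache, string userId)
    {
        var sessionId = Guid.NewGuid().ToString("N");
        await cache.SetStringAsync(Key(userId), sessionId, Ttl);
        return new Claim(SessionClaimType, sessionId);
    }

    // Register after UseAuthentication() so context.User is populated.
    public async Task InvokeAsync(HttpContext context, IDistributedCache cache)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (context.User.Identity?.IsAuthenticated == true && userId != null)
        {
            var presented = context.User.FindFirst(SessionClaimType)?.Value;
            var active = await cache.GetStringAsync(Key(userId), context.RequestAborted);

            if (presented != null && active == null)
            {
                // Cache miss (entry expired): re-seed from the ticket, as the post
                // suggests. Until the next login, the first ticket seen wins.
                await cache.SetStringAsync(Key(userId), presented, Ttl, context.RequestAborted);
            }
            else if (presented == null || !string.Equals(presented, active, StringComparison.Ordinal))
            {
                // Missing claim (added assumption: fail closed) or superseded session.
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return;
            }
        }
        await _next(context);
    }
}
```

Because a cache miss re-seeds from whichever ticket arrives first, the cache lifetime should be at least as long as the ticket lifetime, otherwise a superseded ticket can become the active session again after the entry expires.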

  • burkay created

    Hello again,

    I guess there is a misunderstanding. We did not want you to implement anything for us. There are similar questions like [1], [2]. The usual flow we observed is that: customer asks a question, you ask for clarification, customer elaborates, you ask for sample code, customer gives sample code, you guide them through code. We just wanted to cut that piggy back by supplying a repo with minimal changes only related to the feature we are asking for. We tried explaining what we want and where we failed clearly. We were just expecting some guidance like you yourself requested your colleague and he did so for the issue at [3]. Since we could not get anything new for this question, would you consider amending our question token back?

    Anyway, meanwhile we managed to get this working. We updated the repo at [4] in case someone else needs it, too.

    1. https://support.abp.io/QA/Questions/3047/Disable-concurrent-user-login
    2. https://support.abp.io/QA/Questions/950/How-to-allow-one-user-concurrent-login-per-user
    3. https://github.com/aspnetboilerplate/aspnetboilerplate/issues/4821
    4. https://github.com/kkeld/Nova
  • hikalkan created
    Support Team Co-Founder

    Hi again,

    Can you please delete your repository from GitHub ( https://github.com/kkeld/Nova )? This is an ABP Commercial solution and it is illegal to share it with anyone else, especially with the public community.

    I am glad that you have made it work on your side. I also see there is a misunderstanding. My first paragraph was a general response to customers who are asking us to help with implementing their own business or non-business application requirements. For such cases, we can just try to lead with a few sentences, as I did in the remaining part of my response to your question.

    "Since we could not get anything new for this question, would you consider amending our question token back?"

    No, unfortunately. It would be only possible if you could give back my time to try to understand your question and write my answer. Even if our answer doesn't include directly useful information for you, it takes our time and it is a part of the regular support process. We give the question token back only if there is a bug in ABP and your project doesn't work because of that bug. In this case, to be fair, we give your question token back, since we see it is our fault.

  • burkay created

    Hello,

    I see your points, fair enough. For future-this-feature-seekers, we will create a new solution with community edition, apply our solution and push it to a new repo at https://github.com/kkeld/CommunityNova . Deleted the repo, closed the question.

    Best.

  • hikalkan created
    Support Team Co-Founder

    Thanks for deleting the repository. Best regards.

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11