Tips & Tricks: controlling access

by Giuseppe Lanzi on 03/06/2014

A relatively common requirement among people who develop online applications is the ability to control concurrent accesses. If your business revolves around a software product installed on your production server and user licenses that your customers purchase, you will probably need to answer the question, “how can I limit concurrent accesses to the application?”.

The first solution that comes to mind is to count the users who have logged in and cap that number, but this approach doesn’t work, because the limit can be circumvented simply by always using the same user name. You need to key the check on something that can’t be changed by the end user and, ideally, something that’s already available. A good candidate is the ID of the current session.

I made a little example project in which, to achieve the behavior I’m looking for, I used a Sessions table to save the data and the onBrowserMessage event in order to run the check. If there are other sessions for the username used to log in when the request is submitted, I display an error and close the application; otherwise, I enter/update the current one.

To see this behavior yourself, you can:

  • compile the example project;
  • enter the application as user test;
  • change browser, and try to log on, first as user test and then as test2. The first time you’ll get an error message, but the second time you’ll log in successfully.
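The same check, as an added example in Python with SQLite (not the author's example project): it replays the three logins from the steps above against a Sessions table. The names `check_access`, `IDLE_TIMEOUT`, the column names and the session IDs are assumptions made for illustration, and the idle timeout and the transaction go beyond what the post describes, so that a session that ends without logging out does not lock the user out and two simultaneous logins cannot both pass.

```python
import sqlite3

IDLE_TIMEOUT = 1800  # assumption: seconds of silence before a session stops counting


def open_store():
    # Autocommit mode so the transaction below is controlled explicitly.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE Sessions (session_id TEXT PRIMARY KEY,"
               " username TEXT NOT NULL, last_seen REAL NOT NULL)")
    return db


def check_access(db, username, session_id, now):
    """True if this session may use `username`; False if another live session holds it."""
    db.execute("BEGIN IMMEDIATE")  # check and write as one unit, so two logins cannot race
    try:
        # Drop sessions that went away without logging out (browser closed, crash).
        db.execute("DELETE FROM Sessions WHERE last_seen < ?", (now - IDLE_TIMEOUT,))
        other = db.execute(
            "SELECT 1 FROM Sessions WHERE username = ? AND session_id <> ? LIMIT 1",
            (username, session_id)).fetchone()
        if other is None:
            # Enter or refresh the row for the current session.
            db.execute("INSERT OR REPLACE INTO Sessions VALUES (?, ?, ?)",
                       (session_id, username, now))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    return other is None


def replay():
    """Constructed run: the three logins from the steps, then one after the timeout."""
    db = open_store()
    return [
        check_access(db, "test", "sess-A", now=0),    # first browser
        check_access(db, "test", "sess-B", now=10),   # second browser, same user: refused
        check_access(db, "test2", "sess-B", now=20),  # second browser, other user
        check_access(db, "test", "sess-C", now=IDLE_TIMEOUT + 30),  # sess-A has expired
    ]


if __name__ == "__main__":
    print(replay())
```

Pass the session ID that the server assigned, never a value supplied by the client, and run the check on every request so that `last_seen` stays current.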

Once you’ve achieved this behavior, it’s relatively simple to extend it to implement more advanced features, such as a maximum number of accesses per company, but I’ll leave this little exercise to you.
