I have seen a fair amount of questions on Stackoverflow asking how to prevent users sharing their password. Previously with MembershipProvider framework it was not a simple task. People went into all sorts of crazy procedures. One of the most common was to have a static global list of logged-in users. And if a user already in that list, the system denied their second login. This worked to an extent, until you clean cookies in the browser and try to re-login.

Luckily now Asp.Net Identity framework provides a simple and clean way of preventing users sharing their details or logging-in twice from different computers.

2-Factor Authentication

One of the most simple ways to prevent password-sharing is make 2-factor authentication mandatory. Only login a person who have received a text message or email with authentication token. It is very unlikely that people will have access to the same mail-box or a mobile phone. So this usually solves the problem pretty well.

I believe there are many tutorials online, including guides from Microsoft. So I will not go into details of implementation.

Problem with this approach is an additional cost involved. Cost of implementation and a cost of SMS provider. And if you have enough users logging-in each day, this can be a pretty penny. So make sure the means are justified.
Another cost is usability – it is always an extra step I need to take when I login when 2FA is enabled on the service.
But consider an additional security measures added to the service. I always enable 2FA on services I rely on. And if 2FA is not available on service, most likely I’ll choose a service with 2FA available

So consider all your pros and cons.

Basic accounts.

A lot of the times 2FA is not available for different reasons. So we need to do something else. Identity framework has something called “Security Stamp” – this is a random string (usually a GUID) that is stored on user record. Idea behind this is to verify that user password have not been changed since the last login: value of security stamp is stored in authentication cookie and with configured interval the framework compares the value in the database to the one in the cookie. This is for the cases when people are logged in in multiple browsers/computers. And if they change a password, all those multiple sessions will be expired.

Now we can use that feature to achieve our goal of preventing multiple logins or password share. Now we need to implement that on every login the security stamp have been changed. So all logged-in sessions will think that the password have been changed and will log-out. The implementation is not very interesting, but a few details are important.

I’m working with default VS2013 MVC project template. If you are using something else – your code may vary, but the idea behind is the same.

You need to modify the login procedure and catch the moment when user have provided correct username and password, but before the cookie is set. And change the security stamp BEFORE user is signed-in. This part of code is usually defined in AccountController in Login action method:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }


    // check if username/password pair match.
    var loggedinUser = await UserManager.FindAsync(model.Email, model.Password);
    if (loggedinUser != null)
    {
        // Now user have entered correct username and password.
        // Time to change the security stamp
        await UserManager.UpdateSecurityStampAsync(loggedinUser.Id);
    }

    // do sign-in AFTER we have done the update of the security stamp, so the new stamp goes into the cookie
    var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
    switch (result)
    {
        // do the rest of method

Now there are a few places where user can be logged-in. Look for usages of SignInManager and put code that updates the security stamp before user is signed-in. I would even go further – extend the sign-in manager and override SignInAsync method – do security stamp update there. But this is up to you how to implement.

Next step is to make sure the framework actually compares the security stamps from the authentication cookie with the value in the database. This is pretty easy, there is already a functionality that does it for you, we only need to tweak it slightly.

Go to App_Start\Startup.Auth.cs, you should fine there a part of code that defines cookie authentication and looks like this: app.UseCookieAuthentication(new CookieAuthenticationOptions.......... There is a definition for Provider:

    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(0), // <-- Note the timer is set for zero
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }

Note that validateInterval have been set to zero. By default it is 30 minutes, but you need to make this interval small. Effectively this tells the framework to compare security stamps on every request from a user. If you have a large number of users and an extra call to the database is becoming a performance drag, increase the validation interval to a few minutes.

The full cookie configuration should look like this:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(0), // <-- Note the timer is set for zero
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
    // other settings
});     

Make sure you have defined AuthenticationType, otherwise the system won’t login users at all – the authentication cookie will not be set without this value.

The whole prevention of password sharing scenario will look like this: User A shares a password with User B. User A logs in, then User B logs in, thus making session of User A expired. User A logs in again and makes session of User B expired. They play this game for a while until they realise they need 2 accounts to use your system and should not share passwords.

This post have been inspired by this QA on Stackoverflow and the topic starter have provided a full source-code of solution on Github

  • Thank you for sharing your knowledge.

  • Al

    How it applies in web forms?

    • If you are using Identity, then just the same as in MVC.

      • Al

        In web forms part of ‘ AccountController ‘ where would be.

        ‘ App_Start Startup.Auth.cs ‘ if I have

  • Arturo Ribes

    Can’t they share the cookie though? How easy would that be? In affirmative case, how could that be prevented?

    • Well, yes. If somebody logs in and then cookie value is stolen, copied to another browser – another browser can login.

      • Arturo Ribes

        I see. I ask it because in case of a paid service (SaaS), my customers pay for a single-user account, and I don’t want them to use it in multiple computers (multiple employees or friends sharing the same licence/user account). So the method explained in this page is the only way I can think of preventing this.

        • This solution is not hacker-proof, but discourages such behaviour you describe.

  • Upinder Dhami

    logout stopped working after implementing this solution. It is not logging out the user.

    • Show me the code for logging-out