Login Security: How to Disable Multiple Logins

Posted 2019-08-07 03:46

I want to disable multiple logins on my web site. For example, when a user is already logged in to the system, the system should prevent that user from logging in again on another browser or computer. Currently I tried doing this by using the database. I have a column like login_status; once the user logs in it is updated to 1, and 0 means offline. If the user closes the browser without logging out, it remains logged in, and the user has to ask the admin to log him out. The problem is we want to automatically log out the user after a max of 30 min idle time. I'm having a hard time working out how to do this.

Is there a way to disable multiple logins and determine if the user was idle and automatically log him out? I'm thinking about cookies and sessions.

5 answers
干净又极端
Answer 2 · 2019-08-07 03:56

Please refer to:

When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?

Out of the box, .NET does not support this. .NET allows for concurrent log-ins, as I'm sure you're aware.

I had this same exact requirement, and came up with a pretty slick solution, demonstrated in the link above. In a nutshell, my requirement was to only have one user log-in happening at one time. If that same user ID tried to log in elsewhere, then it killed the session for the first log-in by checking for an existing log-in under a different Session ID (this enabled the user ID to be logged in from multiple instances of their web browser on their computer [same Session ID], which is common, but not from a different computer [different Session ID] (possibly due to someone who stole their credentials, for example)). Through modification of the code you could probably change the behavior of this, i.e., prevent the second log-in attempt instead of killing the first log-in that's already active and in use.

Of course, it may not fit 100% to what you're needing, so feel free to modify it to fit your needs.

Answer 3 · 2019-08-07 04:01

Not ideal by any means, but add a SignInLockTime field alongside the login_status bit field and write the time of the update whenever you update the login status. From there you can have an app-configured timeout, so if the timeout has passed since SignInLockTime you can auto-unlock.

贪生不怕死
Answer 4 · 2019-08-07 04:13

The reason a visitor can log in from multiple locations at once is that whenever they log in, ASP.NET assigns them the same authentication token. So the authentication token in itself doesn't allow you to distinguish between the locations the user is logging in from.

There are probably many ways around this, but in principle all you need to do is store some identifying information in the user's session state and check it on each request. E.g. when they log in, their IP address could be stored as session data. Then for every subsequent authenticated request, the IP the request comes from could be compared to the one stored at login. If the two don't match, log the user out.

Alternatively, if IP isn't a good enough identifier (e.g. if a user is logging in from behind a router, multiple PCs will share one IP), then you can add some identifying information to the user's authentication token at the point of login. Here is a tutorial on how to do that:

http://www.danharman.net/2011/07/07/storing-custom-data-in-forms-authentication-tickets/

Each time they log in, a unique GUID can be generated and stored both as session data and as part of the authentication token. On each request you compare the two, logging the user out if they don't match.

These are a couple of possibilities - I'm sure there are others.

An even better way may be to influence the ASP.NET authentication token itself when ASP.NET generates it, to introduce some change, but I'm not sure this is possible.

Googling gave me nothing.

对你真心纯属浪费
Answer 5 · 2019-08-07 04:15

From your response to your question, it seems that what you actually want to do is to prevent users from being logged in from two locations simultaneously... is that correct?

How about storing the session id against the user record in your database? When the user logs in, replace the session id in the database. On every authorization request, you then compare the supplied session id with the one stored against the user record; if it's different then they are logged in elsewhere, so redirect them to the login page again. This way, logins on other machines are possible, but existing sessions on other machines will be invalidated as a result of the new login.

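The two mechanisms proposed in this thread, a per-login GUID carried inside a signed authentication ticket (answer 4) and the current login id stored against the user record and compared on every request (answer 5), combined with the 30-minute idle timeout the question asks for, as an added Python example. This is not code from the original thread or any of its answers. The users table is an in-memory dict, the ticket signing key and the FakeClock are constructed for the example, and the password is assumed to have been verified before login() is called; in ASP.NET the same roles would be played by the forms-authentication ticket's UserData, the machineKey and the users table.

```python
"""One active login per user, bound to a signed ticket, with idle timeout.

Added example, not from the original thread. Stand-ins (all assumed):
  TICKET_KEY   -> server-side signing secret (ASP.NET: machineKey)
  make_ticket  -> auth ticket carrying the login id (ASP.NET: ticket UserData)
  SessionStore -> users table holding the current login id and last activity
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=30)
TICKET_KEY = b"example-only-secret-do-not-ship"   # constructed for the example


def _utcnow():
    return datetime.now(timezone.utc)


def _sign(payload: bytes) -> str:
    return hmac.new(TICKET_KEY, payload, hashlib.sha256).hexdigest()


def make_ticket(username: str, login_id: str) -> str:
    """Tamper-evident ticket: base64(username|login_id) + '.' + HMAC."""
    payload = f"{username}|{login_id}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def parse_ticket(ticket: str):
    """Return (username, login_id), or None for a malformed or forged ticket."""
    try:
        body, sig = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        # Constant-time compare on bytes, so a forged sig never leaks timing.
        if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
            return None
        # rpartition: login_id is hex, so a '|' inside the username is harmless.
        username, _, login_id = payload.decode().rpartition("|")
    except ValueError:          # bad split, bad base64, bad UTF-8
        return None
    return username, login_id


class SessionStore:
    """users: username -> {"login_id": str, "last_seen": datetime}."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=_utcnow):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.users = {}

    def login(self, username: str) -> str:
        """Password already verified by the caller. Overwriting login_id is
        what invalidates any earlier login for this user (answer 5)."""
        login_id = secrets.token_hex(16)        # fresh 128-bit id, like a GUID
        self.users[username] = {"login_id": login_id, "last_seen": self.clock()}
        return make_ticket(username, login_id)

    def logout(self, username: str) -> None:
        self.users.pop(username, None)

    def check_request(self, ticket: str):
        """Authorise one request. Returns (ok, username, reason)."""
        parsed = parse_ticket(ticket)
        if parsed is None:
            return False, None, "bad ticket"
        username, login_id = parsed
        row = self.users.get(username)
        if row is None:
            return False, username, "not logged in"
        if not hmac.compare_digest(row["login_id"], login_id):
            return False, username, "logged in elsewhere"
        if self.clock() - row["last_seen"] > self.idle_timeout:
            self.logout(username)                # idle > 30 min: auto-logout
            return False, username, "idle timeout"
        row["last_seen"] = self.clock()          # activity refreshes the timer
        return True, username, "ok"


class FakeClock:
    """Injectable clock so the idle timeout can be exercised deterministically."""
    def __init__(self, start): self.now = start
    def __call__(self): return self.now
    def advance(self, delta): self.now += delta


def demo():
    clock = FakeClock(datetime(2019, 8, 7, 3, 46, tzinfo=timezone.utc))
    store = SessionStore(clock=clock)
    ticket_a = store.login("alice")                       # first browser
    out = [store.check_request(ticket_a)[2]]              # ok
    clock.advance(timedelta(minutes=10))
    ticket_b = store.login("alice")                       # second computer
    out.append(store.check_request(ticket_a)[2])          # logged in elsewhere
    out.append(store.check_request(ticket_b)[2])          # ok
    forged = ticket_b.split(".")[0] + "." + "0" * 64      # signature stripped
    out.append(store.check_request(forged)[2])            # bad ticket
    clock.advance(timedelta(minutes=31))
    out.append(store.check_request(ticket_b)[2])          # idle timeout
    out.append(store.check_request(ticket_b)[2])          # not logged in
    return out


if __name__ == "__main__":
    print(demo())
```

Kicking out the earlier login (rather than refusing the new one) is the safer default against a stolen credential, because the legitimate owner can always regain control by logging in again; the idle timeout is enforced on the server from the stored last_seen, so closing the browser without logging out no longer requires an admin to clear the flag.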
太酷不给撩
Answer 6 · 2019-08-07 04:15

One simple (but not good) option is to log the user out on the Session_End event. But I am not sure this is a good option.
