[dba-VB] ASP.NEt 2.0: Forms Authentication: how to preventusingthe same login *second* time from another PC when thisloginis in use in active session?

Shamil Salakhetdinov shamil at users.mns.ru
Tue Dec 18 03:03:18 CST 2007


Yes, William, the article you refer is the closest to what I'm hunting
for...

(BTW, what Google(?) search criteria did you use to find it - I missed it
when looking for such information in Google)

Yes, this is the closest to what I'm looking for but still it isn't what I
need I think (but it looks like there is no other more close solution)...

In fact I planned to implement something like proposed by this article but
still at least one(?) problem exists with this solution:

- if a user will close the browser and then immediately will try to login
using the same FormsAuthentication credentials then he will be "kicked-out"
every time until Cache object simulating Session_End expires...

That's not a big issue(?) - a user will have to wait between 15 and 30
minutes to login again - usual session time-out...

But I anticipate "angry users" calls if that solution implemented...

I can try to use an IP of a user trying to login and compare it with IP
stored with the info on cached login, which isn't yet expired - and if it's
not then I can use SetAuthCookie (using session cookie stored in my session
object to "catch" live session) but then here is another "use case": user
has a couple of PCs on his desktop, he closes browser on one of them and
thus leave his session active on server side until time out happens, and
then this user tries to login using the same credentials from another PC but
he will be "kicked out" because there is no expired session information
simulated in custom Cache object, which will be there until this Cache
object expires...

Sorry for such a "hectic" e-mail but it looks like (and the article you
referred approves(?) that) - it looks like this simple(?) issue doesn't have
a satisfactory solution covering all of/most of the possible use cases...

Going circles here...

--
Shamil
 
-----Original Message-----
From: dba-vb-bounces at databaseadvisors.com
[mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of William Hindman
Sent: Tuesday, December 18, 2007 11:24 AM
To: dba-vb at databaseadvisors.com
Subject: Re: [dba-VB] ASP.NEt 2.0: Forms Authentication: how to
preventusingthe same login *second* time from another PC when thisloginis in
use in active session?

http://www.eggheadcafe.com/articles/20030418.asp
...maybe this is closer to what you are after.

William

----- Original Message ----- 
From: "Shamil Salakhetdinov" <shamil at users.mns.ru>
To: "'Access-D - VB'" <dba-vb at databaseadvisors.com>
Sent: Monday, December 17, 2007 4:41 PM
Subject: [dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent usingthe

same login *second* time from another PC when this loginis in use in active 
session?


Hi All,

I can't find answer/solution for the subject question:

- isn't it built-in in ASP.NET 2.0 Forms Authentication?
- Am I missing its description somewhere in MSDN or on Web?

Here is the issue I wanted to solve:

- Forms Authentication is used for and ASP.Net application;
- there are two (or more) test PCs;
- there are two (or more) testers using these PCs;
- these two (or more) testers have a set of shared test login/passwords
pairs;
- when a certain login/password is used by one tester then ASP.NET
application shouldn't allow to use it again from another test PC (or from
the same test PC but in another browser instance);
- on the other hand if the session where a certain login used expires then
obviously this login could be used on the second PC etc....

I'm looking and I can't find something like a simple function, which I
expected should have been built-in in ASP.NET Forms Authentication
(System.Web.Security.FormsAuthentication class or related classes)

1. DoesGivenLoginHasAnActiveSessionRunning(<loginName>)
...

ASP.ET does gave an event which fires when Session expires - this is
[Global.asax].Session_End(...) but it fires on time-out only, which is
usually about 20 minutes...

Now imagine that a certain login was used, and the browser in which this
login was used exited but ASP.NET application on server "doesn't know" yet
that the browser exited and this ASP.NET application has to keep continues
to keep application state related to login and until Session_End(...) fires
this state will be kept, and ASP.Net application will not let to login using
the same login, which actually has a "dead session" hanging on server...

I can implement "session hijacking & killing" IOW when the same
login/password is used while there is a live session running on server side
then this second login "kills" first session. That solution looks rather
simple to implement but is that the only option?

Am I missing simple solution of the subject issue?

Thank you.

--
Shamil



_______________________________________________
dba-VB mailing list
dba-VB at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-vb
http://www.databaseadvisors.com


_______________________________________________
dba-VB mailing list
dba-VB at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-vb
http://www.databaseadvisors.com




More information about the dba-VB mailing list