Shamil Salakhetdinov
shamil at users.mns.ru
Tue Dec 18 03:03:18 CST 2007
Yes, William, the article you refer to is the closest to what I'm hunting for... (BTW, what Google(?) search criteria did you use to find it - I missed it when looking for such information in Google)

Yes, this is the closest to what I'm looking for but still it isn't what I need I think (but it looks like there is no other closer solution)...

In fact I planned to implement something like what is proposed by this article but still at least one(?) problem exists with this solution:

- if a user closes the browser and then immediately tries to login using the same FormsAuthentication credentials then he will be "kicked-out" every time until the Cache object simulating Session_End expires...

That's not a big issue(?) - a user will have to wait between 15 and 30 minutes to login again - usual session time-out... But I anticipate "angry users" calls if that solution is implemented...

I can try to use the IP of a user trying to login and compare it with the IP stored with the info on the cached login, which isn't yet expired - and if it's not then I can use SetAuthCookie (using the session cookie stored in my session object to "catch" the live session) but then here is another "use case": a user has a couple of PCs on his desktop, he closes the browser on one of them and thus leaves his session active on the server side until time out happens, and then this user tries to login using the same credentials from another PC but he will be "kicked out" because there is no expired session information simulated in the custom Cache object, which will be there until this Cache object expires...

Sorry for such a "hectic" e-mail but it looks like (and the article you referred to approves(?) that) - it looks like this simple(?) issue doesn't have a satisfactory solution covering all of/most of the possible use cases...

Going in circles here...
--
Shamil

-----Original Message-----
From: dba-vb-bounces at databaseadvisors.com [mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of William Hindman
Sent: Tuesday, December 18, 2007 11:24 AM
To: dba-vb at databaseadvisors.com
Subject: Re: [dba-VB] ASP.NET 2.0: Forms Authentication: how to prevent using the same login *second* time from another PC when this login is in use in active session?

http://www.eggheadcafe.com/articles/20030418.asp

...maybe this is closer to what you are after.

William

----- Original Message -----
From: "Shamil Salakhetdinov" <shamil at users.mns.ru>
To: "'Access-D - VB'" <dba-vb at databaseadvisors.com>
Sent: Monday, December 17, 2007 4:41 PM
Subject: [dba-VB] ASP.NET 2.0: Forms Authentication: how to prevent using the same login *second* time from another PC when this login is in use in active session?

Hi All,

I can't find an answer/solution for the subject question:

- isn't it built-in in ASP.NET 2.0 Forms Authentication?
- Am I missing its description somewhere in MSDN or on the Web?

Here is the issue I wanted to solve:

- Forms Authentication is used for an ASP.NET application;
- there are two (or more) test PCs;
- there are two (or more) testers using these PCs;
- these two (or more) testers have a set of shared test login/password pairs;
- when a certain login/password is used by one tester then the ASP.NET application shouldn't allow it to be used again from another test PC (or from the same test PC but in another browser instance);
- on the other hand if the session where a certain login is used expires then obviously this login could be used on the second PC etc....

I'm looking and I can't find something like a simple function, which I expected should have been built-in in ASP.NET Forms Authentication (System.Web.Security.FormsAuthentication class or related classes)

1. DoesGivenLoginHasAnActiveSessionRunning(<loginName>)

...

ASP.NET does have an event which fires when a Session expires - this is [Global.asax].Session_End(...) but it fires on time-out only, which is usually about 20 minutes...

Now imagine that a certain login was used, and the browser in which this login was used exited but the ASP.NET application on the server "doesn't know" yet that the browser exited and this ASP.NET application has to continue to keep application state related to the login and until Session_End(...) fires this state will be kept, and the ASP.NET application will not let anyone login using the same login, which actually has a "dead session" hanging on the server...

I can implement "session hijacking & killing" IOW when the same login/password is used while there is a live session running on the server side then this second login "kills" the first session.

That solution looks rather simple to implement but is that the only option? Am I missing a simple solution of the subject issue?

Thank you.

--
Shamil

_______________________________________________
dba-VB mailing list
dba-VB at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-vb
http://www.databaseadvisors.com
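
The two policies weighed in this thread (refuse a second login while a session still looks live, or let the second login replace the first) can be compared with a small registry keyed by login name. This is an added example, not code from the thread, the linked article or ASP.NET itself; `SessionRegistry`, `Policy`, the token format and the convention of calling `Touch` on every authenticated request are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public enum Policy { DenyIfActive, LastLoginWins }

// Hypothetical helper (not an ASP.NET API): one live session per login, sliding idle timeout.
public sealed class SessionRegistry
{
    private sealed class Entry { public string Token; public DateTime LastSeen; }
    private readonly Dictionary<string, Entry> _byLogin =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly object _gate = new object();
    private readonly TimeSpan _idle;
    private readonly Policy _policy;
    public SessionRegistry(TimeSpan idle, Policy policy) { _idle = idle; _policy = policy; }

    // Returns a new session token, or null when the login is refused.
    public string TryLogin(string login, DateTime now)
    {
        lock (_gate)
        {
            bool live = _byLogin.TryGetValue(login, out Entry e) && now - e.LastSeen < _idle;
            if (live && _policy == Policy.DenyIfActive) return null;
            byte[] raw = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
            // Overwriting the entry revokes whatever token was issued before.
            _byLogin[login] = new Entry { Token = Convert.ToBase64String(raw), LastSeen = now };
            return _byLogin[login].Token;
        }
    }

    // Call on every authenticated request; false means the session was replaced or expired.
    public bool Touch(string login, string token, DateTime now)
    {
        lock (_gate)
        {
            if (!_byLogin.TryGetValue(login, out Entry e) || e.Token != token) return false;
            if (now - e.LastSeen >= _idle) { _byLogin.Remove(login); return false; }
            e.LastSeen = now;
            return true;
        }
    }
}
```

With `DenyIfActive`, `TryLogin` keeps returning null for a user who closed the browser until the idle timeout has passed since that session's last `Touch`, which is the lockout described in the reply. With `LastLoginWins`, the new login succeeds at once and the abandoned session's token fails its next `Touch`, so the application can sign that browser out.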