[dba-VB] ASP.NEt 2.0: Forms Authentication: how topreven using the same login *second* time from another PCwhen this login is in use in active session?

Shamil Salakhetdinov shamil at users.mns.ru
Tue Dec 18 04:30:25 CST 2007


Hi Gustav,

I think I can't use the solution you propose: one of the reasons is that my
web application has some context for every logged in user and that context
should be unique, and if I implement this:

  "It appears that you have already logged in. You can either 
  keep that session open and cancel this login, or 
  close that session and continue using this login."

then a user will be able to start two, three,... *instances* of a browser on
the same PC and if they will select "keep that session open" then they will
have the same session in all these browser instances but every of these
instances can have different context etc. - all in all that could/will
result in a havoc...

I'd think the only current workaround is to:

- use solution proposed in the articles William referred in this thread;
- implement special Admin functionality to "kill" the sessions and their
context using User Login names (this functionality will be used by support
desk for the impatient users calling them who didn't logout explicitly but
who wanted to login back immediately);
- (the next is in uppercase because this is how it probably should be done
in User Manual) WRITE IN THE USER DOC IN UPPERCASE THAT IF THEY WILL CLOSE
THEIR BROWSER WITHOUT LOGGING OUT THEN THEY WILL HAVE TO WAIT xx minutes
until their session context expires on server side...

Of course this solution doesn't look perfect (or even satisfactory) but it
looks like the only one to prevent the havoc?

Am I still missing something?

--
Shamil
 
-----Original Message-----
From: dba-vb-bounces at databaseadvisors.com
[mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of Gustav Brock
Sent: Tuesday, December 18, 2007 12:03 PM
To: dba-vb at databaseadvisors.com
Subject: Re: [dba-VB] ASP.NEt 2.0: Forms Authentication: how toprevent using
the same login *second* time from another PCwhen this login is in use in
active session?

Hi Shamil 

To me there is no reason to block another login of the same user - the
second login attempt may be perfectly legitimate - among others due to a OS
crash, the user has changed machine, or the user was interrupted and forgot
the first session.

A better method, in my opinion, is to check at login if a session with the
user credentials exists and, if so, pop a message similar to:

  It appears that you have already logged in. You can either 
  keep that session open and cancel this login, or 
  close that session and continue using this login.

That should cover all scenarios and should make sense for the user. It frees
you from time-out considerations and allow you - in the last case - to
simply kill the old session.

/gustav

>>> shamil at users.mns.ru 17-12-2007 22:41 >>>
Hi All,

I can't find answer/solution for the subject question: 

- isn't it built-in in ASP.NET 2.0 Forms Authentication? 
- Am I missing its description somewhere in MSDN or on Web?

Here is the issue I wanted to solve:

- Forms Authentication is used for and ASP.Net application;
- there are two (or more) test PCs;
- there are two (or more) testers using these PCs;
- these two (or more) testers have a set of shared test login/passwords
pairs;
- when a certain login/password is used by one tester then ASP.NET
application shouldn't allow to use it again from another test PC (or from
the same test PC but in another browser instance);
- on the other hand if the session where a certain login used expires then
obviously this login could be used on the second PC etc....

I'm looking and I can't find something like a simple function, which I
expected should have been built-in in ASP.NET Forms Authentication
(System.Web.Security.FormsAuthentication class or related classes)

1. DoesGivenLoginHasAnActiveSessionRunning(<loginName>)
...

ASP.ET does gave an event which fires when Session expires - this is
[Global.asax].Session_End(...) but it fires on time-out only, which is
usually about 20 minutes...

Now imagine that a certain login was used, and the browser in which this
login was used exited but ASP.NET application on server "doesn't know" yet
that the browser exited and this ASP.NET application has to keep continues
to keep application state related to login and until Session_End(...) fires
this state will be kept, and ASP.Net application will not let to login using
the same login, which actually has a "dead session" hanging on server...

I can implement "session hijacking & killing" IOW when the same
login/password is used while there is a live session running on server side
then this second login "kills" first session. That solution looks rather
simple to implement but is that the only option?

Am I missing simple solution of the subject issue? 

Thank you. 

--
Shamil



_______________________________________________
dba-VB mailing list
dba-VB at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-vb
http://www.databaseadvisors.com




More information about the dba-VB mailing list