Gustav Brock
Gustav at cactus.dk
Tue Dec 18 05:10:09 CST 2007
Hi Shamil > Am I missing simple solution of the subject issue? Or maybe I am ...? The difference is that I have only made some careful thoughts about this for an upcoming application, while you are actively dealing with real code and test. In the scenario you describe, which is very likely to happen, at the second login the user would need to make a choice. If he choses to keep the new session, your app kills the first. At the third login, if he choses to keep that, the second session (and the first if still alive) would be killed by the app. On the other hand, if he cancels new a login, the previous session will not be affected while the new session will be killed (message: Login cancelled, session closed). Of course, the browser windows will not close, but if he tries to operate the first or second session, a page will be displayed telling that the session has been closed. If this is not possible, please tell. /gustav >>> shamil at users.mns.ru 18-12-2007 11:30 >>> Hi Gustav, I think I can't use the solution you propose: one of the reasons is that my web application has some context for every logged in user and that context should be unique, and if I implement this: "It appears that you have already logged in. You can either keep that session open and cancel this login, or close that session and continue using this login." then a user will be able to start two, three,... *instances* of a browser on the same PC and if they will select "keep that session open" then they will have the same session in all these browser instances but every of these instances can have different context etc. - all in all that could/will result in a havoc... I'd think the only current workaround is to: - use solution proposed in the articles William referred in this thread; - implement special Admin functionality to "kill" the sessions and their context using User Login names (this functionality will be used by support desk for the impatient users calling them who didn't logout explicitly but who wanted to login back immediately); - (the next is in uppercase because this is how it probably should be done in User Manual) WRITE IN THE USER DOC IN UPPERCASE THAT IF THEY WILL CLOSE THEIR BROWSER WITHOUT LOGGING OUT THEN THEY WILL HAVE TO WAIT xx minutes until their session context expires on server side... Of course this solution doesn't look perfect (or even satisfactory) but it looks like the only one to prevent the havoc? Am I still missing something? -- Shamil -----Original Message----- From: dba-vb-bounces at databaseadvisors.com [mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of Gustav Brock Sent: Tuesday, December 18, 2007 12:03 PM To: dba-vb at databaseadvisors.com Subject: Re: [dba-VB] ASP.NEt 2.0: Forms Authentication: how toprevent using the same login *second* time from another PCwhen this login is in use in active session? Hi Shamil To me there is no reason to block another login of the same user - the second login attempt may be perfectly legitimate - among others due to a OS crash, the user has changed machine, or the user was interrupted and forgot the first session. A better method, in my opinion, is to check at login if a session with the user credentials exists and, if so, pop a message similar to: It appears that you have already logged in. You can either keep that session open and cancel this login, or close that session and continue using this login. That should cover all scenarios and should make sense for the user. It frees you from time-out considerations and allow you - in the last case - to simply kill the old session. /gustav >>> shamil at users.mns.ru 17-12-2007 22:41 >>> Hi All, I can't find answer/solution for the subject question: - isn't it built-in in ASP.NET 2.0 Forms Authentication? - Am I missing its description somewhere in MSDN or on Web? Here is the issue I wanted to solve: - Forms Authentication is used for and ASP.Net application; - there are two (or more) test PCs; - there are two (or more) testers using these PCs; - these two (or more) testers have a set of shared test login/passwords pairs; - when a certain login/password is used by one tester then ASP.NET application shouldn't allow to use it again from another test PC (or from the same test PC but in another browser instance); - on the other hand if the session where a certain login used expires then obviously this login could be used on the second PC etc.... I'm looking and I can't find something like a simple function, which I expected should have been built-in in ASP.NET Forms Authentication (System.Web.Security.FormsAuthentication class or related classes) 1. DoesGivenLoginHasAnActiveSessionRunning(<loginName>) ... ASP.ET does gave an event which fires when Session expires - this is [Global.asax].Session_End(...) but it fires on time-out only, which is usually about 20 minutes... Now imagine that a certain login was used, and the browser in which this login was used exited but ASP.NET application on server "doesn't know" yet that the browser exited and this ASP.NET application has to keep continues to keep application state related to login and until Session_End(...) fires this state will be kept, and ASP.Net application will not let to login using the same login, which actually has a "dead session" hanging on server... I can implement "session hijacking & killing" IOW when the same login/password is used while there is a live session running on server side then this second login "kills" first session. That solution looks rather simple to implement but is that the only option? Am I missing simple solution of the subject issue? Thank you. -- Shamil