Jim Lawrence
accessd at shaw.ca
Tue Dec 18 08:29:34 CST 2007
Hi Shamil:

The login limitations are set at the server end. Everything from who can log in, when they can log in, how long they can log in for, what can be accessed when login is obtained, the level of password complexity and even if they can log in more than once. This is all set at the Server login using roles, groups and policies.

The user can be confronted at the splash or landing page to log in, and from the login the user's ability is controlled from the server. That is the server's role and not the responsibility of the presentation section of the application, whether desktop or browser.

Jim

-----Original Message-----
From: dba-vb-bounces at databaseadvisors.com [mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of Shamil Salakhetdinov
Sent: Monday, December 17, 2007 1:41 PM
To: 'Access-D - VB'
Subject: [dba-VB] ASP.NET 2.0: Forms Authentication: how to prevent using the same login *second* time from another PC when this login is in use in active session?

Hi All,

I can't find an answer/solution for the subject question:

- isn't it built-in in ASP.NET 2.0 Forms Authentication?
- Am I missing its description somewhere in MSDN or on the Web?

Here is the issue I wanted to solve:

- Forms Authentication is used for an ASP.NET application;
- there are two (or more) test PCs;
- there are two (or more) testers using these PCs;
- these two (or more) testers have a set of shared test login/password pairs;
- when a certain login/password is used by one tester then the ASP.NET application shouldn't allow it to be used again from another test PC (or from the same test PC but in another browser instance);
- on the other hand, if the session where a certain login is used expires then obviously this login could be used on the second PC etc....

I'm looking and I can't find something like a simple function, which I expected should have been built-in in ASP.NET Forms Authentication (System.Web.Security.FormsAuthentication class or related classes)

1. DoesGivenLoginHasAnActiveSessionRunning(<loginName>)
...

ASP.NET does have an event which fires when Session expires - this is [Global.asax].Session_End(...) but it fires on time-out only, which is usually about 20 minutes...

Now imagine that a certain login was used, and the browser in which this login was used exited, but the ASP.NET application on the server "doesn't know" yet that the browser exited, and this ASP.NET application has to continue to keep application state related to the login, and until Session_End(...) fires this state will be kept, and the ASP.NET application will not allow logging in using the same login, which actually has a "dead session" hanging on the server...

I can implement "session hijacking & killing", IOW when the same login/password is used while there is a live session running on the server side then this second login "kills" the first session. That solution looks rather simple to implement, but is that the only option?

Am I missing a simple solution to the subject issue?

Thank you.

--
Shamil
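One way to implement the server-side check discussed in this thread, as an added example that is not part of the original messages and not a built-in ASP.NET facility: a registry that refuses a second session for a login only while the first session has been seen recently, so a closed browser stops blocking the login before Session_End fires. The class name, member names and the stale window are assumptions.

```csharp
using System;
using System.Collections.Generic;
// Added example: LoginSessionRegistry and its members are hypothetical names,
// not an ASP.NET API. State is in memory, so one server process is assumed.
public sealed class LoginSessionRegistry
{
    private sealed class Entry { public string SessionId; public DateTime LastSeenUtc; }

    private readonly Dictionary<string, Entry> _active =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly object _gate = new object();
    private readonly TimeSpan _staleAfter;
    public LoginSessionRegistry(TimeSpan staleAfter) { _staleAfter = staleAfter; }

    // Call after the password check succeeds. Refuses only while a different
    // session holds the login AND was seen within the stale window.
    public bool TryAcquire(string login, string sessionId, DateTime nowUtc)
    {
        lock (_gate)
        {
            if (_active.TryGetValue(login, out Entry e) && e.SessionId != sessionId
                && nowUtc - e.LastSeenUtc < _staleAfter)
                return false;
            _active[login] = new Entry { SessionId = sessionId, LastSeenUtc = nowUtc };
            return true;
        }
    }

    // Call on every authenticated request. False means this session no longer
    // owns the login (it went stale and was replaced), so sign it out.
    public bool Touch(string login, string sessionId, DateTime nowUtc)
    {
        lock (_gate)
        {
            if (!_active.TryGetValue(login, out Entry e) || e.SessionId != sessionId)
                return false;
            e.LastSeenUtc = nowUtc;
            return true;
        }
    }

    // Call from logout and from Session_End so the login frees up immediately.
    public void Release(string login, string sessionId)
    {
        lock (_gate)
        {
            if (_active.TryGetValue(login, out Entry e) && e.SessionId == sessionId) _active.Remove(login);
        }
    }
}
```

The stale window has to be longer than the longest gap between requests from a client that is still open, otherwise a live session is treated as dead and replaced.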