Jim Lawrence
accessd at shaw.ca
Tue Dec 18 08:57:47 CST 2007
The length of a login session, through the browser should be controlled from the IIS server. That by default has a 120 second inactivity session time-out. It can be of course set to anything. This is usually in the default web site through the IIS manager. This can be changed per web site: properties > Web Site tab > Connection Timeout/ Enable HTTP Keep-Alives. If for some reason you bale after login you may find yourself waiting to login as the IIS server will not immediately know a connection session is no longer active. Jim -----Original Message----- From: dba-vb-bounces at databaseadvisors.com [mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of Gustav Brock Sent: Tuesday, December 18, 2007 1:03 AM To: dba-vb at databaseadvisors.com Subject: Re: [dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent using the same login *second* time from another PC when this login is in use in active session? Hi Shamil To me there is no reason to block another login of the same user - the second login attempt may be perfectly legitimate - among others due to a OS crash, the user has changed machine, or the user was interrupted and forgot the first session. A better method, in my opinion, is to check at login if a session with the user credentials exists and, if so, pop a message similar to: It appears that you have already logged in. You can either keep that session open and cancel this login, or close that session and continue using this login. That should cover all scenarios and should make sense for the user. It frees you from time-out considerations and allow you - in the last case - to simply kill the old session. /gustav >>> shamil at users.mns.ru 17-12-2007 22:41 >>> Hi All, I can't find answer/solution for the subject question: - isn't it built-in in ASP.NET 2.0 Forms Authentication? - Am I missing its description somewhere in MSDN or on Web? Here is the issue I wanted to solve: - Forms Authentication is used for and ASP.Net application; - there are two (or more) test PCs; - there are two (or more) testers using these PCs; - these two (or more) testers have a set of shared test login/passwords pairs; - when a certain login/password is used by one tester then ASP.NET application shouldn't allow to use it again from another test PC (or from the same test PC but in another browser instance); - on the other hand if the session where a certain login used expires then obviously this login could be used on the second PC etc.... I'm looking and I can't find something like a simple function, which I expected should have been built-in in ASP.NET Forms Authentication (System.Web.Security.FormsAuthentication class or related classes) 1. DoesGivenLoginHasAnActiveSessionRunning(<loginName>) ... ASP.ET does gave an event which fires when Session expires - this is [Global.asax].Session_End(...) but it fires on time-out only, which is usually about 20 minutes... Now imagine that a certain login was used, and the browser in which this login was used exited but ASP.NET application on server "doesn't know" yet that the browser exited and this ASP.NET application has to keep continues to keep application state related to login and until Session_End(...) fires this state will be kept, and ASP.Net application will not let to login using the same login, which actually has a "dead session" hanging on server... I can implement "session hijacking & killing" IOW when the same login/password is used while there is a live session running on server side then this second login "kills" first session. That solution looks rather simple to implement but is that the only option? Am I missing simple solution of the subject issue? Thank you. -- Shamil _______________________________________________ dba-VB mailing list dba-VB at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-vb http://www.databaseadvisors.com