[dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent using the same login *second* time from another PC when this login is in use in active session?

Shamil Salakhetdinov shamil at users.mns.ru
Tue Dec 18 09:52:05 CST 2007


Hello Gustav,

The subject issue sounds simple but it looks like it doesn't have a
"perfect" solution: there are so many issues involved here, starting from
usability, scalability, stateless/stateful apps, current context, ....., and
ending in application access roles, membership and security - there are so
many issues that we could discuss them here endlessly - my Internet
search from yesterday evening and this day gave me many, sometimes
contradictory, "hints", so I must say I should abandon all of them and just
use "common sense" here: agree with the customer which way of solving the subject
issue suits my customer best of all and just implement it:

- we currently agreed it's not a problem for a user to wait 15-30
minutes for an abandoned session to expire, and for testing purposes I will
have "killing" functionality implemented - later on, when all the other
custom functionality is ready, I will try to find out whether it is possible to
release this "killing sessions" functionality for user mode system access -
if that doesn't look hazardous to the system consistency then I will adjust
and release this "session killing" functionality... (the app under
development does have a part talking to the external Credit Card processing
provider/server - and this is a two/three step process which had better
not be interrupted, at least when the external server talks back to our app, which
should process this answer in one go: yes, I can program it that way but
better later than now because, as usual, the time frame to finish development and
release the first public version is very strict...

--
Shamil
 

-----Original Message-----
From: dba-vb-bounces at databaseadvisors.com
[mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of Gustav Brock
Sent: Tuesday, December 18, 2007 2:10 PM
To: dba-vb at databaseadvisors.com
Subject: Re: [dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent using
the same login *second* time from another PC when this login is in use in
active session?

Hi Shamil

> Am I missing a simple solution of the subject issue?

Or maybe I am ...? The difference is that I have only made some careful
thoughts about this for an upcoming application, while you are actively
dealing with real code and test.

In the scenario you describe, which is very likely to happen, at the second
login the user would need to make a choice. If he chooses to keep the new
session, your app kills the first. At the third login, if he chooses to keep
that, the second session (and the first if still alive) would be killed by
the app. On the other hand, if he cancels a new login, the previous session
will not be affected while the new session will be killed (message: Login
cancelled, session closed).
Of course, the browser windows will not close, but if he tries to operate
the first or second session, a page will be displayed telling that the
session has been closed.

If this is not possible, please tell. 

/gustav

>>> shamil at users.mns.ru 18-12-2007 11:30 >>>
Hi Gustav,

I think I can't use the solution you propose: one of the reasons is that my
web application has some context for every logged in user and that context
should be unique, and if I implement this:

  "It appears that you have already logged in. You can either 
  keep that session open and cancel this login, or 
  close that session and continue using this login."

then a user will be able to start two, three,... *instances* of a browser on
the same PC and if they select "keep that session open" then they will
have the same session in all these browser instances but each of these
instances can have a different context etc. - all in all that could/will
result in havoc...

I'd think the only current workaround is to:

- use the solution proposed in the articles William referred to in this thread;
- implement special Admin functionality to "kill" the sessions and their
context using User Login names (this functionality will be used by the support
desk for the impatient users calling them who didn't log out explicitly but
who want to log in back immediately);
- (the next is in uppercase because this is how it probably should be done
in the User Manual) WRITE IN THE USER DOC IN UPPERCASE THAT IF THEY CLOSE
THEIR BROWSER WITHOUT LOGGING OUT THEN THEY WILL HAVE TO WAIT xx minutes
until their session context expires on the server side...

Of course this solution doesn't look perfect (or even satisfactory) but it
looks like the only one to prevent the havoc?

Am I still missing something?

--
Shamil
 
-----Original Message-----
From: dba-vb-bounces at databaseadvisors.com 
[mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of Gustav Brock
Sent: Tuesday, December 18, 2007 12:03 PM
To: dba-vb at databaseadvisors.com 
Subject: Re: [dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent using
the same login *second* time from another PC when this login is in use in
active session?

Hi Shamil 

To me there is no reason to block another login of the same user - the
second login attempt may be perfectly legitimate - among others due to an OS
crash, the user has changed machine, or the user was interrupted and forgot
the first session.

A better method, in my opinion, is to check at login if a session with the
user credentials exists and, if so, pop a message similar to:

  It appears that you have already logged in. You can either 
  keep that session open and cancel this login, or 
  close that session and continue using this login.

That should cover all scenarios and should make sense for the user. It frees
you from time-out considerations and allows you - in the last case - to
simply kill the old session.

/gustav

>>> shamil at users.mns.ru 17-12-2007 22:41 >>>
Hi All,

I can't find an answer/solution for the subject question:

- isn't it built-in in ASP.NET 2.0 Forms Authentication?
- Am I missing its description somewhere in MSDN or on the Web?

Here is the issue I wanted to solve:

- Forms Authentication is used for an ASP.Net application;
- there are two (or more) test PCs;
- there are two (or more) testers using these PCs;
- these two (or more) testers have a set of shared test login/password
pairs;
- when a certain login/password is used by one tester then the ASP.NET
application shouldn't allow it to be used again from another test PC (or from
the same test PC but in another browser instance);
- on the other hand, if the session where a certain login is used expires then
obviously this login could be used on the second PC etc....

I'm looking and I can't find something like a simple function, which I
expected should have been built-in in ASP.NET Forms Authentication
(System.Web.Security.FormsAuthentication class or related classes):

1. DoesGivenLoginHasAnActiveSessionRunning(<loginName>)
...

ASP.NET does have an event which fires when a Session expires - this is
[Global.asax].Session_End(...) but it fires on time-out only, which is
usually about 20 minutes...

Now imagine that a certain login was used, and the browser in which this
login was used exited, but the ASP.NET application on the server "doesn't know" yet
that the browser exited, and this ASP.NET application has to continue
to keep application state related to the login, and until Session_End(...) fires
this state will be kept, and the ASP.Net application will not allow login using
the same login, which actually has a "dead session" hanging on the server...

I can implement "session hijacking & killing", IOW when the same
login/password is used while there is a live session running on the server side
then this second login "kills" the first session. That solution looks rather
simple to implement, but is that the only option?

Am I missing a simple solution of the subject issue?

Thank you. 

--
Shamil
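The thread asks for a helper along the lines of "does this login have an active session" and ends up with Gustav's "keep the old session or kill it" choice plus a support-desk "kill by login name" function. The example below is an added sketch of how those pieces fit together in ASP.NET 2.0 Forms Authentication; it is not code from the thread, from Shamil's application or from the articles mentioned. The class name ActiveSessionRegistry, the page SessionClosed.aspx and the Login control's Authenticate handler are assumptions; FormsAuthentication, Membership, Session and the Global.asax events are the real framework members the posts refer to.

```csharp
// Added example (not from the thread): an in-process registry mapping each
// login name to the ASP.NET session that currently holds it. Works for a single
// worker process with InProc session state; a web garden/farm would need the
// same two tables in a database instead of static dictionaries.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

public static class ActiveSessionRegistry
{
    private static readonly object Gate = new object();
    // login name -> SessionID of the session that currently owns that login
    private static readonly Dictionary<string, string> Owners =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
    // SessionIDs that a newer login or the support desk has revoked
    private static readonly Dictionary<string, bool> Revoked = new Dictionary<string, bool>();

    // The helper the first post looked for and did not find in FormsAuthentication.
    public static bool HasActiveSession(string userName)
    {
        lock (Gate) { return Owners.ContainsKey(userName); }
    }

    // Claim the login for this session. Returns false if another session holds it
    // and the caller did not ask to kill it; otherwise the old session is revoked.
    public static bool TryClaim(string userName, string sessionId, bool killOld)
    {
        lock (Gate)
        {
            string current;
            if (Owners.TryGetValue(userName, out current) && current != sessionId)
            {
                if (!killOld) return false;
                Revoked[current] = true;      // old session is rejected on its next request
            }
            Owners[userName] = sessionId;
            return true;
        }
    }

    public static bool IsRevoked(string sessionId)
    {
        lock (Gate) { return Revoked.ContainsKey(sessionId); }
    }

    // Called on logout, on Session_End and after a revoked session is cleaned up.
    public static void Release(string userName, string sessionId)
    {
        lock (Gate)
        {
            string current;
            if (userName != null && Owners.TryGetValue(userName, out current) && current == sessionId)
                Owners.Remove(userName);
            Revoked.Remove(sessionId);
        }
    }

    // The support-desk "kill by login name" function discussed in the thread.
    public static void KillByUserName(string userName)
    {
        lock (Gate)
        {
            string current;
            if (Owners.TryGetValue(userName, out current)) Revoked[current] = true;
        }
    }
}

// Global.asax code-behind: enforce revocation and release logins on time-out.
public class Global : HttpApplication
{
    // Session state is available here; bounce requests from a revoked session.
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        if (Context.Session == null || !Request.IsAuthenticated) return;
        if (!ActiveSessionRegistry.IsRevoked(Context.Session.SessionID)) return;
        ActiveSessionRegistry.Release(User.Identity.Name, Context.Session.SessionID);
        Context.Session.Abandon();
        FormsAuthentication.SignOut();
        Response.Redirect("~/SessionClosed.aspx");   // "session has been closed" page
    }

    // Fires only on time-out (and only with InProc state), exactly as the thread notes.
    protected void Session_End(object sender, EventArgs e)
    {
        ActiveSessionRegistry.Release(Session["UserName"] as string, Session.SessionID);
    }
}

// Login page: validate the password first, then apply the "keep or kill" choice.
public partial class LoginPage : System.Web.UI.Page
{
    protected Login Login1;            // the ASP.NET 2.0 Login control
    protected CheckBox KillOldSession; // assumed checkbox: "close my other session"

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        if (!Membership.ValidateUser(Login1.UserName, Login1.Password)) { e.Authenticated = false; return; }
        Session["UserName"] = Login1.UserName;   // storing data makes the SessionID stable
        e.Authenticated = ActiveSessionRegistry.TryClaim(Login1.UserName, Session.SessionID, KillOldSession.Checked);
        if (!e.Authenticated)
            Login1.FailureText = "It appears that you have already logged in. Tick the box to close that session and continue.";
    }
}
```

Two details matter for the scenarios in the thread. The "dead session" left by a closed browser is handled by Session_End releasing the login, so the waiting time is the session time-out and nothing longer; and a revoked session is rejected on its next request rather than at the moment of revocation, which is why the old browser window stays open but shows the "session closed" page as soon as it is used.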


_______________________________________________
dba-VB mailing list
dba-VB at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-vb
http://www.databaseadvisors.com



