[dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent using the same login second time from another PC when this login is in use in active session?

Tue Dec 18 13:31:16 CST 2007

Hi Gustav:

I think someone should either be stopped at the login or allowed to on. By
setting the policies on a group of users, through the Group Policy
Management Console (GPMC), added/attaching the group to the SQL Server >
Security > Logins section. Within GPMC the login ability of a group can set
to only one active session at a time. In effect the MS SQL server is
managing rights of the user. (I have not checked to see whether this ability
is extended to SQL Server Express but I am almost positive it is...) 

Jim

-----Original Message-----
From: dba-vb-bounces at databaseadvisors.com
[mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of Gustav Brock
Sent: Tuesday, December 18, 2007 6:59 AM
To: dba-vb at databaseadvisors.com
Subject: Re: [dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent
using the same login *second* time from another PC when this login is in use
in active session?

Hi Jim

So how would you approach this?

/gustav

>>> accessd at shaw.ca 18-12-2007 15:57 >>>
The length of a login session, through the browser should be controlled from
the IIS server. That by default has a 120 second inactivity session
time-out. It can be of course set to anything. This is usually in the
default web site through the IIS manager. This can be changed per web site:
properties > Web Site tab > Connection Timeout/ Enable HTTP Keep-Alives.

If for some reason you bale after login you may find yourself waiting to
login as the IIS server will not immediately know a connection session is no
longer active.

Jim         

-----Original Message-----
From: dba-vb-bounces at databaseadvisors.com 
[mailto:dba-vb-bounces at databaseadvisors.com] On Behalf Of Gustav Brock
Sent: Tuesday, December 18, 2007 1:03 AM
To: dba-vb at databaseadvisors.com 
Subject: Re: [dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent
using the same login *second* time from another PC when this login is in use
in active session?

Hi Shamil 

To me there is no reason to block another login of the same user - the
second login attempt may be perfectly legitimate - among others due to a OS
crash, the user has changed machine, or the user was interrupted and forgot
the first session.

A better method, in my opinion, is to check at login if a session with the
user credentials exists and, if so, pop a message similar to:

  It appears that you have already logged in. You can either 
  keep that session open and cancel this login, or 
  close that session and continue using this login.

That should cover all scenarios and should make sense for the user. It frees
you from time-out considerations and allow you - in the last case - to
simply kill the old session.

/gustav

>>> shamil at users.mns.ru 17-12-2007 22:41 >>>
Hi All,

I can't find answer/solution for the subject question: 

- isn't it built-in in ASP.NET 2.0 Forms Authentication? 
- Am I missing its description somewhere in MSDN or on Web?

Here is the issue I wanted to solve:

- Forms Authentication is used for and ASP.Net application;
- there are two (or more) test PCs;
- there are two (or more) testers using these PCs;
- these two (or more) testers have a set of shared test login/passwords
pairs;
- when a certain login/password is used by one tester then ASP.NET
application shouldn't allow to use it again from another test PC (or from
the same test PC but in another browser instance);
- on the other hand if the session where a certain login used expires then
obviously this login could be used on the second PC etc....

I'm looking and I can't find something like a simple function, which I
expected should have been built-in in ASP.NET Forms Authentication
(System.Web.Security.FormsAuthentication class or related classes)

1. DoesGivenLoginHasAnActiveSessionRunning(<loginName>)
...

ASP.ET does gave an event which fires when Session expires - this is
[Global.asax].Session_End(...) but it fires on time-out only, which is
usually about 20 minutes...

Now imagine that a certain login was used, and the browser in which this
login was used exited but ASP.NET application on server "doesn't know" yet
that the browser exited and this ASP.NET application has to keep continues
to keep application state related to login and until Session_End(...) fires
this state will be kept, and ASP.Net application will not let to login using
the same login, which actually has a "dead session" hanging on server...

I can implement "session hijacking & killing" IOW when the same
login/password is used while there is a live session running on server side
then this second login "kills" first session. That solution looks rather
simple to implement but is that the only option?

Am I missing simple solution of the subject issue? 

Thank you. 

--
Shamil

_______________________________________________
dba-VB mailing list
dba-VB at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-vb
http://www.databaseadvisors.com

[dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent using the same login *second* time from another PC when this login is in use in active session?

[dba-VB] ASP.NEt 2.0: Forms Authentication: how to prevent using the same login second time from another PC when this login is in use in active session?