special security/session scenario
From: "Petter" <petter@montel.no>
Date: Mon, 14 Oct 2002 11:10:32 +0200
Scenario: We have over 2000 users in our database. What is different between our user accounts and common user accounts is that one or more users can share the same account. We have a MAXUSERS field in our database telling how many simultaneous users can be logged on at the same time. In a CURRENTUSER field we keep track of how many users are logged in with the account. If this exceeds MAXUSERS, you cannot log in. In ordinary ASP and IIS we kept track of this with sessions. When the session timed out, the user account's currentusers was decreased by one. This almost worked well; we all know the session problems (not timing out, losing it, etc.). At the top of all ASP pages we included a file testing if the user had a session. If not, he had to log in.

We are now going to build the site in .NET, and I hoped to be able to use some of the new features that were included.

Forms authentication: Instead of including a file in each ASP page checking if the user was logged in (user has a session), .NET integrates this security with an authentication ticket. But is it possible to set a timeout in the authentication ticket that the .NET application knows about? So if the user closes his browser or browses to another site and is gone for more than 5 minutes, this will fire a function at the server (like session_timeout), where we can decrease the currentusers for that user account. Or is it only possible to check the authentication ticket when the user uses the site?

I've tried to combine both forms authentication and session, so when the session timed out I tried to call FormsAuthentication.signout(). But the FormsAuthentication object is not reachable from the session_timeout, and the session object is not reachable from Application (Application_AuthenticateRequest). Let's say we use both forms authentication and session, and the user browses to another page. The session_timeout will fire after 5 minutes, and the currentuser will decrease by one. If this user browses back to the site, he will not be prompted with a logon, because he has an authentication ticket... but the currentuser will be decreased by one, so another user can log in with the same account.

So since the user has to be in contact with the site to check the authentication ticket, I guess we are back to only using the session object?

Am I missing something here?
Best regards
Petter Søreide
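An added example, not part of Petter's post, showing one way to reconcile the two timeouts in ASP.NET's Global.asax: release the seat in Session_End, and in Session_Start treat an already-authenticated identity (ticket outlived the session) as a returning user who must re-acquire a seat or be signed out. AccountStore is a hypothetical in-memory stand-in for the MAXUSERS/CURRENTUSER columns; a real site would do the same check in a database transaction.

```csharp
// Global.asax.cs (ASP.NET, InProc session state: Session_End does not fire for
// StateServer/SQLServer modes). AccountStore is a hypothetical in-memory stand-in.
using System;
using System.Collections;
using System.Web;
using System.Web.Security;
public class AccountStore
{
    static readonly Hashtable maxUsers = new Hashtable();     // account -> MAXUSERS
    static readonly Hashtable currentUsers = new Hashtable(); // account -> CURRENTUSER
    static int Get(Hashtable t, string k) { return t[k] is int ? (int)t[k] : 0; }
    public static void Define(string account, int max) { lock (maxUsers) maxUsers[account] = max; }
    // Take a seat only if CURRENTUSER < MAXUSERS; the lock stands in for a DB transaction.
    public static bool TryAcquireSeat(string account)
    {
        lock (maxUsers)
        {
            if (Get(currentUsers, account) >= Get(maxUsers, account)) return false;
            currentUsers[account] = Get(currentUsers, account) + 1;
            return true;
        }
    }
    // Give a seat back, never going below zero (guards against double release).
    public static void ReleaseSeat(string account)
    {
        lock (maxUsers) currentUsers[account] = Math.Max(0, Get(currentUsers, account) - 1);
    }
}
public class Global : HttpApplication
{
    // Fires when the session times out (InProc only): give the seat back.
    protected void Session_End(object sender, EventArgs e)
    {
        string account = Session["account"] as string;
        if (account != null) AccountStore.ReleaseSeat(account);
    }
    // Fires for every new session, after forms authentication has run. An
    // authenticated identity here means the ticket outlived the session and the
    // seat was already released: re-take one, or sign out if the account is full.
    protected void Session_Start(object sender, EventArgs e)
    {
        if (!Context.User.Identity.IsAuthenticated) return;
        string account = Context.User.Identity.Name;
        if (AccountStore.TryAcquireSeat(account)) { Session["account"] = account; return; }
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The logon page runs the same TryAcquireSeat check before calling FormsAuthentication.SetAuthCookie, and setting `<forms timeout="5">` in web.config keeps the ticket's own lifetime in step with the session so a long-idle user is also re-prompted rather than silently re-seated.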