Re: Web Application Security

From: Paul (paul_at_itssystems.co.uk)
Date: 05/23/03


Date: Fri, 23 May 2003 15:16:00 +0100


I thought of that, but there is still the problem of ending the other user's
session, i.e. if user 1 is logged in, then user 2 logs in and gets the
message. They then say to log off the other user. The database field (logged
in) will still be flagged as 1 so the other user will still have access to
the pages.

Do you know of any way to loop through all sessions for a particular
website, and look at the "User ID" value for each session? I assume it can
be done, as a lot of web reporting software shows the active sessions for
the website in realtime.

"Gary" <garyrudy2000@yahoo.com> wrote in message
news:0e0701c32132$f6ad74b0$a101280a@phx.gbl...
> Try putting a field in your database that when a user is
> logged in the field will get updated with a "1". Then
> when they log out that field gets updated with a "0".
> Then in your code check for that field. If the field
> is "0" then allow them in. If the field is "1" return a
> message to them indicating they are already logged in and
> can not login again.
>
>
>
> >-----Original Message-----
> >Hi
> >
> >I have several web applications running on IIS, all requiring
> >authentication. At the moment I do this by storing users in a database, and
> >setting a session variable "UserID" when they log in. Authentication is then
> >done in each ASP page and redirects if no session variable is set.
> >
> >I now want to stop people logging in from separate machines with the same
> >user, i.e. I want to check that their UserID is not already stored in any
> >session for that web. If they are already logged in, I want to prompt them
> >to log their user off (the other user who is using their account). Any
> >ideas, preferably using VB Script to check IIS server variables???
> >
> >
> >.
> >
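
One way to get the "log the other user off" behaviour discussed in this thread without looping through sessions, as an added example that is not from any poster here: record which session owns each UserID in the Application object and have every protected page check it. Apart from Session("UserID"), the routine names, the key prefix, and login.asp are assumptions.

```vbscript
<%
' Hypothetical include for the login page and every protected page.
' Only Session("UserID") comes from the thread; other names are assumptions.

' Application key under which the owning session for a user is recorded.
Function OwnerKey(userId)
    OwnerKey = "ActiveSession_" & CStr(userId)
End Function

' True if a different session currently holds this account.
Function IsHeldElsewhere(userId)
    Dim owner
    owner = Application(OwnerKey(userId))   ' Empty when nobody holds it
    IsHeldElsewhere = (Not IsEmpty(owner)) And (CStr(owner) <> CStr(Session.SessionID))
End Function

' Call after the password check succeeds (and, if IsHeldElsewhere was True,
' after the user has confirmed logging the other session off).
Sub ClaimAccount(userId)
    Application.Lock
    Application(OwnerKey(userId)) = Session.SessionID
    Application.Unlock
    Session("UserID") = userId
End Sub

' Call at the top of every protected page in place of the plain UserID test.
Sub RequireLogin()
    Dim userId
    userId = Session("UserID")
    If CStr(userId) = "" Then Response.Redirect "login.asp"
    If IsHeldElsewhere(userId) Then
        ' A newer login claimed the account: end this session only.
        Session.Abandon
        Response.Redirect "login.asp?reason=replaced"
    End If
End Sub

' Call from the logout page; only the owning session may clear the record.
Sub ReleaseAccount()
    Dim userId
    userId = Session("UserID")
    If CStr(userId) = "" Then Exit Sub
    Application.Lock
    If CStr(Application(OwnerKey(userId))) = CStr(Session.SessionID) Then
        Application.Contents.Remove OwnerKey(userId)
    End If
    Application.Unlock
End Sub
%>
```

Application state is per application and is lost when the application restarts, so a record left behind by a timed-out session only causes an extra takeover prompt at the next login. To enforce the rule across several applications or servers, the owning session's ID can be stored in a database column in place of a 1/0 flag.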


