ASP.NET sites with built-in max session count governors?

For reasons I won't get into here, I'd be curious if anyone has
tried to write an ASP.NET 2.0 site that could restrict the number of active
sessions before disabling the application. By disable, I mean just stop the site
from functioning properly. Of course, the solution would need to be
"relatively" tamper proof.

I've worked up specs for this but was interested in the opinions
of others and any pitfalls they may have faced that I might not
have considered.

--
Robbe Morris [Microsoft MVP - Visual C#]
.NET PropertyGrid Control - ListBox, ComboBox, and Custom Classes
http://www.eggheadcafe.com/tutorials...d-control.aspx


Sep 27 '07 #1
That's pretty much what I would have proposed - though I have never tried to
do this either.

IMHO there's no need to check the session variable at the top of every page
though - session variables are available in the
Application_PreRequestHandlerExecute handler in global.asax so that would do
just as well

Also you could help mitigate the "user closes window without clicking
logout" problem with some javascript that fires when the window closes (and
maybe even when the user navigates away)

Andy
"Mark Rae [MVP]" <ma**@markNOSPAMrae.net> wrote in message
news:uJ**************@TK2MSFTNGP05.phx.gbl...
"Robbe Morris - [MVP] C#" <in**@eggheadcafe.com> wrote in message
news:e2**************@TK2MSFTNGP04.phx.gbl...
>tried to write an ASP.NET 2.0 site that could restrict the number of
>active sessions before disabling the application.

I haven't, but I'd have thought it would be fairly simple in essence...

1) In Application_Start, instantiate an Application variable e.g.

Application["Sessions"] = 0;

2) In Session_Start check the value

// n is the maximum number of sessions
if ((int)Application["Sessions"] > n)
{
    // do something - maybe redirect to another page
    Session["OKToProceed"] = false;
}
else
{
    Application["Sessions"] = (int)Application["Sessions"] + 1;
    Session["OKToProceed"] = true;
}

3) In Session_End decrement the value

Application["Sessions"] = (int)Application["Sessions"] - 1;

As for pitfalls...

If you're not using inproc session management the Session_End event won't
fire.

There's no way of knowing if someone has left your site unless they click
a "Logout" button or something behind which you call Session_Abandon() -
this means that if your limit was 100 sessions and 100 users accessed the
site simultaneously and then closed their browser straightaway, no other
user could get in until the 100 sessions had timed out...

You'll need to check for Session["OKToProceed"] on every page, otherwise
users will just get to your warning page and then type default.aspx (or
whatever) into their browser's address bar - create a page base class or
use a MasterPage...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #2
"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:%2****************@TK2MSFTNGP04.phx.gbl...
>IMHO there's no need to check the session variable at the top of every
>page though - session variables are available in the
>Application_PreRequestHandlerExecute handler in global.asax so that would
>do just as well

True enough...

>Also you could help mitigate the "user closes window without clicking
>logout" problem with some javascript that fires when the window closes
>(and maybe even when the user navigates away)

That solution has come up quite frequently in here, but is very unreliable
for fairly obvious reasons...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #3
Thanks guys. Basically, I'll be offering a version of the web site
for testing purposes. But, I don't want that version of the web site
deployed to a server and used. So, the session management need
to deal with expired sessions isn't big. But, the tamper proof part is.
I wouldn't want the capability of a developer deploying assemblies
or script code that could overwrite my counters at runtime.

--
Robbe Morris [Microsoft MVP - Visual C#]
.NET PropertyGrid Control - ListBox, ComboBox, and Custom Classes
http://www.eggheadcafe.com/tutorials...d-control.aspx


"Mark Rae [MVP]" <ma**@markNOSPAMrae.net> wrote in message
news:%2****************@TK2MSFTNGP04.phx.gbl...
"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:%2****************@TK2MSFTNGP04.phx.gbl...
>IMHO there's no need to check the session variable at the top of every
>page though - session variables are available in the
>Application_PreRequestHandlerExecute handler in global.asax so that would
>do just as well

True enough...
>Also you could help mitigate the "user closes window without clicking
>logout" problem with some javascript that fires when the window closes
>(and maybe even when the user navigates away)

That solution has come up quite frequently in here, but is very unreliable
for fairly obvious reasons...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net
Sep 27 '07 #4
"Robbe Morris - [MVP] C#" <in**@eggheadcafe.com> wrote in message
news:Ol**************@TK2MSFTNGP02.phx.gbl...
>Thanks guys. Basically, I'll be offering a version of the web site
>for testing purposes. But, I don't want that version of the web site
>deployed to a server and used. So, the session management need
>to deal with expired sessions isn't big. But, the tamper proof part is.
>I wouldn't want the capability of a developer deploying assemblies
>or script code that could overwrite my counters at runtime.

Ah - well the Application / Session method won't help at all, then...

All somebody would need to do is drop a simple page onto your site with
inline server code to get round it by setting your Application variable to
e.g. -10000000

As soon as they typed the address of the page directly into the browser, it
would reset the Application variable...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #5
Well if application is precompiled and the name for that Application
variable not obvious, like Session_count then it might work

George

"Mark Rae [MVP]" <ma**@markNOSPAMrae.net> wrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...
"Robbe Morris - [MVP] C#" <in**@eggheadcafe.com> wrote in message
news:Ol**************@TK2MSFTNGP02.phx.gbl...
>Thanks guys. Basically, I'll be offering a version of the web site
>for testing purposes. But, I don't want that version of the web site
>deployed to a server and used. So, the session management need
>to deal with expired sessions isn't big. But, the tamper proof part is.
>I wouldn't want the capability of a developer deploying assemblies
>or script code that could overwrite my counters at runtime.

Ah - well the Application / Session method won't help at all, then...

All somebody would need to do is drop a simple page onto your site with
inline server code to get round it by setting your Application variable to
e.g. -10000000

As soon as they typed the address of the page directly into the browser,
it would reset the Application variable...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #6
Yep. I figured I'd have to bury checks for operating system and
session counter (not stored in application or session variables) deep
inside some of the assemblies. If the code is obfuscated and perhaps
has some tamper proofing software run on it "should" be ok.

Of course, the OS could be a server platform running on a laptop
or perhaps just a virtual image. But, it would reduce the number
of potential tampers significantly.

Was just curious if anyone else had travelled down this road
before.

--
Robbe Morris [Microsoft MVP - Visual C#]
.NET PropertyGrid Control - ListBox, ComboBox, and Custom Classes
http://www.eggheadcafe.com/tutorials...d-control.aspx


"Mark Rae [MVP]" <ma**@markNOSPAMrae.net> wrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...
"Robbe Morris - [MVP] C#" <in**@eggheadcafe.com> wrote in message
news:Ol**************@TK2MSFTNGP02.phx.gbl...
>Thanks guys. Basically, I'll be offering a version of the web site
>for testing purposes. But, I don't want that version of the web site
>deployed to a server and used. So, the session management need
>to deal with expired sessions isn't big. But, the tamper proof part is.
>I wouldn't want the capability of a developer deploying assemblies
>or script code that could overwrite my counters at runtime.

Ah - well the Application / Session method won't help at all, then...

All somebody would need to do is drop a simple page onto your site with
inline server code to get round it by setting your Application variable to
e.g. -10000000

As soon as they typed the address of the page directly into the browser,
it would reset the Application variable...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net
Sep 27 '07 #7
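
An added example, not code from any poster in this thread: the counter steps from post #2 and the central check in Application_PreRequestHandlerExecute, with the count moved out of Application/Session variables into private state of a compiled class as post #7 describes. The names SessionGovernor, MaxSessions and the "Pinned" key are hypothetical, and InProc session state is assumed so that Session_End fires; this narrows what a dropped-in page can overwrite, it does not make the limit tamper proof.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical helper compiled into the site's assembly. The admitted set is
// private static state, not an entry in the Application[] dictionary.
internal static class SessionGovernor
{
    private const int MaxSessions = 5;   // assumed limit for the test build
    private static readonly object Gate = new object();
    private static readonly Dictionary<string, bool> Admitted = new Dictionary<string, bool>();

    // Check and insert under one lock so concurrent Session_Start calls
    // cannot both take the last free slot.
    public static void Enter(string id)
    {
        lock (Gate)
        {
            if (Admitted.Count < MaxSessions) Admitted[id] = true;
        }
    }

    public static bool IsAdmitted(string id) { lock (Gate) { return Admitted.ContainsKey(id); } }

    public static void Leave(string id) { lock (Gate) { Admitted.Remove(id); } }
}

public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        Session["Pinned"] = true;        // storing a value keeps the SessionID stable
        SessionGovernor.Enter(Session.SessionID);
    }

    // Fires only with InProc session state (the pitfall noted in post #2).
    protected void Session_End(object sender, EventArgs e)
    {
        SessionGovernor.Leave(Session.SessionID);
    }

    // One central check instead of a test at the top of every page.
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;                 // handler has no session state
        if (SessionGovernor.IsAdmitted(ctx.Session.SessionID)) return;
        ctx.Session.Abandon();           // next request starts a new session and retries
        ctx.Response.StatusCode = 503;   // over the limit: refuse this request
        CompleteRequest();               // skip the page handler, go to EndRequest
    }
}
```

Sessions that end by timeout still hold their slot until Session_End runs, so the "closed the browser" pitfall from post #2 applies unchanged.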
"George Ter-Saakov" <gt****@cardone.com> wrote in message
news:uO**************@TK2MSFTNGP04.phx.gbl...
>Well if application is precompiled

Even if it is, a page with inline code would still run, right...?
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #8
It will not. It will give you an exception. "Application has been
precompiled and you can not change it" (something like that).
George.
"Mark Rae [MVP]" <ma**@markNOSPAMrae.net> wrote in message
news:Ol**************@TK2MSFTNGP05.phx.gbl...
"George Ter-Saakov" <gt****@cardone.com> wrote in message
news:uO**************@TK2MSFTNGP04.phx.gbl...
>Well if application is precompiled

Even if it is, a page with inline code would still run, right...?
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #9
"George Ter-Saakov" <gt****@cardone.com> wrote in message
news:Oh**************@TK2MSFTNGP05.phx.gbl...
>>>Well if application is precompiled
>>
>>Even if it is, a page with inline code would still run, right...?
>It will not. It will give you an exception. "Application has been
>precompiled and you can not change it" (something like that).

OK. Thanks for that...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #10
