Hi
I face this challenge:
An existing site with 50000+ html-files needs to be protected by a custom
login-system which has two goals:
1. Protect HTML-content (authentication required)
2. If the same username is used by two persons at the same time, they have
to be logged out (when a login is used, other users currently logged in
using the same login need to be logged out).
It is not an option to modify the html-files.
I enabled forms authentication, and created login-code. This works great. I
also made sure asp.net processes html-files, so unauthenticated users are
sent to the login-screen. So far so good.
As for goal two, logging people using same login out, it's a bit more
challenging.
When a user (User A) logs in, I give the user a custom session-id, which I
store in the database and in a session-variable. If a new user logs in using
the same credentials (User B) , the session of the User A expires in the
database. The next time User A requests a page, I need to log User A out.
I have managed to get that working for .aspx-files using global.asax and the
Application_PreRequestHandlerExecute-sub (context.session is not available
in Application_BeginRequest). I use the section to check in a db if the
session is still valid - and if not I redirect to the login-page.
This section Application_PreRequestHandlerExecute also fires for a user who
requests a html-file, but the context.session object is not available. I get
an error that Context.session is nothing. It is however available when the
user requests a .aspx-file. That means I can't get a hold of the
session-variable I need, in order to check the users status in the db (if
the session is still valid).
How can I work around this? Other ideas are also welcome.
I know this is a bit complicated to explain, I hope I managed to get the
message through. :)
Thanks in advance
- Klaus
