
ASP.NET sites with built-in max session count governors?

For reasons I won't get into here, I'd be curious if anyone has
tried to write an ASP.NET 2.0 site that could restrict the number of active
sessions
before disabling the application. By disable, I mean just stop the site
from functioning properly. Of course, the solution would need to be
"relatively" tamper proof.

I've worked up specs for this but was interested in the opinions
of others and any pitfalls they may have faced that I might not
have considered.

--
Robbe Morris [Microsoft MVP - Visual C#]
.NET PropertyGrid Control - ListBox, ComboBox, and Custom Classes
http://www.eggheadcafe.com/tutorials...d-control.aspx


Sep 27 '07 #1
That's pretty much what I would have proposed - though I have never tried to
do this either.

IMHO there's no need to check the session variable at the top of every page
though - session variables are available in the
Application_PreRequestHandlerExecute handler in global.asax so that would do
just as well

Also you could help mitigate the "user closes window without clicking
logout" problem with some javascript that fires when the window closes (and
maybe even when the user navigates away)

Andy
"Mark Rae [MVP]" <ma**@markNOSPAMrae.net> wrote in message
news:uJ**************@TK2MSFTNGP05.phx.gbl...
"Robbe Morris - [MVP] C#" <in**@eggheadcafe.com> wrote in message
news:e2**************@TK2MSFTNGP04.phx.gbl...
> tried to write an ASP.NET 2.0 site that could restrict the number of
> active sessions before disabling the application.

I haven't, but I'd have thought it would be fairly simple in essence...

1) In Application_Start, instantiate an Application variable e.g.

Application["Sessions"] = 0;

2) In Session_Start check the value

if ((int)Application["Sessions"] > n)
{
    // do something - maybe redirect to another page
    Session["OKToProceed"] = false;
}
else
{
    // same key as in Application_Start
    Application["Sessions"] = (int)Application["Sessions"] + 1;
    Session["OKToProceed"] = true;
}

3) In Session_End decrement the value

Application["Sessions"] = (int)Application["Sessions"] - 1;

As for pitfalls...

If you're not using inproc session management the Session_End event won't
fire.

There's no way of knowing if someone has left your site unless they click
a "Logout" button or something behind which you call Session_Abandon() -
this means that if your limit was 100 sessions and 100 users accessed the
site simultaneously and then closed their browser straightaway, no other
user could get in until the 100 sessions had timed out...

You'll need to check for Session["OKToProceed"] on every page, otherwise
users will just get to your warning page and then type default.aspx (or
whatever) into their browser's address bar - create a page base class or
use a MasterPage...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #2
"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:%2****************@TK2MSFTNGP04.phx.gbl...
> IMHO there's no need to check the session variable at the top of every
> page though - session variables are available in the
> Application_PreRequestHandlerExecute handler in global.asax so that would
> do just as well

True enough...

> Also you could help mitigate the "user closes window without clicking
> logout" problem with some javascript that fires when the window closes
> (and maybe even when the user navigates away)

That solution has come up quite frequently in here, but is very unreliable
for fairly obvious reasons...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #3
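
Added example, not code posted by anyone in the thread: the session counter from the steps quoted above, enforced once in Application_PreRequestHandlerExecute instead of on every page, with an atomic counter so concurrent session starts cannot corrupt it. MaxSessions, activeSessions and the 503 response are assumptions made for the illustration.

```csharp
// Global.asax.cs (added illustration, not code from the thread)
using System;
using System.Threading;
using System.Web;

public class Global : HttpApplication
{
    // Assumed limit; the thread only calls it "n".
    private const int MaxSessions = 100;

    // Private static field instead of Application["Sessions"]: not reachable
    // through the Application[...] collection, though code loaded into the
    // same AppDomain can still change it via reflection.
    private static int activeSessions;

    protected void Session_Start(object sender, EventArgs e)
    {
        // Atomic read-modify-write; concurrent session starts cannot lose updates.
        int count = Interlocked.Increment(ref activeSessions);
        Session["OKToProceed"] = count <= MaxSessions;
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Raised only with InProc session state, the pitfall noted above.
        // Every started session was counted, so every ended one is released.
        Interlocked.Decrement(ref activeSessions);
    }

    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        // Context.Session is null for handlers that do not use session state.
        if (Context.Session == null) return;

        object ok = Context.Session["OKToProceed"];
        if (ok is bool && !(bool)ok)
        {
            Context.Session.Abandon();   // free the slot when this request ends
            Response.StatusCode = 503;
            Response.Write("Session limit reached.");
            CompleteRequest();           // skip the page handler, go to EndRequest
        }
    }
}
```

Sessions that are never abandoned still hold their slot until the session timeout expires, exactly as described in the pitfalls above.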
Thanks guys. Basically, I'll be offering a version of the web site
for testing purposes. But, I don't want that version of the web site
deployed to a server and used. So, the session management need
to deal with expired sessions isn't big. But, the tamper proof part is.
I wouldn't want the capability of a developer deploying assemblies
or script code that could overwrite my counters at runtime.

--
Robbe Morris [Microsoft MVP - Visual C#]
.NET PropertyGrid Control - ListBox, ComboBox, and Custom Classes
http://www.eggheadcafe.com/tutorials...d-control.aspx

Sep 27 '07 #4
"Robbe Morris - [MVP] C#" <in**@eggheadcafe.com> wrote in message
news:Ol**************@TK2MSFTNGP02.phx.gbl...
> Thanks guys. Basically, I'll be offering a version of the web site
> for testing purposes. But, I don't want that version of the web site
> deployed to a server and used. So, the session management need
> to deal with expired sessions isn't big. But, the tamper proof part is.
> I wouldn't want the capability of a developer deploying assemblies
> or script code that could overwrite my counters at runtime.

Ah - well the Application / Session method won't help at all, then...

All somebody would need to do is drop a simple page onto your site with
inline server code to get round it by setting your Application variable to
e.g. -10000000

As soon as they typed the address of the page directly into the browser, it
would reset the Application variable...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #5
Well if application is precompiled and the name for that Application
variable not obvious, like Session_count then it might work

George

Sep 27 '07 #6
Yep. I figured I'd have to bury checks for operating system and
session counter (not stored in application or session variables) deep
inside some of the assemblies. If the code is obfuscated and perhaps
has some tamper proofing software run on it "should" be ok.

Of course, the OS could be a server platform running on a laptop
or perhaps just a virtual image. But, it would reduce the number
of potential tampers significantly.

Was just curious if anyone else had travelled down this road
before.

--
Robbe Morris [Microsoft MVP - Visual C#]
.NET PropertyGrid Control - ListBox, ComboBox, and Custom Classes
http://www.eggheadcafe.com/tutorials...d-control.aspx

Sep 27 '07 #7
"George Ter-Saakov" <gt****@cardone.com> wrote in message
news:uO**************@TK2MSFTNGP04.phx.gbl...
> Well if application is precompiled

Even if it is, a page with inline code would still run, right...?
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #8
It will not. It will give you an exception. "Application has been
precompiled and you can not change it" (something like that).
George.

Sep 27 '07 #9
"George Ter-Saakov" <gt****@cardone.com> wrote in message
news:Oh**************@TK2MSFTNGP05.phx.gbl...
>>> Well if application is precompiled
>>
>> Even if it is, a page with inline code would still run, right...?
>
> It will not. It will give you an exception. "Application has been
> precompiled and you can not change it" (something like that).

OK. Thanks for that...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 27 '07 #10
