How to prevent a security violation when users share a URL with a cookieless session id?


Liam

We are using cookieless sessions with the session id automatically
embedded in the URL, e.g.
http://ourdomain.com(ixbradnm5qmdfwikrt1mcfi3)/somepage.aspx.

This is an internet application and we're using the anonymous built-in
ASP.NET system account.

When an internet user comes to our main page, they provide a username
and password. We authenticate the username and password by reading a
record in our SQL Server registration database, and if there's a match,
we let the user in the door, so to speak. We assign a session variable
with the person's registrationid from our database, and we also retrieve
some facts about the user (their employer, their interests, other
demographic data they've supplied when registering) which allow us to
dynamically configure content for them. Thus, we want each user's
session to be unique to that user and not "shareable".

However, sometimes a user, when they find something of interest on our
site, will email the URL containing the embedded cookieless session id
to their colleagues. If their session hasn't timed out and their
colleagues click on the link, the colleagues end up piggybacking on the
first user's session, so to speak.

Is it possible to programmatically identify this scenario so the session
could be terminated when another user is piggybacking on an existing
session?

Is there some built-in authentication appropriate to an app that uses
the anonymous ASP.NET account, which we could use in addition to the
validation we perform against our registration database? Something that
would tie the session id to the first user's browser, so that the same
session id would simply not work in another browser?

Thanks
Liam
 

Dominick Baier [DevelopMentor]

Hi,

There is really no watertight way of preventing that - well - besides using
cookie-based sessions. I recently even saw a web page with a cookieless session
indexed on Google :)

You could add some logic to tie the session ID to the IP address - that
may work for intranet scenarios - but as soon as some NAT device/proxy/load balancer
is between the client and the server - you might get wrong results...
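
The IP-binding check Dominick describes, written out as an ASP.NET Global.asax handler. This is an added example for this thread, not code from either poster: it records the originating client address when a session starts (Liam's login flow would run inside that session) and abandons the session when a request carrying the same cookieless session ID arrives from a different address. The session key name, the handler method names and the redirect target (`~/Default.aspx`, standing in for the "main page" Liam mentions) are assumptions for the example.

```csharp
// Global.asax.cs: added example, not from the original thread.
// Binds a cookieless session to the client IP address that started it and
// abandons the session when the same session ID shows up from elsewhere.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Session key under which the originating address is stored
    // (the name is an assumption for this example).
    private const string BoundAddressKey = "__BoundClientAddress";

    // Fires once, on the first request that carries a new session ID.
    // For Liam's app this is the request that reaches the login page.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session[BoundAddressKey] = Request.UserHostAddress;
    }

    // By PostAcquireRequestState the session state module has loaded the
    // session for this request, so Session can be read safely here.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null)
        {
            return; // e.g. a handler that does not use session state
        }

        string boundAddress = ctx.Session[BoundAddressKey] as string;
        if (boundAddress == null)
        {
            // Session created before this check was deployed: bind it now.
            ctx.Session[BoundAddressKey] = ctx.Request.UserHostAddress;
            return;
        }

        // Caveat from the thread: behind NAT, a proxy or a load balancer
        // UserHostAddress may be the same for many users (the check passes
        // when it should not) or may change mid-session (a false alarm).
        if (!string.Equals(boundAddress, ctx.Request.UserHostAddress, StringComparison.Ordinal))
        {
            // Same session ID from a different address: treat the URL as
            // shared. Drop the session so the colleague does not inherit the
            // first user's registrationid, then send them to the login page.
            ctx.Session.Abandon();
            ctx.Response.Redirect("~/Default.aspx", true);
        }
    }
}
```

Before relying on this, confirm in the sessionState element of web.config how an abandoned session ID is handled (the regenerateExpiredSessionId setting), so the redirected request does not simply pick the same ID back up from the URL; and keep Dominick's caveat in mind that the address comparison is only meaningful when clients reach the server directly.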
 
