Track a session user

[tshad]

If I am using FormsAuthentication, is there a way to check who is logged in?

I want to be able to check at any particular time, not just how many people
are logged in, but who they are.

One thing I want to do is not allow someone to log on from one browser and
then log on again at the same time time from another browser. Or to prevent
someone from using the same login at the same time.

Thanks,

Tom

 

[Sacha Korell]

Hi Tom,

I'm actually working on the same problem at this time and found some good
articles:

http://www.eggheadcafe.com/articles/20030416.asp
http://www.eggheadcafe.com/articles/20030418.asp
http://www.aspfree.com/index.php?option=content&task=view&id=2118

All articles use a similar technique whereby you store the current user's id
in application cache when they log in and remove it when they log out and it
works fairly well.

The only problem I have now is that my customer wants a user to be logged
out of the system when he uses the same browser to navigate to a different
website (without logging out). I other words, if the user navigates to a
different website and uses the back button to get back to my application, he
should have to log in again.

Sacha

 

[tshad]

Hi Tom,

I'm actually working on the same problem at this time and found some good
articles:

http://www.eggheadcafe.com/articles/20030416.asp
http://www.eggheadcafe.com/articles/20030418.asp
http://www.aspfree.com/index.php?option=content&task=view&id=2118

All articles use a similar technique whereby you store the current user's
id in application cache when they log in and remove it when they log out
and it works fairly well.

I'll read those.

I also need to take into account when the session times out. I was looking
at putting a variable in the Application (global.asax) and track that each
time a person logs in. But I ran into problems about when do you take it
out? What if the user never logs out? What about the time out I mentioned?
I would need to know when to remove him. That's why I was looking at the
FormsAuthentication, since that is being kept track of anyway.

The only problem I have now is that my customer wants a user to be logged
out of the system when he uses the same browser to navigate to a different
website (without logging out). I other words, if the user navigates to a
different website and uses the back button to get back to my application,
he should have to log in again.

That would be a problem for use also.

Thanks,

Tom

 

[bruce barker]

FormsAuthentication and Session are not related. you can run one without the
other and they perform different functions.

FormsAuthentication stores a security token in a cookie, and sets it for a
onetime browser session (the browser decides when to expire it).

Session Managers store session data somewhere and store a key in a cookie.
every page hit the cookie expire is updated. if you use the inproc session
manager, it times out the session and releases the session data. in some
cases the session manager may expire the data before the browser expires the
cookie.

as web sites are stateless, it hard to detect who is logged in or not. some
problems you will run into trying to track logins:

1) user navigates from site or closes browser - the server does not know
this, you have to write client code to try to detect and inform the server.

2) if the user creates a new browser window thru the file new window - it
gets the same cookie, so the server does not know two browser are talking to
it.

3) due to nat firewall translation, the ipaddress of the client may change
between page requests.

4) an asp.net recycle clears data stored in Application and inproc sessions


-- bruce (sqlwork.com)




| If I am using FormsAuthentication, is there a way to check who is logged
in?
|
| I want to be able to check at any particular time, not just how many
people
| are logged in, but who they are.
|
| One thing I want to do is not allow someone to log on from one browser and
| then log on again at the same time time from another browser. Or to
prevent
| someone from using the same login at the same time.
|
| Thanks,
|
| Tom
|
|

 

[Sacha Korell]

There's a time out variable in the samples that you can set. I set mine to
the same as the session time out (20 min) so that they tome out at
approximately the same time when the user doesn't do anything.

Sacha

 

[tshad]

FormsAuthentication and Session are not related. you can run one without
the
other and they perform different functions.

FormsAuthentication stores a security token in a cookie, and sets it for a
onetime browser session (the browser decides when to expire it).

But is there a way to query those who were authenticated. I assume the
expiration is set by the timeout value in the web.config file.

Session Managers store session data somewhere and store a key in a cookie.
every page hit the cookie expire is updated. if you use the inproc session
manager, it times out the session and releases the session data. in some
cases the session manager may expire the data before the browser expires
the
cookie.

Does this include postbacks?

as web sites are stateless, it hard to detect who is logged in or not.
some
problems you will run into trying to track logins:

1) user navigates from site or closes browser - the server does not know
this, you have to write client code to try to detect and inform the
server.

2) if the user creates a new browser window thru the file new window - it
gets the same cookie, so the server does not know two browser are talking
to
it.

This is one of the problems I found with Mozilla (Netscape also, I assume).

If I log on using FormsAuthentication, and open a new window (before I close
the first one), I am now in both browsers. Very dangerous if you are trying
to track and control data access.

IE, doesn't do this. A new Browser has to log on again, even if there is
already one open.

3) due to nat firewall translation, the ipaddress of the client may change
between page requests.

4) an asp.net recycle clears data stored in Application and inproc
sessions

I need to find out some way to track who is still around as we have a system
that is set up on the concept of seats. Very difficult to handle if you
don't know who is there (or is potentially there - as you say they could
have closed their browser or left the site). If we allow 10 people access
to certain areas of our site at one time, we need to know who is there.

I know you can't know if someone leaves the site or just leaves turns their
browser off. But if you have a timeout of 20 minutes, there should be some
way of know who has been logged on in the last 20 minutes. I was hoping
there was a way to see if a person was their by their sessions and if their
sessions had expired, they are not there anymore.

Tom