Number of users

[David Thielen]

7. How do I get the number of users logged in (we will limit the number based
on a license key)? And how do I set how long they have to be idle before
being automatically logged off?

Again, this is for both windows authentication and
AspNetSqlMembershipProvider.

 

[Steven Cheng[MSFT]]

Hi Dave,

As of gettting the numbers of the current online membership users, the
ASP.NET Membership class has a "GetNumberOfUsersOnline" function to do this
task.

#Membership.GetNumberOfUsersOnline Method
http://msdn2.microsoft.com/en-us/library/system.web.security.membership.getn
umberofusersonline.aspx

And based on my research, the SqlMembershipProvider's implementation on
this method is querying the database and compare the LastActiviteDate with
the current Time minusing a certain timespan, This timespan is configurable
through the "userIsOnlineTimeWindow" attribute inthe <membership> element.
Also, you can have a look at the "
aspnet_Membership_GetNumberOfUsersOnline" store procedure in the sql
membership database for detailed code logic.

#membership Element (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/1b9hw62f.aspx

Also, as for forms authentication, if you're not using persisted cookie,
the timeout of the authenticated token(by default store in cookie) is
specified through the "timeout" attribute in the
<forms > setting:

#forms Element for authentication (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

Hi;

Is there any way to get this in the windows authentication mode? I am
guessing no since there is no DB involved.

And if not, is there a hook where I can get a call each time a user requests
any page so I can then track last access for windows authentication?

 

[Brock Allen]

And if not, is there a hook where I can get a call each time a user

requests any page so I can then track last access for windows
authentication?

In global.asax you can have an event called PostAuthenticateRequest which
is the step in the ASP.NET plumbing where the user is known. This executes
prior to the pahe being executed so if the users have exceeded their allowed
access you can terminate the request via HttpContext.Current.ApplicationInstance.CompleteRequest().

-Brock
http://staff.develop.com/balle

 

[David Thielen]

Hi;

This does look like the place to see if this user is 1 too many. But how do
I tell if a user that was authenticated 2 hours ago has been hitting the site
every 5 minutes since then - or never again?

Is there a way to set the session length and get an event when it times out?
And once that happens, will they then hit this authenticate event again when
they go to the site again?

 

[David Thielen]

Sorry - another question.

Ok, so they are user N+1 - I need to send them to a page to tell them that.
How can I set up my site so they can only go to that 1 page?

 

[Steven Cheng[MSFT]]

Hi Dave,

As for windows authentication, it has different authenticate mechanism
which is quite different from FormsAuthentication(Membership service), it
depend on the windows authentication in IIS and the token forwarded from
IIS. And windows authentication doesn't use cookie to cache the
authenticated user token on client-side. And the "PostAuthenticateRequest"
event of the HttpApplication(global.asax) class Brock mentioend is one
possible place to hook he authentication event for each comming ASP.NET
request.

And as for
==============
Is there a way to set the session length and get an event when it times
out?
And once that happens, will they then hit this authenticate event again
when
they go to the site again?
==============

I'm afraid there is no such event which will actively call you when a
certain authenticated user's "logon session" has expired. Because for
windows authentication ,there is no such timeout, the session ended after
each request finishes. While for formsauthentication, the authenticated
token is stored in client-side cache, therefore only when the user request
the application again, the applicaiton has chance to check its token in the
cookie, if invalid(expired or corrupted), redirect the user to the login
page.

I'm still not quite clear on your new questions (below), would you provide
some further explanation?

==================
Ok, so they are user N+1 - I need to send them to a page to tell them that.
How can I set up my site so they can only go to that 1 page?
=================

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

Hi;

What I need to do is as follows. When we ship our product, a customer will
purchase it based on the number of concurrent users. So if they purchase a 5
user license, we allow 5 users maximum at the same time. If a 6th user tries
to access the portal, we don't allow it.

So when a user first connects (for windows authentication as you pointed
out, they don't really login, they just connect), we need to then track that
we have 1 user. If they don't request any page for N minutes, then we no
longer count them and the number of users connected drops by 1.

We need to do this for both windows authentication and forms authentication.

I was hoping that the session object that is created for each session had a
timeout that could be set and was generally 20 or 30 minutes. Then if we
could get an event when it is first created (to disallow the session if there
are alread N user sessions), and when it is destroyed (to drop the user
count), then we could implement this using those events.

Do you have a suggestion as to how best to implement this?

 

[Steven Cheng[MSFT]]

Thanks for your response Dave,

As for your scenario, if you're using formsauthentication with
membership(such as SqlMembershipProvider), I think you will need to extend
the SqlMembershipProvide, add some custom field for the Membership user.
For example, you may consider add a company or license id so that we can
add new functions like "GetAllOnlineUsersByCompanyID" or "xxxbyLicenseID"
(it rely on underlying Stored procedure or T-SQL statement in database...).
And we use this info together with the default membership User's IsOnline
field to check whether a certain client user/company or license has exceed
its concurrent (online) limitation.

As for windows authentication, I'm afraid I don't think this is easy to do
it . Is it used in intranet scenario if using windows authentication?
Personally, I don't think we can track a windows user's online status
through ASP.NET code. The only thing I can get is track the client user in
HttpApplication's events. For example, we mark a windows user as active
when found it in the HttpApplication.AuthenticateRequest event, and remove
the mark in the "ReleaseRequestState " event (or any other event):

#HttpApplication Events
http://msdn2.microsoft.com/en-us/library/0dbhtdck(VS.80).aspx

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Steven Cheng[MSFT]]

Hi Dave,

How are you doing on this, have you made the decision on how to implement
this part? Please feel free to post here if there is anything we can help.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

Hi;

I'm still trying different things. Will let you know.

 

[Steven Cheng[MSFT]]

Sure Dave,

Please feel free to let me know if you meet any further difficulties or
questions so that we can discuss together.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)