Licensing: Managing Concurrent logon in a web application


Paul Kinlan

Aug 14, 2008, 8:53:08 AM
to liverpoolus...@googlegroups.com
Hi,

We have an ASP.NET application which has licensing aspects that mean we have to only allow a user to log on once per session; that is, in theory a user can't log in to the application from another machine at the same time.

What experiences have people had (if any) managing this type of licensing? Our solution (which is flawed) sees us managing a login table that, when the user logs out, removes their entry; however, being browser based, we can't determine if a user instance crashes on the browser side, closes the browser between page navigations, or something else happens that means we can't detect a user logging out.

Paul.

Thom Shannon

Aug 14, 2008, 9:17:07 AM
to liverpoolus...@googlegroups.com
Rather than try to detect a user logging out, when the same user logs in somewhere else, terminate the first session, so on the next request they're denied.
--
*** OPEN COFFEE - http://upcoming.yahoo.com/event/833196/ ***

Terms & Conditions Apply: http://www.glow-internet.com/home/terms.aspx

Glow New Media
t: 0151 707 9770
m: 07730 987 574
www.glow-internet.com

Suite 712 Gostins Building
32-36 Hanover Street
Liverpool
L1 4LN

Map: http://tinyurl.com/2f5nxd
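
The approach suggested in this reply, sketched as an added example that is not part of the original thread or either poster's code: each login overwrites the user's single active token, and every request is checked against it. The class and method names are hypothetical, and the in-process dictionary assumes one node; on a web farm without shared session state (raised later in the thread) the same map would have to live in a shared store such as the login table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;
// Hypothetical registry: one active session token per user, newest login wins.
public sealed class SingleSessionRegistry
{
    // userId -> token of the only session currently allowed for that user.
    private readonly ConcurrentDictionary<string, string> _active =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call after credentials are verified. Overwriting the entry is what ends
    // the earlier session, so a crashed or closed browser needs no cleanup.
    public string Login(string userId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _active[userId] = token;
        return token; // issue to this browser alongside the auth cookie
    }

    // Call on every authenticated request; false means sign the caller out.
    public bool IsCurrent(string userId, string token)
    {
        return token != null && _active.TryGetValue(userId, out string current)
            && string.Equals(current, token, StringComparison.Ordinal);
    }

    // Removes the entry only if it still belongs to the caller, so a late
    // logout from a superseded session cannot end the newer one.
    public void Logout(string userId, string token)
    {
        ((ICollection<KeyValuePair<string, string>>)_active)
            .Remove(new KeyValuePair<string, string>(userId, token));
    }
}
public static class Demo
{
    public static void Main()
    {
        var registry = new SingleSessionRegistry();
        string a = registry.Login("alice"); // constructed user id, machine A
        string b = registry.Login("alice"); // machine B; A never logged out
        registry.Logout("alice", a);        // stale logout arriving from A
        Console.WriteLine("A allowed: " + registry.IsCurrent("alice", a)
            + ", B allowed: " + registry.IsCurrent("alice", b));
    }
}
```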

Paul Kinlan

Aug 14, 2008, 9:22:41 AM
to liverpoolus...@googlegroups.com
Cool, that's along the lines that we were thinking for a possible solution. The problem is that we would have to check the login table each time a page is loaded, and also the same user is allowed to log in multiple times if it is actually them on the same machine.

I was wondering if we could reliably ascertain the user from browser attributes?

I am arguing that we just get rid of this whole requirement (and thus remove a lot of code), and monitor user usage to see if there is much overlap of concurrent logins, and talk to the clients to say they are violating the licence.

Paul.


Thom Shannon

Aug 14, 2008, 9:42:20 AM
to liverpoolus...@googlegroups.com

> Cool, that's along the lines that we were thinking for a possible solution. The problem is that we would have to check the login table each time a page is loaded, and also the same user is allowed to log in multiple times if it is actually them on the same machine.

You could do it in memory. If they're logging in on the same machine, wouldn't it be the same session?

> I was wondering if we could reliably ascertain the user from browser attributes?

As in to identify them? Tying the account to a machine? You could do that with a cookie, but then the cookie could be copied; there isn't anything you can really do to uniquely identify a browser.

> I am arguing that we just get rid of this whole requirement (and thus remove a lot of code), and monitor user usage to see if there is much overlap of concurrent logins, and talk to the clients to say they are violating the licence.

I guess that depends on the size of the user base and whether you've got the resources to manage them all like that. It's probably the best idea though!

Paul Kinlan

Aug 14, 2008, 9:59:02 AM
to liverpoolus...@googlegroups.com
Sessions aren't guaranteed to be on the same machine (web farms etc.), we don't use a shared session either, and also each time you log in from a different browser instance you would get a new session id... In short, it is a PIA! :)

We were thinking a cookie too. It is unlikely that our clients would duplicate them; however, you're right, if they wanted to abuse the licensing they could and probably would just copy the cookies.

The resource at the moment is taken up by constantly deleting entries from the login table when it breaks... The thing is, though, clients are enterprises and buy large sets of licences, so we could easily tell if they were abusing the system: a large company buys one licence... hmmm... suspicious. :)

I heard there is a company that takes 52 unique attributes to identify a person, so I was wondering if there is something similar that we can do. We already have forms authentication validation using a variety of factors... we should probably extend that.

Paul.



Thom Shannon

Aug 14, 2008, 10:14:44 AM
to liverpoolus...@googlegroups.com
Do you route requests in the same session to the same node? Is that based on the ASP.NET session cookie? You could route them based on the user id; then they would be on the same machine.

I've tried to identify a user without cookies before, using a combination of IP address and user agent string. It's not very robust but worked OK for what I needed. The problem is that users in the same company are very likely to appear with the same IP and identical user agents, along with the same screen resolution and anything else you may be able to detect. If you wanted, you might be able to disassemble the packet headers and get the MAC address of the machine inside the network, lol :)

Paul Kinlan

Aug 14, 2008, 10:29:24 AM
to liverpoolus...@googlegroups.com
Unless they are NATing and all using the same MAC address.

To be fair, we can have server affinity, but I am pretty sure that if you have a completely new IE instance it won't share the session cookie from another instance, so we couldn't easily shut another session down (not that I know anyway)... I don't think we store the cookies for any amount of time for information security reasons.