How to catch user closed window without logging out of application - asp.net

My requirement is user should not log in from multiple browser or system simultaneously in application. For this I maintained the flag in database, so whenever user is logged in I am updating flag as yes and when he logged out I am updating it as no.
My issue is if user close the browser window without logging out from application then I am unable to update the flag. So next time when user try to logging in application, It is saying user is already logged in.
I tried using Onbeforeunload event in master page, but whenever I am changing the menu in my application. It is firing that event. For updating the flag I used page methods. But this is not working properly.

I would say, send often via a ajax call to your API that a 'ping' to confirm you are still online. If there is no ping or page change after 3 minutes, I consider the user has been logged off and it sets him as "logged off" in database.
At least, I do this using javascript, but i'm sure you can also in your client-side part of the ASP.NET app you are making.

You can't handle this only by client-side code, using e.g. beforeunload, because the page/browser may be closed for many reasons (e.g. lack of electricity).
What you can do is:
Scheduler on your backend which verifies whether an user did some action since e.g. 1min. In that case you have to update information about user action in your DB after every ajax requests (Hugo Regibo suggested ping requests).
Disadvantage od this solution is this period - when an user turns off the page then he will be not able to log in again for 1min.
Instead of a scheduler you can verify logged-in users (I assume you keep them in a DB table) after each requests.
Use web sockets, you will have continuous connection and you will be notified about closed connection immediately. Disadvantage of this is web sockets don't scale so good as stateless HTTP.
Besides that I don't know whether you use iis with a session provider or not? And when an user closes the page and opens it again should be able to log in with his saved credentials. You should write more of how your project looks like.

I would do it by saving a Session object for each login call. A session ID would then be stored in the user's cookie or authentication token. Each call to the system would validate the user via their session ID. If that session has been invalidated, they just get sent to the login prompt. Whenever the user logs in, it invalidates all of their other sessions.
This way the user could be in their browser on their machine, navigate away, close the browser, and come back to find their session still alive without having to log back in. But, if they log into another machine, then their old session would be invalidated.

Related

MVC manage session

I am using an MVC app to manage authentication. The issue I have is with chrome because it never actually kills the session because it runs in the background after it closes by default. I do not want to enforce all the end users to change this setting because then it will kill hangouts etc.. So I am wondering if I can use any standard web.config setting to handle this or do I need to make an ajax polling interval to keep updating the cookie expiration?
The ASP.NET session consists of 2 components the client-side http session cookie and the server's session storage provider. Suppose user has SessionId 1. If you delete session 1 from the server, the user returns and a new session is created with SessionId 1. If the user deletes the session cookie, the server keeps running session 1.
What you're asking for is generally not possible. There's no way you can force a user to send a request to your server when they are exiting your site or the browser. There is the javascript beforeUnload event which in some situations would allow you to send a request to /sign-off in some situations. The obvious limiter is no network access = no message.
The standard resolution for orphaned sessions is for session scavenging policy to clean them up. Some developers choose to use persistent storage to eliminate scavenging altogether such that a shopping cart would never disappear.
The only reasonable solution (which is still overkill) that would reach your goals. You use SingalR for a persistent connection of the user to the server and you ping them from the server. If the connection fails to respond you abandon the session. This will be a fragile process and if you don't make very very sure the user is disconnected you will have lots of support calls from users wondering why they are continuously logged out while browsing your site on cell phone.

Session variable dropped .net

I have a web application (.net VB code) that utilizes session variables to store the username (here login name) and the profile (admin/client), authentication is handeled by asp membership. The application then relies on these session variables on the load events. This application has been running fine for a couple of years. However, recently users complain about occasional error messages after logging in and attempting to load a new page that needs one of these variables. It happens most frequently Chrome, but also IE and Firefox.
Users that experience the error need to log out and clear the browsing history, after that it works again. The error is not easy to replicate - I was able to trigger it on my machine 'violently' using the 'back' button a couple of times that eventually tripped it - then I had to clear my browsing history to get the application to work again.
What might cause this to happen?
the session gets set on the load event of the 'login' page with 'Session("Type") = "Admin"' and subsequent pages check for the value of Session "Type"
I understand that I could use a cookie instead, but I chose not to for security reasons. Could this be prevented using a cookie instead? or do I need to use the membership.getuser method to get the username and then look up the values in the database? That does not seem efficient.
Ideas?
FYI, the ASP.NET Session ID is stored in a cookie that travels back and forth with each request/response. The actual session state values for a given session are not stored in cookies ... they are stored on the server only. They could be stored in memory, or in a SQL database, depending on how you've configured ASP.NET Session State.
But Session State can get destroyed for a variety of reasons. IIS might suddenly decide to restart your Application Pool, for example, in which case all your Session State would be gone.
Basically, you need to write your web app to always handle the possibility that Session State may be empty. If it is empty, then you probably need to redirect the user to the login screen to enter his credentials again.
Clearing the browsing history should have no effect, so I can't explain why that would help get past the problem.

Worklight keeps HTTP request active when user is logged out

I have an issue with Worklight 6.1. I will describe the scenario below:
User logs in the app and a new session is created for him. Then he stays inactive for some time until the session times out. When clicking on a button, an HTTP request is performed towards an HTTP adapter. However the Worklight server (Liberty) sees that there is no active session for this user and returns the appropriate response that the user is logged out and the user is redirected to the login page. This is correct up to here.
When the user logs in again and is redirected to the landing page, the previous request seems to have been cached and is performed resulting in an error as the necessary information is not yet available. How can I prevent this request from occruring when the user re logs in?
Thank you.
it's not possible to prevent the original request from re-sending after authentication.
The logic of the authentication and the logic of the application are separated and the result of a successful login will be the invocation of the original failed invocation.
What you can do is add to the adapter procedure implementation the logic that makes sure all the information is available, and if not - send an empty response to the client and in the client do whatever you want to do when the data is missing.
This should be done for all the procedures that rely on the session state.

Managing Session Timeouts in ASP.NET when using ASP.NET GenericHandlers

For example I have a web application using jQuery as a framework on the client side. Now most of the pages are functional by means of using AJAX and communicate to the server by means of using Generic Handlers (.ashx).
Now I have a problem that I am asking this to see what is the best solution for handling these request when my user session expires.
For example, a user logged in, left his browser for 15 minutes and then he pressed a button that this will create a request to the handler, now from the server side when I try to read a session variable obviously it will be empty (session expired). What is the best way to redirect the user back to the login page.
We address this situation by a slightly different approach. Instead of trying to make all the jQuery calls deal with this kind of error condition, we have implemented a parallel timeout system on the client using javascript. A minute before the ASP.NET Session would time out, we pop up a dialog on the browser to warn the user "You have been inactive and are about to be logged out. Click here to remain logged in." We included a little countdown in the dialog also. If they click to stay logged in, we send another jQuery call to the server to reset the session timeout.
So, unless the user has javascript disabled (in which case, the app doesn't work anyway), there is not a possibility that we make a jQuery call after the ASP.NET session has timed out.

How to clear SSL state in browser when user's session expires?

I'm working on an ASP.NET application where our users authenticate using client certificates over HTTPS. Our users are only using IE7.
Once a client certificate has been used to authenticate successfully it stays in the browser's SSL cache until the process is closed or the user manually clears the SSL cache. We want to be able to clear the SSL cache whenever a user logs out, or their session expires, to improve the security of the system.
Our clients already use smartcards to access the system, which unload certificates automatically when the card is removed from the client computer, but this does not clear the browser cache at all, leaving a potential avenue of attack from another user who had access to the same machine as the genuine user.
I've found out how to do the actual cache clearing from JavaScript:
document.execCommand("ClearAuthenticationCache");
which works perfectly when a user explicitly logs out, as we can execute the script on the client before allowing the user to log in again.
NOTE: IE7 only lets the cache be cleared programmatically when HTTP Keep-Alives are disabled on the web server.
Here's the tricky bit - if a client's session expires, I don't know of any way to handle this in the browser before the user tries to login again. I can't clear the state when they get to the login page, because I need the state cleared and a new certificate chosen before the page executes on the server.
Any ideas? Apologies for length of question, but background is important for this one.
Never mind, I came up with a good solution:
When the user successfully logs in, we create an additional session cookie that doesn't expire until the browser is closed.
If the user comes back to the login page later and the request is unauthenticated, we check for the existence of the session cookie - if it exists, we know that the user has previously had a session, so we explicitly log them out, exactly as we do for the user-initiated logout. If the session cookie doesn't exist then we attempt to automatically log the user in using their certificate.
The custom session cookie is deleted for each explicit log out, and re-populated for each successful login.
This gives us the best experience for the user, and guarantees that a certificate will be cached only as long as a session is still valid (15 minutes, sliding). Also, the session cookie cannot be removed by the user so there is no way to bypass this behaviour. They can't use the site without accepting session cookies either.

Resources