Multiple simultaneous user access with same credentials - asp.net

I have an ASP.NET website where multiple users access the site using the same user credentials. The site functions fine when used by a single user; however, when a second user with the same credentials logs in simultaneously and the first user performs any action (clicks any link, selects any dropdown, etc.), the first user is redirected to the default/login page. I want both users to be able to access the site without any trouble.
Can anyone comment on why this is happening and how it can be solved?

My guess about the reason for this behaviour is the authentication method you are using. Probably when the first user logs in he gets a session ID that authorises him for the following requests.
When another user uses the same credentials to log in, a different session ID is created for that user, so the ID the first user has is not valid any more, and therefore he gets redirected to the login page.


log out a user logged in from different browsers/machines using forms authentication

Consider the case of forms authentication with persistent cookies.
If the same user logs in using two different browsers or two different machines, when the user logs out from one of the browsers/machines, wouldn't he still be able to log in from the other browser/machine?
Usually, how do web applications handle this case?
I have to agree with Srinivas for the most part. Here is my take on the subject:
1. On login, create an HTTP-only cookie with a GUID generated at login; this will be your browser/computer key. Closing the browser will remove the cookie.
2. Get the user ID.
3. Persist the pair in the user table, e.g. user: a, key: 12345.
4. On subsequent requests, in the authentication algorithm after the user has been authenticated:
   - Get the last used key in the DB for the current user ID.
   - Check that the cookie is present; if not, then completely unauthenticate.
   - Check that the cookie value is the same as that in the database; if not, then completely unauthenticate.
With this method any subsequent login will require reauthentication and invalidate any other authentications, in effect forcing the user to use only one browser/computer.
I usually do it this way: I have a session column in my user table (in the database). When the user logs in I store the value Y in it, and I change it to N when he logs out. Every time the user tries to log in, I check the value in the corresponding session column; if it is Y I tell the user that he is already logged in, and if it is N then I allow the user to log in. But we have to be careful to set the value to N when the user logs out or closes the browser.
Forms Authentication with cookies (regardless of whether they are persistent or not) is browser-session based (a persistent cookie would of course work across multiple sessions of the same browser, on the same user account on the same machine). So two browser sessions (or two different browsers, or browsers on two machines, etc.) would be treated as different scopes as far as forms authentication is concerned.
So a user can make multiple logins from different browser sessions, and logging out in one will not affect the others. It is up to the web application whether to allow multiple concurrent logins for the same user or not. For example, online banking sites would restrict to only one user session, so if the user logs in from a different session then the earlier session is invalidated (i.e. the user is logged out). One has to write a custom implementation in ASP.NET to do so. A typical implementation would make an entry for every user session in the database (typically required for audit purposes anyway), so whenever a new entry is added, a check is made to see if there is any active session for the same user, and if so that session is marked inactive. Every request would check whether the current user session is active or not, and if not it would flag such a message to the user.

How do I detect a federated identity from federatedpassivesignin control if the user is logged in at the STS

Hi, I'm using the FederatedPassiveSignIn control on my ASP.NET site (called ChildSite) to get a user identity from an STS which is set up on another ASP.NET site (called ParentSite). The authentication of my site (ChildSite) is set to FormsAuthentication, so the FederatedPassiveSignIn control is located on ChildSite's forms authentication login page.
I have 2 scenarios. In the first the user logs in to ParentSite and continues to ChildSite via a link in ParentSite. In the second the user goes directly to ChildSite and logs in to ChildSite:
Scenario 1:
User opens ParentSite in browser
User logs in to ParentSite
ParentSite displays a link to ChildSite in browser
User clicks link to ChildSite
User goes to ChildSite
Here the user comes to the login page.
The wanted behavior is that the user is seamlessly redirected to the requested URL at ChildSite, as he has already signed in at ParentSite.
Instead the login page is shown and the user has to click the FederatedPassiveSignIn control button to retrieve his identity and then be redirected.
I cannot set the FederatedPassiveSignIn control property AutoSignIn="true". It would always redirect the user to ParentSite when not logged in, and that would break scenario 2.
I wonder how I can detect, or how I can get the FederatedPassiveSignIn control (or other WIF components) to detect, that the user is already logged in, not show the FederatedPassiveSignIn control, and just forward the user to his requested page.
Scenario 2:
User opens ChildSite in browser
User enters credentials in text inputs at ChildSite and clicks log in.
The requested page at ChildSite is displayed.
Am I missing something here?
Cheers,
mortb
The simplest approach would be to add an additional query string parameter to your 4th step in Scenario 1, so that when you finally get to your login page you have an "if": "if the query string parameter is present then AutoSignIn = true".
This is known as "home realm discovery", although your scenario is not typical, as HRD usually involves two or more STSes and here you have to differentiate between the STS and forms authentication.
This looks like a classic SSO scenario. ParentSite and ChildSite should probably be 2 different relying parties. If the user goes to ParentSite, then whenever they hit a protected resource (anything that requires the user to be authenticated), they will be redirected to the STS for authentication. A session is established between the STS and the user's browser, and then the user returns to ParentSite with a valid token (assuming a "happy path").
When they hit a protected resource on the ChildSite (e.g. through a link on ParentSite) they will be redirected again to the STS (e.g. they will be requesting a token specifically for ChildSite, a second Relying Party). This time, because there's already a session with the STS, the authentication step is completed already and a 2nd token is issued. All this works seamlessly for the user.
This chapter of the "Claims Guide" covers this scenario: http://msdn.microsoft.com/en-us/library/ff359102
An additional note: credentials should not be entered in any of the sites, but in the STS.

How about allowing the user to log in at the same time?

In my application, all pages are protected, so users must log in to visit the pages.
And the admin of the system can add users.
Now some people told me that I have to prevent people logging in at the same time using the same account.
That is to say, if there is a user named "John" logged in to the system, other people cannot log in with "John" again even if they know the password.
Also, if one user finds that someone has logged in using the account he wanted, he can make the former user go offline. If so, I have to judge whether the current user has been logged off or not in each page. This is not work that can be done easily.
I wonder if this is necessary?
Since I found that so many websites nowadays do not limit this; for example, you can use the same account to log in to your Gmail/Stack Overflow/Yahoo etc. on different machines at the same time.
So can anyone give me a suggestion?
Update:
Now we use ASP.NET's forms authentication (we do not use Membership yet). And in the t_user table in the database we have columns named "isOnline" and "last_login_time".
When a user logs in, we set "isOnline" to 1 and store the login time.
When another user tries to log in again, we check "isOnline" and the time:
    // 40 minutes is the forms authentication timeout
    if (isOnline == 1 && DateTime.Now - lastLoginTime < TimeSpan.FromMinutes(40))
        thisAccountHasLoggedIn = true;
But suppose a user has logged in and then clears the browser cookies; if he then refreshes the page he will be redirected to the login page, but now he can never log in again before the forms authentication timeout, because "isOnline" in the DB is 1 and the time span from his login to now is not larger than the forms timeout.
I am confused.
In some scenarios, I could understand not having multiple logins, but in reality, I have never had to implement it.
Unfortunately, I do not believe there is a standard mechanism for determining if a user is already logged in, and this would need to be done by additional logic. In our application, we use a database for storing session information, and using this it would be a simple process to see if a session already exists for the user and, if so, not allow login.
Update
I was interested in this myself and found this:
http://msdn.microsoft.com/en-us/library/system.web.security.membershipusercollection.aspx
and this:
http://msdn.microsoft.com/en-us/library/system.web.security.membershipuser.aspx
Using those, it may be possible to get this information with .IsOnline(). However, this does make the assumption that you are using standard ASP.NET Membership.
In the table where you store the user name and password, add a column "status".
When a user attempts to log in, update the status to "Online"; when he logs out, update the status to "Logout".
During login, check the status; if the status is online, terminate the process. This may be an approach to implement this; hope it will help you.
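The two ideas in this thread and in the "log out a user logged in from different browsers" thread above (a per-login key stored in an HttpOnly cookie and on the user row, versus an isOnline flag with a timeout) are easy to compare when modelled side by side. The following is an added example in framework-neutral Python, not code from the answers or from ASP.NET: UserStore, Browser, the user names, passwords and timestamps are all constructed stand-ins for the t_user table, the browser cookie jar and DateTime.Now. It shows that the isOnline check locks a user out for the full forms timeout once he clears his cookies, while the per-login key lets the newest login win and logs every other browser out.

```python
"""Single-session enforcement modelled in plain Python (added example; the
store, browsers and timestamps are constructed stand-ins, not ASP.NET code)."""
import secrets
from datetime import datetime, timedelta

FORMS_TIMEOUT = timedelta(minutes=40)  # forms authentication timeout from the question


class UserStore:
    """Constructed stand-in for the t_user table."""

    def __init__(self):
        self.users = {}

    def add_user(self, name, password):
        self.users[name] = {"password": password, "session_key": None,
                            "last_login": None, "is_online": False}


class Browser:
    """One browser on one machine: its own cookie jar."""

    def __init__(self):
        self.cookies = {}


def login_with_online_flag(store, browser, name, password, now):
    """The question's approach: refuse a login while isOnline is set and the
    last login is younger than the forms timeout."""
    row = store.users.get(name)
    if row is None or row["password"] != password:
        return False
    if row["is_online"] and now - row["last_login"] < FORMS_TIMEOUT:
        return False  # "thisAccountHasLoggedIn": nothing clears it early
    row["is_online"], row["last_login"] = True, now
    browser.cookies["auth_user"] = name
    return True


def login(store, browser, name, password, now):
    """Per-login key approach: a fresh random key replaces the stored one, so
    the newest login wins and every other browser is logged out."""
    row = store.users.get(name)
    if row is None or row["password"] != password:
        return False
    key = secrets.token_hex(16)  # stands in for the GUID in the answer
    row["session_key"], row["last_login"] = key, now
    browser.cookies["auth_user"] = name
    browser.cookies["session_key"] = key  # HttpOnly, non-persistent in real ASP.NET
    return True


def is_authenticated(store, browser, now):
    """Run after forms authentication on every request: both cookies must be
    present and the key must match the one last written to the user row."""
    name = browser.cookies.get("auth_user")
    key = browser.cookies.get("session_key")
    if name is None or key is None:
        return False
    row = store.users.get(name)
    if row is None or row["session_key"] is None:
        return False
    if now - row["last_login"] > FORMS_TIMEOUT:
        return False
    return secrets.compare_digest(key, row["session_key"])


def run_scenarios():
    """Constructed walk-through; returns the observations as a dict."""
    t0 = datetime(2024, 1, 1, 9, 0)
    out = {}
    # isOnline flag: John logs in, wipes his cookies, and cannot get back in.
    store, a = UserStore(), Browser()
    store.add_user("john", "pw")
    login_with_online_flag(store, a, "john", "pw", t0)
    a.cookies.clear()
    out["flag_relogin_after_5min"] = login_with_online_flag(
        store, a, "john", "pw", t0 + timedelta(minutes=5))
    out["flag_relogin_after_timeout"] = login_with_online_flag(
        store, a, "john", "pw", t0 + FORMS_TIMEOUT + timedelta(minutes=1))
    # per-login key: the newest login supersedes the older one.
    store, a, b = UserStore(), Browser(), Browser()
    store.add_user("john", "pw")
    login(store, a, "john", "pw", t0)
    out["a_valid_before_b"] = is_authenticated(store, a, t0 + timedelta(minutes=1))
    login(store, b, "john", "pw", t0 + timedelta(minutes=2))
    out["a_valid_after_b"] = is_authenticated(store, a, t0 + timedelta(minutes=3))
    out["b_valid"] = is_authenticated(store, b, t0 + timedelta(minutes=3))
    # John wipes cookies in browser a: the old key is gone, but a fresh login
    # works immediately and in turn logs browser b out.
    a.cookies.clear()
    out["a_after_clear"] = is_authenticated(store, a, t0 + timedelta(minutes=4))
    out["a_relogin"] = login(store, a, "john", "pw", t0 + timedelta(minutes=5))
    out["b_after_a_relogin"] = is_authenticated(store, b, t0 + timedelta(minutes=6))
    # a guessed key in the cookie is rejected by the constant-time compare
    b.cookies["auth_user"], b.cookies["session_key"] = "john", "0" * 32
    out["forged_key"] = is_authenticated(store, b, t0 + timedelta(minutes=7))
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The key-per-login design needs no "log out" bookkeeping to recover from a closed browser or cleared cookies, because the stored key is only ever replaced, never relied on to be cleared; the user simply logs in again and the stale browser is the one that loses. It also gives the user the "kick the other session off" behaviour the question asks about for free, without a per-page "have I been logged off" poll beyond the comparison that already runs on every request.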

on session start event

I'm building a web application: some pages will be accessible by non logged-in users (demo and sign-up pages) and others will only be accessible by logged-in users (actual application). In the global.asax file, I'm currently handling the session start event by loading some variable from a query that's based on the UserID. What will happen when a non-logged in user looks at a page? I guess my question is really about how to handle the session start event when it's a logged-in user, when it's not and when a user logs in. I want a certain number of queries to run only once per session, after the user logged in.
Thanks.
I would suggest implementing Forms-Based Authentication instead of handling authentication via session. An example can be obtained from here:
http://support.microsoft.com/kb/301240
Don't confuse "login session" with "session state". Session state has nothing to do with whether the user is logged in.
If you want some queries run when the user logs in, you should run them when the user logs in, not in Session_Start.

Prevent multiple user logging into the same domain using the same browser

So it's an ASP.NET problem where two users are using the same machine and the same browser.
User 1 logs in to the domain.
User 1 changes some data without saving it.
User 2 logs in to the domain in a separate tab.
User 1 switches back to his tab and saves the data.
User 1 actually saved the data into User 2's account!!
This is caused by the following mechanism:
Different tabs in the same browser seem to share the same session ID.
We are storing user auth in a cookie, and the cookie is shared between tabs (same domain).
Therefore, when User 1 requests to save, he is recognized as User 2, since the cookie has been updated to User 2.
So I'm wondering if there are any other methods to prevent this from happening, other than:
1. Use cookieless sessions so the session is embedded in the URI.
2. Always include a hidden field in the page to indicate which user owns the page.
Regards,
You could add some fields in the database to track that the user is logged in, and grab their IP address, and restrict access that way.
IE8 has a "New Session" command in the file menu that opens a new window, but that's pretty much like using 2 different browsers.
Hiding the login form until the current user is logged out will raise awareness that another user is logged in, but won't prevent the above scenario. If the logout process could refresh each page in the browser on the domain then it might work, although User 1 would lose all modified data.
I used the trick of opening a new window with a specific name and always making sure that any page will open in that window.
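Option 2 in the question (a hidden field naming the user the page was rendered for) is the cheapest of the listed mitigations, and its essential property is that the server compares the field against the cookie identity on postback and refuses the write on mismatch, rather than trusting either alone. The following is an added example in framework-neutral Python, not code from the question or from ASP.NET: SharedBrowser, Tab, the user names and the profile "database" are constructed stand-ins for the shared cookie jar, the two open tabs and the data store. It replays the five steps from the question first with a save that trusts the cookie alone, then with the owner check.

```python
"""Cross-tab owner check modelled in plain Python (added example; browser,
tabs and the profile store are constructed stand-ins, not ASP.NET code)."""


class SharedBrowser:
    """One browser: every tab reads and writes the same cookie jar."""

    def __init__(self):
        self.cookies = {}


class Tab:
    """One open page; remembers the hidden field the server rendered into it."""

    def __init__(self, browser):
        self.browser = browser
        self.page_owner = None


def login(browser, user):
    """Forms login: the auth cookie now names this user for every tab."""
    browser.cookies["auth_user"] = user


def current_user(browser):
    return browser.cookies.get("auth_user")


def render_edit_page(tab):
    """Server side of the GET: emit a hidden field with the user the page is for."""
    tab.page_owner = current_user(tab.browser)


def unsafe_save(tab, db, data):
    """What the question describes: the postback trusts the cookie alone."""
    user = current_user(tab.browser)
    db[user] = data
    return ("saved", user)


def safe_save(tab, db, data):
    """Postback handler that refuses to write when the page's owner and the
    cookie identity disagree, instead of silently saving into the wrong user."""
    user = current_user(tab.browser)
    owner = tab.page_owner
    if owner is None:
        return ("rejected", "page has no owner field")
    if owner != user:
        return ("rejected",
                f"page was rendered for {owner} but the browser is now logged in as {user}")
    db[user] = data
    return ("saved", user)


def run_scenario():
    """Constructed replay of the five steps in the question; returns observations."""
    browser = SharedBrowser()
    login(browser, "user1")
    tab1 = Tab(browser)
    render_edit_page(tab1)                         # User 1 opens the edit page
    login(browser, "user2")                        # User 2 logs in in another tab
    tab2 = Tab(browser)
    render_edit_page(tab2)
    user1_data = {"email": "user1@example.test"}   # constructed sample input
    unsafe_db = {}
    unsafe = unsafe_save(tab1, unsafe_db, user1_data)
    safe_db = {}
    tab1_result = safe_save(tab1, safe_db, user1_data)
    tab2_result = safe_save(tab2, safe_db, {"email": "user2@example.test"})
    return {
        "unsafe_saved_as": unsafe[1],        # 'user2': User 1's data landed on User 2
        "tab1_status": tab1_result[0],       # 'rejected'
        "tab1_reason": tab1_result[1],
        "tab2_status": tab2_result[0],       # 'saved'
        "safe_db_users": sorted(safe_db),    # ['user2']
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The hidden field is an integrity check, not a source of authority: the write still goes to the identity the cookie proves, and a user who edits the field can only cause his own postback to be rejected. If the site already keeps a per-login key on the user row, the hidden field can carry that key instead of the user name, which additionally catches the same account logging in again in another tab.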
