I'm new here.
I have a problem like this: I created a Register page in ASP.NET (C#) which allows guests to register an account on my site. All users must activate their account before using my website; if, after 15 minutes, a user hasn't activated the account by mail, that user is deleted from the database. My problem is how to do it automatically?
Rather than using a timer to remove a user, I would use a more conventional approach of having an expiration time for the user (or perhaps their password). That is, when they first register, assign an expiration for 15 minutes after the present time (e.g. in a column ExpirationDate in the user table). In your authentication process, the logic should validate that the user's ID has not expired.
The problem with using a timer is that many things can go wrong. For example, if your application restarts, any active timers will be lost. It's very brittle. It's also kind of using a hammer to kill a fly. It's not necessary to ensure that someone's user record is removed immediately from the database after 15 minutes. It's only necessary to make sure they can't authenticate after that time. So make the design match the business purpose in the easiest possible way. If you really want to delete records (rather than, say, give them a chance to try again after resetting a password or something) then you can do this with some external maintenance process.
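The expiration-based design from the answer above, as an added example that is not code from the original posts. The class and member names other than ExpirationDate are hypothetical, the dictionary stands in for the user table, and the current time is passed in by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: the dictionary stands in for the user table (hypothetical names).
public sealed class User
{
    public string Email { get; init; } = "";
    public byte[] TokenHash { get; init; } = Array.Empty<byte>();
    public DateTime ExpirationDate { get; init; }   // UTC; column name from the answer
    public bool IsActivated { get; set; }
}

public sealed class AccountService
{
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(15);
    private readonly Dictionary<string, User> _users = new(StringComparer.OrdinalIgnoreCase);
    private static byte[] Hash(string s) => SHA256.HashData(Encoding.UTF8.GetBytes(s));

    // Returns the token to e-mail (only its hash is stored), or null if the address is taken.
    public string? Register(string email, DateTime nowUtc)
    {
        if (_users.TryGetValue(email, out var old) && (old.IsActivated || nowUtc <= old.ExpirationDate))
            return null;   // never overwrite a live or still-pending account
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _users[email] = new User { Email = email, TokenHash = Hash(token), ExpirationDate = nowUtc + Window };
        return token;
    }

    // Activation link handler: the 15-minute limit is enforced here, with no timer.
    public bool Activate(string email, string token, DateTime nowUtc)
    {
        if (!_users.TryGetValue(email, out var u) || u.IsActivated || nowUtc > u.ExpirationDate) return false;
        if (!CryptographicOperations.FixedTimeEquals(Hash(token), u.TokenHash)) return false;
        return u.IsActivated = true;
    }

    // Login path: an account that was never activated cannot authenticate.
    public bool CanAuthenticate(string email) => _users.TryGetValue(email, out var u) && u.IsActivated;

    // Optional external maintenance job: delete rows that expired unactivated.
    public int PurgeExpired(DateTime nowUtc)
    {
        var stale = _users.Values.Where(u => !u.IsActivated && u.ExpirationDate < nowUtc).Select(u => u.Email).ToList();
        foreach (var e in stale) _users.Remove(e);
        return stale.Count;
    }
}
```

An expired, unactivated row is harmless until PurgeExpired runs, and Register lets the same address sign up again once the window has passed.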
If the user is already logged in and tries to log in again on a different device or browser, then the existing session needs to be logged out.
I am using Identity Server 4 in my application.
Which mechanism or steps can we use to achieve this?
My startup code:
    services.AddIdentity<UserIdentity, UserIdentityRole>(options =>
        {
            // Basic built in validations
        })
        .AddEntityFrameworkStores<IdServerDbContext>()
        .AddDefaultTokenProviders();
Any help would be appreciated
Thanks in advance.
I remember that I was thinking about a similar feature for a website I was developing, that also used Identity Server. If I recall correctly then there isn't anything for this built into Identity Server. But, that doesn't mean you can't code it.
One way would be to keep an integer-based log-in counter for the user and increment that each time the user signs in.
Let's say, Bob, signs in on his phone. This is the first time he signs in, ever. Bob's record in the database, has a column that is called SignInCounter and it's now set to '1'.
Now if Bob signs in on his PC, let's say an hour later, we set the SignInCounter to '2'.
Now all you need to do is check whether the claim value for SignInCounter matches the value that's in the database. It can easily be done on a per-request basis, by using middleware. If it doesn't match, show an error page, sign out the user, whatever fits your case.
I really wouldn't recommend this though. It doesn't scale and also generates +1 database call per request, but hopefully this gives you a general idea how to solve the problem.
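The counter check described in the answer above, as an added example that is not code from the original post. SessionCounter and its in-memory dictionary are hypothetical stand-ins for the SignInCounter column; in a real application IsCurrent would be called from middleware on each request. After Bob's second sign-in, the principal issued to his phone no longer matches the stored value while the PC's does.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;

// Added example; the dictionary stands in for the SignInCounter column in the user table.
public sealed class SessionCounter
{
    public const string ClaimType = "SignInCounter";
    private readonly ConcurrentDictionary<string, int> _counters = new();

    // Call on every successful sign-in: bump the counter and stamp it into the claims.
    public ClaimsPrincipal SignIn(string userName)
    {
        int value = _counters.AddOrUpdate(userName, 1, (_, old) => old + 1);
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimType, value.ToString())
        }, authenticationType: "Cookies");
        return new ClaimsPrincipal(identity);
    }

    // Call on every request: only the most recent sign-in still matches the stored value.
    public bool IsCurrent(ClaimsPrincipal principal)
    {
        string? name = principal.Identity?.Name;
        string? claim = principal.FindFirst(ClaimType)?.Value;
        return name != null
            && int.TryParse(claim, out int claimed)
            && _counters.TryGetValue(name, out int stored)
            && claimed == stored;
    }
}

public static class Program
{
    public static void Main()
    {
        var counter = new SessionCounter();
        ClaimsPrincipal phone = counter.SignIn("bob");   // first sign-in, on the phone
        Console.WriteLine(counter.IsCurrent(phone));
        ClaimsPrincipal pc = counter.SignIn("bob");      // second sign-in, on the PC
        Console.WriteLine(counter.IsCurrent(phone));     // re-check the phone's principal
        Console.WriteLine(counter.IsCurrent(pc));
    }
}
```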
I looked around for this issue and have found two approaches: use a database table to log users logging in and remove the entry when they log out or the session ends; or use Membership.GetNumberOfUsersOnline(). I tried the Membership version first, but when I log in it shows the number to be zero (I am using form-based authentication, using AD in an intranet web application and using Oracle DB).
I also created a table having the user's ID (what is stored as aspnet_user's username), their aspnet_user's userid, login time stamp and logout time stamp. When a user logs in, I add an entry, and when the user logs out, I remove the entry. The problem here is that if the session ends and the Session_End() event is called, I have no way of accessing the user's ID (stored in a session var) in order to remove the correct entry from the table.
In membership, it records certain dates when you login and create activity that update the membership user, and I think the default behavior is to use that... if you are using a custom membership provider, make sure that default behavior is preserved.
Alternatively, if you want to roll your own, to determine the number of users online, every time the user takes an action that posts back, update the time on the user record, and then create a query that checks within a relative amount of time. Session_End is not a perfect way to determine if a user is online or not, because it may not always fire. Users don't always click the explicit logout button either, so that may not be a good indicator as well. But since session is 20 minutes, checking where an activity occurred within the last 20 minutes is a rough indicator of logged in users...
I am trying to find out in my asp.net application the users that are currently logged in the application by searching on the session info. Currently, I am only able to see my current session, but I cannot find out if there are other users using it. Is there a way to see if there are other users using the application by looking at the session information
Session state is per user - Application state (global) seems to be what you're looking for.
There are 2 hashes Session and Application, in which you can store key-value pairs.
A way to do it would be to update Application[UserNamesList] whenever there is a successful login. This would then be visible to all users. Application state would however be lost whenever the App Web Server recycles or restarts... but that shouldn't be a problem in this case.
A session is supposed to only give you information about the currently logged-in user.
If you need to keep track of all logged-in users, you could consider writing the users into a global variable. Here is info on how that works. Note that sessions expire. You would have to write, for each user, the time the user was last seen (i.e. each time they hit a new page, update their record). When the time they were last seen is greater than your session timeout, it's safe to assume they are no longer logged in and you can remove them from the list of current users. If they just up and close their browser, you will not be alerted and you will still think they are logged in even though they are not.
How do I keep checking if a user is still active, like every 1 minute? I need to know which user is currently active and who is not! I'm not using the ASP.NET membership provider!
Let's say a maximum of 3 logins are allowed for one user, simultaneously from 3 different locations; if the same user tries to log in a 4th time from another location, I would like to block the 4th login.
I have a few issues regarding this as well! If the user unplugs the connection cable or closes the browser, how do I figure out if the user is still active?
I would need more detail about exactly what you are trying to accomplish, as you have asked a fairly vague question. However, I would think the best way to determine if a user is active is to check if their ASP.NET session is still alive. There is no "accurate" way to test if a user is still browsing your site, because they could be sitting there reading, or be AFK, or be in another program on their computer...dozens, if not hundreds of scenarios could exist on the client side.
However, the user's ASP.NET session will only live for a specific period of time between each activity from the user (GET, POST, etc.). Usually after 20 minutes, ASP.NET will clean up the user's session, and when it does, it will fire a Session_End event that can be handled either in Global.asax, or with a custom HttpModule. You would then be able to flag that user as inactive in your own database, send an email, or do whatever it is you need to do.
You can use the HttpResponse.IsClientConnected property to check if the user is still connected to the session. For details see this -->
http://msdn.microsoft.com/en-us/library/system.web.httpresponse.isclientconnected.aspx
Alternatively, you can set a counter at Session_OnState at global.asax to check for the active session available and do your stuff based on that.
I've got an existing site I'm taking over, and right now it stores, in a session variable, the id of the currently logged in user (if logged in at all -- otherwise I'm sure it is empty string or null or something).
The client now wants, after someone is logged in, to "keep" them logged in on that computer for an indefinite amount of time.
ASP.net Sessions have a maximum idle time of 1 day, I believe. The website isn't written all that well in the Flash portion (whole front end is flash) and the flash will process a login, then, as long as the flash isn't reloaded, assume that the user is still "logged in".
I think my solution is to ALSO store a client side cookie with some GUID value and hold in the database the associated user id...sort of like a session that never expires. So, when the page is loaded, I can check my cookie, use that to select the userid out of the database, and if we find one, then set the session value that says user 23 is logged in.
Does anyone see any issues with this perspective? Would you recommend something different? I really don't want to refactor a bunch of the existing code, but just slip this in on top...
PS -- security is not really a concern. The only reason they have people log in is so we can track orders by a person, but no money changes hands through this website. There is also no personal information that a user can view or edit, either.
This is how I do it. I actually have a cookie that holds their login and password, this way I can automatically log them in should they not be logged in. I expire the cookie after a couple of days of inactivity. The downside is that everyone forgets their password because the only time they really have to enter their password is when they come back from extended time-off.
This is for an internal application, with the same customer demands that you have and this works ... and makes the customer happy.
One thing we may end up doing is just using Windows authentication, might actually work better in this circumstance.
That's the way I do it, but the problem with it (at least I think it's a problem) is that when you store the username and password in a cookie there is not any encrypting when you add the cookie. If you look at the cookies in your browser the username and password are displayed there plain as day. Is it possible to get some kind of encrypting on the cookies you store? Or how would you handle this?
Check this blog posting out http://timmaxey.net/archive/2009/03/06/asp.net-cookie-auto-log-in.aspx Basically you need to save the cookie with a GUID, a series, and a token. The token, in my case, changes all the time; the series is something that is generated based on something, like the GUID and ID combo or whatever; then the GUID is always stored with the user. There is a cookie table to store this info, etc. Pretty secure, not 100%, but pretty good... Tim Maxey
I recommend using the Enterprise Library Crypto App Block to store an encrypted cookie which is nothing more than a GUID. Get the GUID, and use a session table in the database to track user info.
At the session start event, get the user info and cache it.
Using the session object is not recommended for user info because it won't work on a web farm, unless you use a database for session state.
You're basically rolling your own session state at that point, and I'm fine with that. However, I would not go the route of storing the username/password in a cookie (even if encrypted). There's no way to expire that from the server-side. You can always remove your row in the table to force a user to log in again, but if they hold the username/password they hold the keys to the kingdom.
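An added example, not code from any of the posts above, of the persistent-login cookie the last few answers describe: the cookie carries only a random series id and a token that changes on every use, the server keeps a hash of the token in a "cookie table", and deleting the row expires the login from the server side. RememberMeStore, the 30-day lifetime and the in-memory dictionary are assumptions; revoking all of a user's rows when a known series arrives with a stale token goes beyond what the posts state.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: in-memory stand-in for the "cookie table"; all names are hypothetical.
public sealed class RememberMeStore
{
    private sealed record Row(int UserId, byte[] TokenHash, DateTime ExpiresUtc);
    private readonly Dictionary<string, Row> _rows = new();              // key = series id
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(30);   // assumed value

    private static string NewId() => Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
    private static byte[] Hash(string token) => SHA256.HashData(Encoding.UTF8.GetBytes(token));

    // Called after a normal password login; returns the cookie value "series:token".
    public string Issue(int userId, DateTime nowUtc)
    {
        string series = NewId(), token = NewId();
        _rows[series] = new Row(userId, Hash(token), nowUtc + Lifetime);
        return $"{series}:{token}";
    }

    // Returns the user id and a rotated cookie, or null if the cookie must be rejected.
    public (int UserId, string NewCookie)? Redeem(string cookie, DateTime nowUtc)
    {
        var parts = (cookie ?? "").Split(':');
        if (parts.Length != 2 || !_rows.TryGetValue(parts[0], out var row)) return null;
        if (nowUtc > row.ExpiresUtc) { _rows.Remove(parts[0]); return null; }
        if (!CryptographicOperations.FixedTimeEquals(Hash(parts[1]), row.TokenHash))
        {
            RevokeUser(row.UserId);   // known series, stale token: treat as a copied cookie
            return null;
        }
        string token = NewId();       // single use: rotate the token on every redeem
        _rows[parts[0]] = row with { TokenHash = Hash(token) };
        return (row.UserId, $"{parts[0]}:{token}");
    }

    // Server-side expiry: delete the rows and every outstanding cookie stops working.
    public void RevokeUser(int userId)
    {
        foreach (var s in _rows.Where(kv => kv.Value.UserId == userId).Select(kv => kv.Key).ToList())
            _rows.Remove(s);
    }
}
```

On page load the site would call Redeem with the cookie value, set the session's user id from the result, and write NewCookie back to the browser.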