Kill ASP .NET user session from admin session - asp.net

I own a gaming website. From time to time I need to suspend users for different reasons. They cheat or they are bad users with bad intention. After suspending users, they can't login anymore on my site, until the suspend period expire.
However, after suspending an user he still can acces the site, can chat with other users, can create forum posts, can do everyting, that's because he remain logged in on the site. I can't do nothing to this and most of the time I need to restart IIS in order to get rid of bad users.
Is there anyting I can do to kill an user session from my ASP .NET session ? I am against using SQL to store user session variables.
I prefer to check an ASP .NET session/application variable on every user request, and if that variable contain the ID of suspended user, to logged out him immediately.

You can't acess the session in the way you want. What you could do is keep a list of suspended users in the application cache. On each page request, and each login attempt, you can do a lookup on the list to see if your current user is suspended. If he is, you can then log him out and abandon his session, or prevent the new login.

Related

Restrict Multiple Login of same user across 2 Web Applications

We have got requirement to restrict concurrent login of same user across 2 Web Applications.
We have 2 Web Applications for example: WebApp1, WebApp2.
User: Dashboard
If Dashboard user is logged into WebApp1 then the same user is not allowed to login to WebApp2 instead show error message on second login.
Tried Solution:
Block 2nd login with same user id if there is an active session and show error message to user.
The idea is to maintain user id, Application Name and session id in DB. On second login of same user check if record exist in DB table against the user id then block 2nd login and show error message to user.
Clear the DB record (UserId, Session Id, and Application Name) in following
scenarios:
Logout
Session Timeout
Restart of Application.
Not Sure how to handle below scenarios.
Close Browser.
Browser Crash
System Crash
If 2nd login request is from valid user then Admin should able to Invalidate the session of first login as this user is attacker.
what is best way to invalidate Http session of WebApp2/ WebApp1?
If you really need to know the state of the first session, I would skip trying to manage sessions in the server, and instead maintain a heartbeat from the client. Have the client make a request every 5 seconds to the server which updates a "Last Seen" record, which includes their IP address and which app they are from, and whether "Last Seen" was a logout event.
Then the other app can interrogate "Last Seen", and if it's more than 5 seconds (I'd actually bump it to 10 for the interrogation), or a LogOut event, assume that the first session went away, and that they are free to log into the second application. If "Last Seen" is less than 5-10 seconds, bump them both out and alert the admin with both the IP Addresses to decide which one should be killed.
In addition to what you have, you could save last activity time in your session DB, and update it, when there is a session update, how often ( every request or once in 5 min for example) it depends on your requirements. Then in case of app/browser/system restart, you log in user, even if record exist, if it is older that session timeout. And you can have admin user that can manually delete entry if required.
The other solution would be to always log in new app, and logout the old one. But that would require introducing additional logic in the application to check if session is still valid.

Asp.net destroy session by sessionid

When one user login my site, this user have a session[sessionid like:xxxx-xxxx-xxxx-xx], when he login again elsewhere, he have a different session[sessionid like:yyyy-yyyy-yy-yyy], HOW CAN I DESTROPY THE PREVIOUS SESSION[sessionid like:xxxx-xxxx-xxxx-xx],after he login again with session[sessionid like:yyyy-yyyy-yy-yyy].
Destroy one session in another sesson!
Is this possible?
Thanks a lot!
There seems to be a lot of confusion regarding this request. I believe this individual wants to know how to prevent concurrent user sessions.
The proposed method: When a user logs in successfully, make this new user sessions active and abandon any other existing active sessions for the user.
My solution:
Upon Login, save the SessionID to a database, referenced to the user's account
In the Site Master file (or any file you may share with all the pages of your site), compare the current SessionID (HttpContext.Current.Session.SessionID) with the Saved SessionID.
If the two do not match, Abandon the session (Session.Abandon).
It's a simple solution, but it should address the issue.
don't worry about that, if you should worry it means your app design is bad.
put a logger in the Global.asax in the Session_End event and you will be able to track when unused sessions are closed by reading the log file.

on session start event

I'm building a web application: some pages will be accessible by non logged-in users (demo and sign-up pages) and others will only be accessible by logged-in users (actual application). In the global.asax file, I'm currently handling the session start event by loading some variable from a query that's based on the UserID. What will happen when a non-logged in user looks at a page? I guess my question is really about how to handle the session start event when it's a logged-in user, when it's not and when a user logs in. I want a certain number of queries to run only once per session, after the user logged in.
Thanks.
I would suggest to implement Forms-Based Authentication, instead of to handle authentication via session. An example can be obtained from here:
http://support.microsoft.com/kb/301240
Don't confuse "login session" with "session state". Session state has nothing to do with whether the user is logged in.
If you want some queries run when the user logs in, you should run them when the user logs in, not in Session_Start.

Multiple log-in problem

We have a web application with feature for logging in with credientials
The important requirement is once the user logs in he is not allowed to login from any other system or even another browser on same system
We used following solution which is mssql based : We have kept " Is_Loggedin" as a column with data type "bit" in a table. when a user logs in we set the flag as "1" sowhen someone tries to log again ,the system is showing the error "The user is already logged in"
When user logsout bit turns to "0"indicating user logged out.
However this logic is failing in following scenarios
Problem scenario:
When user closes the browser the flag is "1"and user is locked in or situations when user gets system problem and unable to log out
Is there a better logic to handle this requirement?
While the user is logged in, you could have a AJAX call that pings the server every 30 seconds that the user is logged in. Have a column Is_LoggedIn, and Last_LoggedIn for the date/time when they last sent that AJAX call. If it has been more than, say 1 minute, allow the user to login from another system.
You will also have a problem scenario if the user leaves their browser open for more than the session timeout period, usually 20 minutes. Then they will get logged out on the next request, but not be able to login again because of that is_LoggedIn set to 1. You would be better off doing some sort of time-based solution because keeping track of whether the user is still actively using a website is a very difficult problem because of the many ways they can leave the website without actually logging out.
If it is absolutely critical to avoid any chance of the user being logged in multiple places, you could also force all other places to logout automatically when the user logs into some new place.
You can update 'Is_Loggedin' flag to 0 at session_end event of global.asax.
session_end event is always call. session _end event call when session_timeout is expire.
in the global.asax code behind I believe there is an even for session end. You could tie into that method and set the user's Is_LoggedIn flag to 0. You would then also need to tie a user to a session key to be able to track a user's session.
Edit:
Also, the use of a session cookie or a normal cookie may help if the user closes their browser. The cookie would authenticate them upon re-opening the browser window; however this has a potential security hole if the user is using a public computer.
You could be to log the user out after sometime of inactivity (say 30 minutes). This way if the user closes the browser without logging out he will be able to log in again after 30 minutes.
Use Session_End as Pankaj suggest to make sure that the user's bit is set to 0 when logging out.
The issue with system failures is another problem. Maybe this could do the trick: When the user log in, the store the user's session ID in the database. When the user logs out, then clear the session ID. Every time the user makes a request you verify that the session ID matches the one stored in the database. If that is not the case, then invalidate the session, so that the user is logged out.
This should happen: If the user signs in, in another browser, the session ID would be updated. If user then goes back to the first browser windows and clicks on something, that session would be invalidated, and the user would be signed out automatically.

ASP.NET sessions

I am trying to find out in my asp.net application the users that are currently logged in the application by searching on the session info. Currently, I am only able to see my current session, but I cannot find out if there are other users using it. Is there a way to see if there are other users using the application by looking at the session information
Session state is per user - Application state (global) seems to be what you're looking for.
There are 2 hashes Session and Application, in which you can store key-value pairs.
A way to do it would be to update Application[UserNamesList] whenever there is a successful login. This would then be visible to all users. Application state would however be lost whenever the App Web Server recycles or restarts... but that shouldn't be a problem in this case.
A session is supposed to only give you information about the currently logged-in user.
If you need to keep track of all logged-in users, you could consider writing the users into a global variable. Here is info on how that works. Note that sessions expire. You would have to write, for each user, the time the user was last seen (i.e. each time they hit a new page, update their record). When the time they were last seen is greater than your session timeout, it's safe to assume they are no longer logged in and you can remove them from the list of current users. If they just up and close their browser, you will not be alerted and you will still think they are logged in even though they are not.

Resources