How do I tell if a user account is already logged in using ASP.Net Forms Authentication? - asp.net

Our SSO login process uses Forms Authentication against a custom user store in SQL Server.
One of our new security requirements is to only allow an account to have one active session at a time. So any time a user logs in, we will check to see if the login credentials are already active, and preferably prevent the new user from logging in again until the other session ends. Alternatively we could force the other session to end, if that would be easier to implement.
Is there a simple way to do this with Forms Authentication? We've considered a custom approach where we track each session in the database, but it would be a lot of work and we'd probably have to modify all of our applications to detect the session_end, which I'm hoping to avoid. I figure there has to be something in Forms Auth that handles this.
I've seen the MembershipUser.IsOnline() method, which seems ideal, but we're not using a Membership provider.
UPDATE: Just to be clear, I do not need to check whether the current user is logged in, I need to know if somebody else is already logged in using the same account.

Try this:
System.Web.HttpContext.Current.User.Identity.IsAuthenticated

If I understood you correctly, you would need to store the last activity state based on the user id.
Membership.IsOnline() is implemented by checking the LastActivityDate property persisted in the membership database.
So somewhere, you would need to track user activity.
You could maybe implement an HttpModule that updates a timestamp for user activity.

If the HttpContext.Current.User property is not null then they are logged in. And Identity.IsAuthenticated is true.

Related

asp.net MVC FormsAuthentication for claim based authentication

We are using Gigya to authenticate the user which will provide us with user Id and email. Then we pass the user detail to our CRM Web Service which will return the user data from CRM.
We then need to create a session for the user so that we can identify whether the user is logged in or not. If not logged in then redirect to Gigya for login/register etc.
Now, given that we are not using any ASP.NET Membership or similar, I'm thinking about how we are going to secure the member pages. One way I can think of is to store the user detail in session. Then check if the user detail exists in session; if it doesn't exist, prompt for login.
I'm also thinking whether:
I can use FormsAuthentication.SetAuthCookie or similar to create an ASP.NET session
Or is there a better way to achieve this.
Also, if I use FormsAuthentication.Logout will it clear all my session and cookies even though I'm not using the ASP.NET membership provider?
Goal:
To be able to create a session for the user
Able to authorize user based on user role which we get from CRM.
Able to logout the user on Logout button click.
First, and this is very very very important from a security perspective.
Authentication != Session.
They are different concepts. Second,
NEVER USE SESSION for AUTHENTICATION
see first rule. FormsAuthentication has nothing. Zero. Zilch. Nada. To do with session management. Nor does it have anything to do with Membership or credential verification. All it does is store a cookie that ASP.NET can decode to verify that the user is authenticated or not. This cookie is set by your application when it has validated the user's credentials.
FormsAuthentication.Logout() does not clear sessions, because as I already said, they have nothing to do with each other. You have to clear the session by calling Session.Abandon().
Session is about storing data for a user, and is not secure. Session is volatile, and IIS can discard it whenever it feels like, for any reason, at any time. You cannot depend on Session to be there from request to the next.
Authentication is encrypted, and strictly about proving the user has been authenticated.
Authentication can transcend sessions. It can be good for hours, weeks, months... Your session is only good for the time you are currently there (if IIS doesn't kill it earlier).
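An added example (not code from any answer above) of keeping the two concerns apart as this answer insists: the roles returned by the CRM service go into the encrypted Forms Authentication ticket rather than Session, the principal is rebuilt from the ticket on each request, and logout clears the auth cookie and the session separately. It also covers the next question below, refreshing a live user's roles, by simply re-issuing the ticket. Assumptions: the caller has already validated the user with Gigya and fetched roles from CRM; role names do not contain the '|' separator.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Forms Authentication without Membership: roles fetched from an external source (the CRM
// service in the question) travel inside the encrypted ticket, never in Session, and the
// principal is rebuilt from the ticket on every request.
public static class ExternalAuth
{
    // Called after the identity provider (Gigya here) has confirmed who the user is
    // and the CRM lookup has returned the roles. Role names are assumed not to contain '|'.
    public static void SignIn(HttpContext ctx, string userId, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(1, userId, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join("|", roles));
        ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = FormsAuthentication.RequireSSL });
    }

    // Wire up in Global.asax:
    //   void Application_PostAuthenticateRequest(object s, EventArgs e)
    //       { ExternalAuth.RestorePrincipal(HttpContext.Current); }
    // After this, [Authorize(Roles = "Admin")] and User.IsInRole("Admin") work with CRM roles.
    public static void RestorePrincipal(HttpContext ctx)
    {
        var identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null) return;   // not authenticated, leave the anonymous principal
        string[] roles = identity.Ticket.UserData.Split(
            new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(identity, roles);
    }

    // Roles changed in CRM? Re-issue the ticket; the old cookie's roles are replaced.
    public static void RefreshRoles(HttpContext ctx, string[] newRoles)
    {
        SignIn(ctx, ctx.User.Identity.Name, newRoles);
    }

    // Logout must clear both halves separately: the auth cookie (who you are) and the
    // session (what you stored). FormsAuthentication.SignOut touches only the former.
    public static void SignOut(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        if (ctx.Session != null) ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "") { Expires = DateTime.Now.AddDays(-1) });
    }
}
```

The ticket's UserData shares the cookie's roughly 4 KB limit, so keep the role list short or store a reference to it instead.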

How to force FormAuthentication to refresh the users roles?

I'm trying to figure out how, when using the default ASP.NET forms authentication stuff, one can change the roles that a user has dynamically. In our case a user has access to many accounts and their roles can change per account. This doesn't seem like rocket science to me but I can't figure out how I would do this. Does anyone have any experience trying to do this or a link that would be helpful?
UPDATE:
Just to clarify. We know at startup that User X has access to account #1 with roles 1,2,3 and account #2 with roles 1,2.
So first off I have to handle this part of the problem. Getting their roles based off their current account. For this I think I'd use a RoleProvider. The problem I'm trying to solve though is once ASP.Net has a User how do I tell it to invalidate that user or refresh that user so it would hit my custom RoleProvider (or what not) again.
Roles.AddUserToRole() should take care of adding the user to a role.
For removing: Roles.RemoveUserFromRole()
http://msdn.microsoft.com/en-us/library/system.web.security.roles.aspx

How about allowing the user to log in at the same time?

In my application, all pages are protected, so users must log in to visit the pages.
And the admin of the system can add users.
Now some people told me that I have to prevent people logging in at the same time using the same account.
That's to say, if there is a user named "John" logged in to the system, other people cannot log in with "John" again even if they know the password.
Also, if one user finds that someone has logged in using the account he wanted, he can make the former user offline. If so, I have to check whether the current user has been logged off or not on each page. This is not work that can be done easily.
I wonder if this is necessary?
Since I found so many websites nowadays do not limit this; for example, you can use the same account to log in to your gmail/stackoverflow/yahoo etc. on different machines at the same time.
So can anyone give me a suggestion?
Update:
Now, we use ASP.NET forms authentication (we do not use Membership yet). And in the t_user table in the database, we have columns named "isOnline" and "last_login_time".
When a user logs in, we set "isOnline" to 1 and store the login time.
When another user tries to log in again, we check "isOnline" and the time:
if (isOnline == 1 && DateTime.Now - lastLoginTime < TimeSpan.FromMinutes(40)) // where 40 min is the forms authentication timeout
    thisAccountHasLoggedIn = true;
But suppose a user has logged in, then he clears the browser cookie; if he then refreshes the page, he will be redirected to the login page, but now he can never log in again before the forms authentication times out, because "isOnline" in the db is 1 and the time span from his login to now is not larger than the forms timeout.
I am confused.
In some scenarios, I could understand not having multiple logins, but in reality, I have never had to implement it.
Unfortunately, I do not believe there is a standard mechanism for determining if a user is already logged in and this would need to be done by additional logic. In our application, we use a database for storing session information and using this, it would be a simple process to see if a session already exists within this for the user and not allow login if so.
Update
I was interested in this myself and found this:
http://msdn.microsoft.com/en-us/library/system.web.security.membershipusercollection.aspx
and this
http://msdn.microsoft.com/en-us/library/system.web.security.membershipuser.aspx
Using those, it may be possible to get this information with .IsOnline(). However, this does make the assumption that you are using standard ASP.NET membership.
In the table where you store user name and password, add a column "status".
When a user attempts to log in, update status to "Online"; when they log out, update status to "Logout".
During login check the status; if the status is "Online", terminate the process. This may be an approach to implement this, hope it will help you.

Spring-security split authentication and the authorization

I'm trying to create a custom login for my flex web app with spring-security.
I have a working version where we use the channelset.login with blazeds.
The problem I have is that I would like to split the authentication and the authorization.
I would like to ask the user to make some choices after the authentication to determine its roles,
since the roles the user is authorized for are determined by these choices.
This means the user has to be authenticated, then the client needs to do a service call to the service, and then the authorization process needs to take place.
Does anyone know if this is possible and have some tips of how this can be done?
Thanks in advance,
Arjen
Yes, that doesn't sound too far-fetched.
You can store the user roles in the database, make each role for new users something like SIGNUP which will only allow the user to signup, once his new role is determined, simply update that role and restrict the new role from being able to update the role again, unless you're admin.
You can also override the authentication process to do whatever you want to do: http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html
The session object might need to be refreshed if you're using some form of ORM.

ASP.net Memberships Force User Offline (as admin)

I am looking for a way to destroy the ASP.NET membership session for a specific user. The reason I am doing this is that as an admin I want to delete a user. This works fine, but if the user already has an active session, he is still marked as "online" until this session dies (I verify each time by using Current.User.Identity.IsAuthenticated).
How do I go about killing a session based on the user it's authorized as? This way when I do Memberships.DeleteUser(username) I can also do Sessions.KillByUser(username)
Thanks in advance
I ended up following their suggestion and using the following method, for anyone who has the same issue:
http://www.chillaxen.com/2011/02/asp-net-force-a-user-offline-as-admin-destroy-a-session-by-username/
How about adding an HttpModule which intercepts the PostAuthorizeRequest event: check the user's credentials against a global list of IDs you want to "destroy". If there's a match, kill the user's session.
As Jakob suggested, or you can try this...
In the Global.asax check if the logged in user is in the 'List of users to be made Offline', then log out the user by forms authentication or by deleting the cookie.
