From: Eric S on 2 Mar 2010 13:58

Hi All,

When I create a credential for users to log in, I cannot allow them to log in from more than 2 different computers. Otherwise the user can provide the credential to 20 different people and they will try to hammer the server.

If user A logged in I can update a flag in a table called MemberInfo, and when he/she logged out I can reset that flag and also have a counter of the number of logins... Or I can even update the time he/she logged in.

a) The problem is what happens when he closes the browser and does not log out?

b) If the browser crashes then there is no way for me to update the flag.

How would you handle this kind of situation?
Appreciate some code / ideas.

Thanks,

Eric

From: Andy O'Neill on 2 Mar 2010 14:46

"Eric S" <xxx_noSpam(a)Hotmail.com> wrote in message news:u9cYipjuKHA.732(a)TK2MSFTNGP06.phx.gbl...
> Hi All,
>
> When I create a credential for users to log in, I cannot allow them to log in from more than 2 different computers. Otherwise the user can provide the credential to 20 different people and they will try to hammer the server.
>
> If user A logged in I can update a flag in a table called MemberInfo, and when he/she logged out I can reset that flag and also have a counter of the number of logins... Or I can even update the time he/she logged in.
>
> a) The problem is what happens when he closes the browser and does not log out?
>
> b) If the browser crashes then there is no way for me to update the flag.
>
> How would you handle this kind of situation?
> Appreciate some code / ideas.
>
> Thanks,
>
> Eric

Intranet or web?
On an intranet you could use the user's Windows credentials.
Either way, take a look at the membership provider.

From: Alexey Smirnov on 2 Mar 2010 14:53

On 2 Mar., 19:58, "Eric S" <xxx_noS...(a)Hotmail.com> wrote:
> Hi All,
>
> When I create a credential for users to log in, I cannot allow them to log in from more than 2 different computers. Otherwise the user can provide the credential to 20 different people and they will try to hammer the server.
>
> If user A logged in I can update a flag in a table called MemberInfo, and when he/she logged out I can reset that flag and also have a counter of the number of logins... Or I can even update the time he/she logged in.
>
> a) The problem is what happens when he closes the browser and does not log out?
>
> b) If the browser crashes then there is no way for me to update the flag.
>
> How would you handle this kind of situation?
> Appreciate some code / ideas.
>
> Thanks,
>
> Eric

Consider another approach. For example, using the client's IP address. On login you can keep the IP and time in MemberInfo. After that this information could be used to check if you could allow a logon or not. If the same IP, then the user is valid. If a different IP within, say, 20 minutes of the last use on another address, then you must apply the lockout rule. This will not work if users are coming out of the same router (e.g. a corporate proxy) - they will all have the same IP address. You may also wish to save a short-period encrypted cookie to provide a session marker upon logon.

From: Alexey Smirnov on 2 Mar 2010 14:57

On 2 Mar., 19:58, "Eric S" <xxx_noS...(a)Hotmail.com> wrote:
> Hi All,
>
> When I create a credential for users to log in, I cannot allow them to log in from more than 2 different computers. Otherwise the user can provide the credential to 20 different people and they will try to hammer the server.
>
> If user A logged in I can update a flag in a table called MemberInfo, and when he/she logged out I can reset that flag and also have a counter of the number of logins... Or I can even update the time he/she logged in.
>
> a) The problem is what happens when he closes the browser and does not log out?
>
> b) If the browser crashes then there is no way for me to update the flag.
>
> How would you handle this kind of situation?
> Appreciate some code / ideas.
>
> Thanks,
>
> Eric

One more tip:
http://teknohippy.net/2008/08/21/stopping-aspnet-concurrent-logins/

From: Eric S on 2 Mar 2010 14:58

Hi Alexey,

Thanks for the reply, it is informative... Any suggested code (or blog somewhere) is also appreciated.

Regards,

Eric

"Alexey Smirnov" <alexey.smirnov(a)gmail.com> wrote in message news:f05790d1-0996-493e-85e8-d6c432a7e037(a)q23g2000yqd.googlegroups.com...
On 2 Mar., 19:58, "Eric S" <xxx_noS...(a)Hotmail.com> wrote:
> Hi All,
>
> When I create a credential for users to log in, I cannot allow them to log in from more than 2 different computers. Otherwise the user can provide the credential to 20 different people and they will try to hammer the server.
>
> If user A logged in I can update a flag in a table called MemberInfo, and when he/she logged out I can reset that flag and also have a counter of the number of logins... Or I can even update the time he/she logged in.
>
> a) The problem is what happens when he closes the browser and does not log out?
>
> b) If the browser crashes then there is no way for me to update the flag.
>
> How would you handle this kind of situation?
> Appreciate some code / ideas.
>
> Thanks,
>
> Eric

Consider another approach. For example, using the client's IP address. On login you can keep the IP and time in MemberInfo. After that this information could be used to check if you could allow a logon or not. If the same IP, then the user is valid. If a different IP within, say, 20 minutes of the last use on another address, then you must apply the lockout rule. This will not work if users are coming out of the same router (e.g. a corporate proxy) - they will all have the same IP address. You may also wish to save a short-period encrypted cookie to provide a session marker upon logon.
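
Added example, not part of any post in this thread: a sketch of the time-window idea discussed above, keyed on a random session token stored in a cookie rather than on the IP address, so users behind one proxy are not conflated. The class and method names (`SessionLimiter`, `TryLogin`, `Touch`, `Logout`) are hypothetical, and state is held in memory where a real site would keep it in a table alongside MemberInfo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
// Hypothetical helper, not from the thread. State is in memory; a real site would persist it.
public sealed class SessionLimiter
{
    private readonly int _max;
    private readonly TimeSpan _idle;
    private readonly Dictionary<string, Dictionary<string, DateTime>> _live =
        new Dictionary<string, Dictionary<string, DateTime>>(); // user -> token -> last seen (UTC)
    public SessionLimiter(int max, TimeSpan idle) { _max = max; _idle = idle; }
    // Call after the password check. Returns a cookie token, or null when the limit is reached.
    public string TryLogin(string user, DateTime nowUtc)
    {
        lock (_live)
        {
            var sessions = Prune(user, nowUtc);
            if (sessions.Count >= _max) return null;
            var raw = new byte[32];
            RandomNumberGenerator.Create().GetBytes(raw);   // unguessable session marker
            var token = Convert.ToBase64String(raw);
            sessions[token] = nowUtc;
            return token;
        }
    }

    // Call on every authenticated request; false means the session is unknown or has expired.
    public bool Touch(string user, string token, DateTime nowUtc)
    {
        lock (_live)
        {
            var sessions = Prune(user, nowUtc);
            if (!sessions.ContainsKey(token)) return false;
            sessions[token] = nowUtc;                        // sliding expiry
            return true;
        }
    }

    public void Logout(string user, string token) { lock (_live) Prune(user, DateTime.UtcNow).Remove(token); }

    // Drops sessions idle longer than the timeout, which covers closed or crashed browsers.
    private Dictionary<string, DateTime> Prune(string user, DateTime nowUtc)
    {
        if (!_live.TryGetValue(user, out var sessions)) _live[user] = sessions = new Dictionary<string, DateTime>();
        foreach (var t in sessions.Where(kv => nowUtc - kv.Value > _idle).Select(kv => kv.Key).ToList()) sessions.Remove(t);
        return sessions;
    }
}
```

Constructed as `new SessionLimiter(2, TimeSpan.FromMinutes(20))`, this applies the two-computer limit and the 20-minute window mentioned in the thread; a request whose cookie token fails `Touch` is sent back to the login page.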