How to allow only ONE user on an ASPX web site? (C#)

[S_K]

Hi,

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Thanks so much for you help!

 

[Eliyahu Goldin]

Static variables are shared between all user sessions. If you make something
like
public static bool IsInUse; and the first users will set it to true, the
other user sessions will detect it.

How are you going to detect when the user completes using the site?

--
Eliyahu Goldin,
Software Developer
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net

 

[Mark Rae [MVP]]

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Only if you can absolutely 100% trust your user(s) to log out via a means
that you provide so that you can reset the Application variable...

ASP.NET has no reliable way of knowing if a user has navigated away from
your site, or closed their browser etc...

 

[Mark Rae [MVP]]

How are you going to detect when the user completes using the site?

That's the problem...

 

[justin]

Hi,

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Thanks so much for you help!

Would a time stamp help at all? I don't know the nature of your site,
but how long would the user need to be on the site? If there's no
activity after a specified period of time then a new user can be
allowed through.

 

[Patrice]

Yes all along with the user id for the current "owner" of the site (so that
you can check if recent activity was caused by the same or by another user
than the one doing the current request).

Note also that if the user doesn't log out explictely you'll get a period of
time during which nobody (except the last connected user) will be able to
use the site.

You may want to elaborate a bit as this is an unsual requirements. What does
requires this ?

--
Patrice

Hi,

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Thanks so much for you help!

Would a time stamp help at all? I don't know the nature of your site,
but how long would the user need to be on the site? If there's no
activity after a specified period of time then a new user can be
allowed through.

 

[S_K]

Hi,

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Thanks so much for you help!

Would a time stamp help at all? I don't know the nature of your site,
but how long would the user need to be on the site? If there's no
activity after a specified period of time then a new user can be
allowed through.

Would a static variable work on a .ASPX web site? I would think thats
what Application["variablename"] is for. Hmmm I'm going to have to try
that.....

So there is no way of reliably determining if the user has dropped the
web page? That's disturbing. Isn't there an "Unload()" event or
something that can be used? Is that not reliable?

Thanks soo much for your feedback!!

Steve

 

[Mark Rae [MVP]]

So there is no way of reliably determining if the user has dropped the
web page?
Correct.

That's disturbing.

It's inherent in the fundamental disconnected architecture of the web.

Isn't there an "Unload()" event or something that can be used?

Yes, but that will fire "every time" the page unloads i.e. when moving from
page to page within the same site...

Is that not reliable?

No...

 

[S_K]

Yes all along with the user id for the current "owner" of the site (so that
you can check if recent activity was caused by the same or by another user
than the one doing the current request).

Note also that if the user doesn't log out explictely you'll get a periodof
time during which nobody (except the last connected user) will be able to
use the site.

You may want to elaborate a bit as this is an unsual requirements. What does
requires this ?

--
Patrice

"justin" <[email protected]> a écrit dans le message de (e-mail address removed)...

Hi,
I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?
Thanks so much for you help!

Would a time stamp help at all? I don't know the nature of your site,
but how long would the user need to be on the site? If there's no
activity after a specified period of time then a new user can be
allowed through.- Hide quoted text -

- Show quoted text -

The requirement that only one user be logged on at a time is because
this site is used to process payroll taxes and the processing is done
one step at a time and each step needs to be done in sequence. Like a
state machine.

How do you get the user id? Is this a "Document" or a "Page"
parameter?

Thanks again this has been sooo helpfull.

Steve

 

[IfThenElse]

You can always have an Admin Account that can unlock a user if she-he
forgets to logout properly.
Also you need to make sure that the processing is done by that user
Can one user start processing then logsout then another user logs in and
Finishes the processing?


The Admin account can unlock or reset flags.

By the way, this is Pain In The A.

Yes all along with the user id for the current "owner" of the site (so
that
you can check if recent activity was caused by the same or by another user
than the one doing the current request).

Note also that if the user doesn't log out explictely you'll get a period
of
time during which nobody (except the last connected user) will be able to
use the site.

You may want to elaborate a bit as this is an unsual requirements. What
does
requires this ?

--
Patrice

"justin" <[email protected]> a écrit dans le message de (e-mail address removed)...

Hi,
I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?
Thanks so much for you help!

Would a time stamp help at all? I don't know the nature of your site,
but how long would the user need to be on the site? If there's no
activity after a specified period of time then a new user can be
allowed through.- Hide quoted text -

- Show quoted text -

The requirement that only one user be logged on at a time is because
this site is used to process payroll taxes and the processing is done
one step at a time and each step needs to be done in sequence. Like a
state machine.

How do you get the user id? Is this a "Document" or a "Page"
parameter?

Thanks again this has been sooo helpfull.

Steve

 

[mark4asp]

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Only if you can absolutely 100% trust your user(s) to log out via a means
that you provide so that you can reset the Application variable...

ASP.NET has no reliable way of knowing if a user has navigated away from
your site, or closed their browser etc...

What about this method? - it works fine for me:

http://www.eggheadcafe.com/articles/20051228.asp

 

[mark4asp]

Yes all along with the user id for the current "owner" of the site (so that
you can check if recent activity was caused by the same or by another user
than the one doing the current request).

Note also that if the user doesn't log out explictely you'll get a period of
time during which nobody (except the last connected user) will be able to
use the site.

You may want to elaborate a bit as this is an unsual requirements. What does
requires this ?

--
Patrice

"justin" <[email protected]> a écrit dans le message de (e-mail address removed)...

Hi,

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Thanks so much for you help!

Would a time stamp help at all? I don't know the nature of your site,
but how long would the user need to be on the site? If there's no
activity after a specified period of time then a new user can be
allowed through.- Hide quoted text -

- Show quoted text -

The requirement that only one user be logged on at a time is because
this site is used to process payroll taxes and the processing is done
one step at a time and each step needs to be done in sequence. Like a
state machine.

How do you get the user id? Is this a "Document" or a "Page"
parameter?

Thanks again this has been sooo helpfull.

Steve

You get the userID from the user cookie (where you would've put it) when
the user authenticates [using the _OnAuthenticate() in Global]. If the
cookie ticket fails authentification you get the UserID from your
database when the user logs in. The UserID is then added to the security
context - eg. something like this:

protected void FormsAuthentication_OnAuthenticate(Object sender,
FormsAuthenticationEventArgs e)
{
blah blah ...

e.Context.User = new System.Security.Principal.GenericPrincipal(new
FormsIdentity(Ticket2), aRoles);
Context.Items.Add("UserID", strID);

blah blah ...
}

So, you can use forms authentification with an encrypted cookie. Whether
or not you use a cookie, the UserID can be kept in the security context
and is then always available to you as: Context.Items["UserID"] (in this
case). There are more sophisticated variants like this with custom
Principals.

Detect the end of a session using this method:
<http://www.eggheadcafe.com/articles/20051228.asp>

 

[Mark Rae [MVP]]

What about this method? - it works fine for me:

http://www.eggheadcafe.com/articles/20051228.asp

??? But that isn't the same thing at all!

The OP is looking for a way to be notified *when* a user navigates away from
the site or closes the browser.

Peter's code will check *if* a user's Session has timed out, but only in
response to *another* HttpRequest from that user - if the user navigates
away from the site or closes their browser, none of this will ever happen...

 

[kaza]

Hi,

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Thanks so much for you help!

Hi, static variables and application are once / prcoess, it is easily
possible that you will have several processes (w3p.exe in taskmanager)
thus I would go for external store like file or database row entry

regards

 

[S_K]

Hi,

I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?

Thanks so much for you help!

Hi, static variables and application are once / prcoess, it is easily
possible that you will have several processes (w3p.exe in taskmanager)
thus I would go for external store like file or database row entry

regards

Thanks very much everyone for your help in this!
It has been quite a learning experience!

Thanks again
Steve

 

[Rory Becker]

You may want to elaborate a bit as this is an unsual requirements.

»
The requirement that only one user be logged on at a time is because
this site is used to process payroll taxes and the processing is done
one step at a time and each step needs to be done in sequence. Like a
state machine.

So why can't you store the current state (against the user ID in some backend
database) at each stage of the process so that multiple people could use
the system at once.

Seems strange to lock people out when you could serve more than one at once...
Is that not better?

 

[mark4asp]

??? But that isn't the same thing at all!

The OP is looking for a way to be notified *when* a user navigates away from
the site or closes the browser.

Peter's code will check *if* a user's Session has timed out, but only in
response to *another* HttpRequest from that user - if the user navigates
away from the site or closes their browser, none of this will ever happen...

Thanks for correcting my mistake.

So if one then tried to read the user's cookie what would one get? And
what of the security context surely that will no longer return a UserId
(if one put it there in the first place) ?

Say the user visits the site at 13:00 and navigates away at 13:10 and
the session timeout is set to 20 minutes. Are you saying that for the
last 10 minuters, after the user has navigated away, that the session id
and UserId in the security context will still be there - implying that
the user is still present? I was under the impression that the session
id relied on cookies (by default). I realise that http is stateless but
is the user cookie cached on the server and not read afresh each time
one "reads" it? - if so, what would happen if one tried to write a
cookie to the now absent user after they had navigated away?

It just doesn't make sense to me that a user navigating away can't be
detected.

 

[Mark Rae [MVP]]

Say the user visits the site at 13:00 and navigates away at 13:10 and
the session timeout is set to 20 minutes. Are you saying that for the
last 10 minuters, after the user has navigated away, that the session id
and UserId in the security context will still be there - implying that
the user is still present?

Yes, though that wouldn't matter in the slightest - the problem is that the
Session on the webserver would not have timed out...

It just doesn't make sense to me that a user navigating away can't be
detected.

Think about it - once a webserver has sent down an HttpResponse in response
to an HttpRequest, how can it possibly have the slightest idea what happens
on the browser to which it has sent that HttpResponse...?

If you send me a letter, you can't know if I read it or even if I open it,
unless I reply to you - it's the same principle with the web...

 

[Larry Bud]

Yes all along with the user id for the current "owner" of the site (so that
you can check if recent activity was caused by the same or by another user
than the one doing the current request).

Note also that if the user doesn't log out explictely you'll get a period of
time during which nobody (except the last connected user) will be able to
use the site.

You may want to elaborate a bit as this is an unsual requirements. Whatdoes
requires this ?
"justin" <[email protected]> a écrit dans le message de (e-mail address removed)...

Hi,
I have an .aspx website developed. Because of the nature of the web
site only one user can be using this site at the same time. How do I
lock out the second user? Application["...] variable perhaps?
Thanks so much for you help!
Would a time stamp help at all? I don't know the nature of your site,
but how long would the user need to be on the site? If there's no
activity after a specified period of time then a new user can be
allowed through.- Hide quoted text -

- Show quoted text -

The requirement that only one user be logged on at a time is because
this site is used to process payroll taxes and the processing is done
one step at a time and each step needs to be done in sequence. Like a
state machine.

There a better way to do this. In a table, set flags as to what step
has been accomplished, or a "nextstep" value. Don't let a user into
any page except the one that equates to the "nextstep".

Once that step is being processed, don't allow another user process
it. Basically whomever clicks "Submit" first wins.