tags:

views:

1171

answers:

2
Q: 

User session management in asp.net

Hi, my client has had a security audit of a system I built for them complete.

They want it to work in such a way that if a user logs in via Internet Explorer that when they login via Firefox on the same machine (or via IE on another machine) that it kills the first session.

Essentially this means storing session info in the DB i would imagine and then setting an active/inactive flag against it so user id, session id, status if userid has an active session, then kill first session, and create new session.

Are there any built in mechanisms for doing this with the .NET framework or can anyone point me in the direction of some tutorials etc.

Many thanks,

Ed

+2  A: 

First, add a field to your users table to store the currently used session ID. This ID is easily accessible from your code. When the user logs in, store that ID.

On every page request, check to verify that the current session ID matches what was stored in your user table. If it doesn't match, then clear the current session data and kick the user back to the log in screen.

This will not stop the user from using multiple tabs in IE 7 because IE7 uses the same instance for each tab; but it will stop them from using multiple browser instances.

The reason why this will work is that each browser contains it's own cookie space. Session's are matched up server side based on a cookie value that stores the session id and is sent back to the server on each request.

Incidentally, this is not a very effective means of eliminating session hijacking; which it sounds like the security audit is trying to prevent. If you need to do that, update your question and I'll go further.

UPDATE

One way to stop session hijacking is to store a random number in the session and as a cookie on the browser. When the next request comes in, verify that the cookie and session values match. If they don't then reset the session id variable in your user table. This will force all sessions to log in again. For every page request (post / get) create a new random value. The downside is that pages can not be bookmarked; but that's probably acceptable.

Chris Lively  2009-03-30 14:23:36
thanks for the suggestion - this might work but I'd like the "new" session to override the "old" one so the user is not kicked out. But if they went back to the original browser/pc and refresh or tried to access something they would be thrown back to the login
Ed Bloom  2009-03-30 14:28:20
That's exactly what this would do. Each time they log in, just update the user table with the latest session id. When the old one does a get or post it'll see that it's not current then you redirect to the login screen.
Chris Lively  2009-03-30 14:29:47
Ed, that's basically what I did. Last in wins, otherwise you have to wait for their session to timeout before letting them log back in.
JoshBerke  2009-03-30 14:30:06
@Chris: Change "stop them from using multiple browser windows" to "multiple browers instances", multiple windows launched from the current instance of the browser will use the same session.
AnthonyWJones  2009-03-30 14:44:23
@Chris - yes, this "last in wins" approach seems to be the way to go. What else would recommend to stop session hijacking? @Anthony - ahh yes, the old "browser instances" vs. "browser windows" chestnut - has confused many a web developer.
Ed Bloom  2009-03-30 14:51:59
@Chris - very helpful re: session hijacking - thank you
Ed Bloom  2009-03-30 15:15:23
A: 

I blogged about how I handle this. Basically the idea is we create a non-persistant cookie, which has a Guid.

We then store this tied to the userId in some place on the server (App Cache, DB etc...). We then have a poller which hits the server every couple of minutes, and if the cookie doesn't match the value, we log the user out.

JoshBerke  2009-03-30 14:25:37
@Josh - nice approach - certainly has given me food for thought
Ed Bloom  2009-03-30 14:47:58

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps