Need to limit user sessions

Posted on 2002-04-19
Last Modified: 2008-02-01
Hi,

We need to limit the # of users on our IIS server.  Our environment is Win2K with IIS 5.0.

We've been trying to set the AspSessionMax value to 5 for test purposes, but when we go to the site to test, the limit never seems to kick in.  We never get denied.  We've tried stopping/starting the service via the services and MMC tools.  We've set the value via metaedit and adsutil.vbs.

We've applied the setting to the top level web and this should be an inherited value.

Our testing has been from a single machine, but with IE 6.0.  Is it possible that's the problem?  If so, we don't see where we can tell IE to run in unique process space (like we used to see in IE 5.x).

Any ideas?  Does this meta tag still work?
Question by: klamerus

Author Comment
by: klamerus
bumping the points
 
Expert Comment
by: meverest
one way to do it is to reduce the number of client licenses for the server - so long as the iis users are the only ones to be logged on, then you can limit the number by reducing the client access licenses to '5' or whatever you want.

you can find the license util in the control panel.

otherwise you can write an isapi filter to do some checks at authentication action...

cheers.
 
Author Comment
by: klamerus
We need to limit the web users, not ourselves for admin tasks and such.

Are you saying that the metabase setting doesn't work or is invalid?
 
Author Comment
by: klamerus
I'm confused on this - as it implies the metabase is useless.

We know how to use application variables and session_onstart and session_onend for counting and testing, but were hoping/expecting that the metabase stuff actually did something.
 
Expert Comment
by: meverest
i suspect that the values you refer to are related to concurrent processing rather than total number of active users.  keep in mind that a web server is by nature a sessionless system - unless the web users are cached, there is no real way to determine whether they are 'in or out'.

now that i think of it, using the client license number to limit sessions will not work either - this will also only limit the concurrent sessions.

cheers.
 
Expert Comment
by: pssiew
You can limit the number of users by setting a limit from the web site tab of the IIS properties page. Select the limited to connections radio button and specify the value you want.

Setting the aspsessionmax value, if I am not mistaken, only maintains a session between the client and server for a max duration of inactivity specified before disconnecting the session and does not limit the number of concurrent users using the IIS server.

Hope this helps
 
Expert Comment
by: meverest
once again, that option will limit concurrent users - that is not what i suspect the requirement is here (or correct me if i am mistaken, klamerus)

also, be very wary of trying to implement such a feature - if you are not careful, you will open up a DoS opportunity - all the attacker has to do is to keep your user count up to 5 with good (or bad) auths, and your application is essentially offline.

the other concern is that you need to define how you determine when the user has left....  some users might click a 'logout' button, but most of them just close the browser or jump to an external link - you never know that they have gone without giving them some time (eg 15 minutes) that defines a session timeout - that is, if they don't make any request for x minutes, then assume that they have gone.

so what you get with a low user count of, like, 5 - is that when all of those 5 users log on, look at one page, then go somewhere else - it will take x minutes before you are sure that they have gone.  set 'x' too high and the availability is too low, set it too short and a user can get kicked off while they are still legitimately browsing the site!

my recommendation is to use a combination of browser refresh (like a meta-refresh tag) every 60 seconds and isapi filter checking the authed users, clearing the cache at a short duration - say 90 seconds.

cheers.
 
Author Comment
by: klamerus
Well, some clarification seems called for.

Yes, we want to limit the # of users, not connections.

Our IS department has had to take on support for a very, very poorly written application.  It "leaks" DCOM connections and memory (amongst other issues).  We are taking actions to re-architect it and will eventually have it re-written.  What we are doing is a stop-gap measure for a couple of weeks.  DoS is not an issue as this is not a "public" web site.

Limiting connections is problematic.  When we do that, our users get failed requests for web page components (missing graphics, etc.).  That's entirely unacceptable.  We'd much rather tell them to try our system later when it's not so busy.

So far as state and such, we know that the server has a timeout period.  We have our timeout set at a level that is reasonable for this application (10 min.) and based on known usage we'll simply "bump" our concurrent user limit to a slightly higher-level to compensate for users who have "left" the system.

Web servers give the browser cookies, so they are not entirely stateless.  It's this cookie thing which allows our servers to know one user from another and our application already uses both application and session level objects.

So, we want to limit # of users in our system.  We know that limiting connections does not do this.  We know the server tracks it.  What we need to know is how to limit the users and how to test that the limit is working.

As I said, when I test this on my laptop (Win2K Adv. Svr.) and browse to it (IE 6.0), I never hit the limit.  Would this perhaps be because I am doing all this connecting from my laptop, or is it not actually working?
 
Expert Comment
by: meverest
>> DoS is not an issue as this is not a "public" web site.

DoS is always an issue - the attack is not always intentional, but the result is the same.

>> Limiting connections is problematic.  When we do that, our users get failed requests for web page components (missing graphics, etc.).

that is caused by what i have described above - "...a user can get kicked off while they are still legitimately browsing..."

>> Web servers give the browser cookies, so they are not entirely stateless.

semantics - by nature, http is stateless.  cookies and web application sessions are implementation work-around only.

>> when I test this on my laptop (Win2K Adv. Svr.) and browse to it (IE 6.0), I never hit the limit.

that's probably because you are always counted as one user - regardless of how many browser windows you have open.

>> we want to limit # of users in our system

the only way i can think of, i have suggested already.  you need to write an ISAPI filter to fire on the onauthentication event.  

here is more detail on the technique:

on auth, read the username and password pair, check against the userbase that it is valid, if so, iterate through a list structure containing username/timestamp pairs.  as you go through the list, if you find any that are older than your timeout, remove the entry.  if you find the latest auth, then update the timestamp.  if he is not in the list, then if there is a free slot (ie not up to the limit yet) add him.  if there is no free slot, then display the 'come back later' message, and cancel the request.

you can write this yourself if you have any reasonable visual studio skills, or you can get someone else to do it.

i usually do that sort of work for around (aussie) $200ph - this would be about a 1 to 2 day job.

from the sounds of what you are wanting to achieve (a stop-gap solution) you are probably better off just living with it in the meantime, rebooting the server when you have to.

cheers.
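The admission check meverest sketches in the comment above (a list of username/timestamp pairs, stale entries removed after the timeout, a free-slot test on each authentication, otherwise a 'come back later' page), together with the timeout trade-off and the slot-holding DoS from the earlier comment, as an added example that is not code from this thread or from either participant. It is plain C++ so the policy can be exercised without IIS; the ISAPI glue (an HttpFilterProc handling SF_NOTIFY_AUTHENTICATION, reading the user from HTTP_FILTER_AUTHENT and returning SF_STATUS_REQ_FINISHED after writing the busy page) is omitted. The class and function names, the cap of 5 users and the 10-minute timeout are assumptions taken from the discussion, and the user names are constructed.

```cpp
// Added example, not code from the thread: meverest's per-user admission
// check as a plain C++ class. The cap (5), the 600 s idle timeout and all
// user names are assumptions taken from the discussion.
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

class UserLimiter {
public:
    UserLimiter(std::size_t maxUsers, std::int64_t idleTimeoutSec)
        : maxUsers_(maxUsers), idleTimeout_(idleTimeoutSec) {}

    // One call per authenticated request. True: let it through. False: the
    // site is full and the caller should cancel the request with the busy page.
    bool admit(const std::string& user, std::int64_t nowSec) {
        evictIdle(nowSec);
        auto it = lastSeen_.find(user);
        if (it != lastSeen_.end()) {
            it->second = nowSec;           // already counted: refresh only
            return true;
        }
        if (lastSeen_.size() >= maxUsers_) return false;
        lastSeen_[user] = nowSec;          // free slot: count the new user
        return true;
    }

    // An explicit logout button frees the slot at once instead of after the timeout.
    void logout(const std::string& user) { lastSeen_.erase(user); }

    std::size_t activeUsers(std::int64_t nowSec) {
        evictIdle(nowSec);
        return lastSeen_.size();
    }

private:
    // Users with no request for longer than the timeout are presumed gone.
    void evictIdle(std::int64_t nowSec) {
        for (auto it = lastSeen_.begin(); it != lastSeen_.end();) {
            if (nowSec - it->second > idleTimeout_) it = lastSeen_.erase(it);
            else ++it;
        }
    }
    std::size_t maxUsers_;
    std::int64_t idleTimeout_;
    std::map<std::string, std::int64_t> lastSeen_;  // user -> last request time
};

// Testing from one PC with one account: every browser window refreshes the
// same entry, so the cap is never reached. Returns the number of counted users.
std::size_t usersSeenFromOneTester() {
    UserLimiter site(5, 600);
    for (int window = 0; window < 20; ++window) site.admit("klamerus", window);
    return site.activeUsers(20);
}

// Five distinct users fill the site; a sixth is refused until one of the five
// has been silent longer than the 10-minute timeout. Returns the simulated
// second at which the sixth user first gets in.
std::int64_t secondSixthUserAdmitted() {
    UserLimiter site(5, 600);
    const std::string users[] = {"u1", "u2", "u3", "u4", "u5"};
    for (const auto& u : users) site.admit(u, 0);
    for (std::int64_t t = 1; t <= 1200; ++t) {
        for (int i = 1; i < 5; ++i) site.admit(users[i], t);  // u2..u5 stay busy
        if (site.admit("u6", t)) return t;                    // u1 went quiet at t=0
    }
    return -1;
}

// The DoS meverest warns about: five valid accounts that re-request inside the
// timeout hold every slot, and a legitimate user is never admitted. Returns how
// many of the legitimate user's once-a-minute attempts succeeded over an hour.
int legitimateAdmissionsUnderSlotHolding() {
    UserLimiter site(5, 600);
    int admitted = 0;
    for (std::int64_t t = 0; t < 3600; t += 60) {
        for (int i = 0; i < 5; ++i) site.admit("holder" + std::to_string(i), t);
        if (site.admit("realuser", t)) ++admitted;
    }
    return admitted;
}
```

In a real ISAPI filter the map is shared by every IIS worker thread, so admit and logout must be guarded by a critical section; the example leaves the lock out so it runs stand-alone. Feed it a monotonic clock rather than wall time so a clock change does not evict or pin everyone at once, and note that if the check ran before credential validation, failed logins would also consume slots, which is the "bad auths" variant of the DoS.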
 
Author Comment
by: klamerus
Follow up:

Since this is an Intranet site and we have had > 400 Internal web sites for 3+ years (probably 4+), never once having had a DoS attack, I'll stick with my contention that DoS is not an issue.

So far as limiting connections "booting" a legitimate user, I'm not sure there is ever a perfect answer.  We currently have our servers set at a timeout that does not cause problems.

Cookies and sessions are not work-arounds only.  Without cookies and session data, it would be nigh impossible to create any useful applications.  I do agree that HTTP is stateless, but web applications are often/usually not.

I think the point on the browser is perhaps key here.  Earlier versions of IE (v 5.0) had settings on whether to start new browser sessions in separate processes, which caused them to come into servers as new clients.  I'm hoping that the problem we're seeing is not that the ASPSessionsMax doesn't work, but that testing from a single PC doesn't work.  Anyone with insight here would be much appreciated.

So far as limiting users, we've done that before by using an application variable (say NumUsers), using Session_OnStart to increment and Session_OnEnd to decrement and putting a check into the log-on of the application on whether it's reached its limit.  We simply would rather not do that this time around (especially if there is an IIS setting to leverage).

We really don't want to invest much time in customizing when this is truly stop-gap.  The IIS metabase stuff seemed like a five minute exercise and I'm hopeful that we've simply done it wrong or tested it wrong.

 
Accepted Solution
by: meverest (earned 200 total points)
>> I'm hoping that the problem we're seeing is not that the ASPSessionsMax doesn't work, but that testing from a single PC doesn't work.

that is likely.  but keep in mind also that the aspsessionmax won't do you any good unless the user is actually participating in an interactive asp session. (ie not just browsing .html pages)

cheers.
