Need to limit user sessions


We need to limit the # of users on our IIS server.  Our environment is Win2K with IIS 5.0.

We've been trying to set the AspSessionMax value to 5 for test purposes, but when we go to the site to test, the limit never seems to kick in.  We never get denied.  We've tried stopping/starting the service via the services and MMC tools.  We've set the value via metaedit and adsutil.vbs.

We've applied the setting to the top level web and this should be an inherited value.

Our testing has been from a single machine, but with IE 6.0.  Is it possible that's the problem?  If so, we don't see where we can tell IE to run in unique process space (like we used to see in IE 5.x).

Any ideas?  Does this meta tag still work?
Gene Klamerus
Gene Klamerus (Technical Architect, Author) commented:
bumping the points
one way to do it is to reduce the number of client licenses for the server - so long as the iis users are the only ones to be logged on, then you can limit the number by reducing the client access licenses to '5' or whatever you want.

you can find the license util in the control panel.

otherwise you can write an isapi filter to do some checks at authentication action...

Gene Klamerus (Technical Architect, Author) commented:
We need to limit the web users, not ourselves for admin tasks and such.

Are you saying that the metabase setting doesn't work or is invalid?

Gene Klamerus (Technical Architect, Author) commented:
I'm confused on this - as it implies the metabase is useless.

We know how to use application variables and session_onstart and session_onend for counting and testing, but were hoping/expecting that the metabase stuff actually did something.
i suspect that the values you refer to are related to concurrent processing rather than total number of active users.  keep in mind that a web server is by nature a sessionless system - unless the web users are cached, there is no real way to determine whether they are 'in or out'

now that i think of it, using the client license number to limit sessions will not work either - this will also only limit the concurrent sessions.

You can limit the number of users by setting a limit from the web site tab of the IIS properties page. Select the limited to connections radio button and specify the value you want.

Setting the aspsessionmax value, if I am not mistaken, only maintains a session between the client and server for a max duration of inactivity before disconnecting the session, and does not limit the number of concurrent users using the IIS server.

Hope this helps
once again, that option will limit concurrent users - that is not what i suspect that is the requirement here (or correct me if i am mistaken, klamerus)

also, be very wary of trying to implement such a feature - if you are not careful, you will open up a DoS opportunity - all the attacker has to do is to keep your user count up to 5 with good (or bad) auths, and your application is essentially offline.

the other concern is that you need to define how to determine when the user has left....  some users might click a 'logout' button, but most of them just close the browser or jump to an external link - you never know that they have gone without giving them some time (eg 15 minutes) that defines a session timeout - that is, if they don't make any request activity for x minutes, then assume that they have gone.

so what you get with a low user count of, like, 5 - is that what happens when all of those 5 users log on, look at one page, then go somewhere else - it will take x minutes before you are sure that they have gone.  set 'x' too high and the availability is too low, set it too short and a user can get kicked off while they are still legitimately browsing the site!

my recommendation is to use a combination of browser refresh (like a meta-refresh tag) every 60 seconds and isapi filter checking the authed users, clearing the cache at a short duration - say 90 seconds.

Gene Klamerus (Technical Architect, Author) commented:
Well, some clarification seems called for.

Yes, we want to limit the # of users, not connections.

Our IS department has had to take on support for a very, very poorly written application.  It "leaks" DCOM connections and memory (amongst other issues).  We are taking actions to re-architect it and will eventually have it re-written.  What we are doing is a stop-gap measure for a couple of weeks.  DoS is not an issue as this is not a "public" web site.

Limiting connections is problematic.  When we do that, our users get failed requests for web page components (missing graphics, etc.).  That's entirely unacceptable.  We'd much rather tell them to try our system later when it's not so busy.

So far as state and such, we know that the server has a timeout period.  We have our timeout set at a level that is reasonable for this application (10 min.) and based on known usage we'll simply "bump" our concurrent user limit to a slightly higher-level to compensate for users who have "left" the system.

Web servers give the browser cookies, so they are not entirely stateless.  It's this cookie thing which allows our servers to know one user from another and our application already uses both application and session level objects.

So, we want to limit # of users in our system.  We know that limiting connections does not do this.  We know the server tracks it.  What we need to know is how to limit the users and how to test that the limit is working.

As I said, when I test this on my laptop (Win2K Adv. Svr.) and browse to it (IE 6.0), I never hit the limit.  Would this perhaps be because I'm doing all this connecting from my laptop, or is it not actually working?
>> DoS is not an issue as this is not a "public" web site.

DoS is always an issue - the attack is not always intentional, but the result is the same.

>> Limiting connections is problematic.  When we do that, our users to get failed requests for web page components (missing graphics, etc.).

that is caused by what i have described above - "...a user can get kicked off while they are still legitimately browsing..."

>> Web servers give the browser cookies, so they are not entirely stateless.

semantics - by nature, http is stateless.  cookies and web application sessions are implementation work-around only.

>> when I test this on my laptop (Win2K Adv. Svr.) and browser to it (IE 6.0), I never hit the

that's probably because you are always counted as one user - regardless of how many browser windows you have open.

>> we want to limit # of users in our system

the only way i can think of, i have suggested already.  you need to write an ISAPI filter to fire on the onauthentication event.  

here is more detail on the technique:

on auth, read the username and password pair, check against the userbase that it is valid, if so, iterate through a list structure containing username/timestamp pairs.  as you go through the list, if you find any that are older than your timeout, remove the entry.  if you find the latest auth, then update the timestamp.  if he is not in the list, then if there is a free slot (ie not up to the limit yet) add him.  if there is no free slot, then display the 'come back later' message, and cancel the request.

you can write this yourself if you have any reasonable visual studio skills, or you can get someone else to do it.

i usually do that sort of work for around (aussie) $200ph - this would be about a 1 to 2 day job.

from the sounds of what you are wanting to achieve (a stop-gap solution) you are probably better off just living with it in the meantime, rebooting the server when you have to.
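The admission check that the ISAPI filter description above spells out, written as an added example (not code from this thread or from IIS): plain C++ with no ISAPI headers, so the request time is passed in rather than read from the clock, and the class name SessionLimiter and its methods are my own names.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

// Tracks authenticated users by last-request time and enforces a
// concurrent-user cap. A real ISAPI filter would wrap admit()/logout()
// in a critical section, since IIS calls filters from many worker threads.
class SessionLimiter {
public:
    // max_users: the cap (the thread's test value is 5);
    // timeout_s: idle seconds after which a user is assumed to have left.
    SessionLimiter(std::size_t max_users, std::int64_t timeout_s)
        : max_users_(max_users), timeout_s_(timeout_s) {}

    // Called once the username/password has been validated. Returns true if
    // the request may proceed, false if the "come back later" page is due.
    bool admit(const std::string& user, std::int64_t now) {
        // Expire entries idle longer than the timeout: users who closed the
        // browser or left the site without ever clicking "logout".
        for (auto it = last_seen_.begin(); it != last_seen_.end(); ) {
            if (now - it->second > timeout_s_) it = last_seen_.erase(it);
            else ++it;
        }
        auto found = last_seen_.find(user);
        if (found != last_seen_.end()) {
            // Already counted: a second browser window from the same login
            // is still one user, so just refresh the timestamp.
            found->second = now;
            return true;
        }
        if (last_seen_.size() >= max_users_) return false;  // no free slot
        last_seen_[user] = now;
        return true;
    }

    // An explicit logout frees the slot immediately instead of on timeout.
    void logout(const std::string& user) { last_seen_.erase(user); }

    std::size_t active() const { return last_seen_.size(); }

private:
    std::size_t max_users_;
    std::int64_t timeout_s_;
    std::map<std::string, std::int64_t> last_seen_;  // username -> last request time
};
```

Re-admitting the same username from a second window counts as one user, which is also why testing from a single logged-in laptop never trips the limit.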

Gene Klamerus (Technical Architect, Author) commented:
Follow up:

Since this is an Intranet site and we have had > 400 Internal web sites for 3+ years (probably 4+), never once having had a DoS attack, I'll stick with my contention that DoS is not an issue.

So far as limiting connections "booting" a legitimate user, I'm not sure there is ever a perfect answer.  We currently have our servers set at a timeout that does not cause problems.

Cookies and sessions are not work-arounds only.  Without cookies and session data, it would be nigh impossible to create any useful applications.  I do agree that HTTP is stateless, but web applications are often/usually not.

I think the point on the browser is perhaps key here.  Earlier versions of IE (v 5.0) had settings on whether to start new browser sessions in separate processes, which caused them to come into servers as new clients.  I'm hoping that the problem we're seeing is not that the ASPSessionsMax doesn't work, but that testing from a single PC doesn't work.  Anyone with insight here would be much appreciated.

So far as limiting users, we've done that before by using an application variable (say NumUsers), using Session_OnStart to increment and Session_OnEnd to decrement and putting a check into the log-on of the application on whether it's reached its limit.  We simply would rather not do that this time around (especially if there is an IIS setting to leverage).

We really don't want to invest much time in customizing when this is truly stop-gap.  The IIS metabase stuff seemed like a five minute exercise and I'm hopeful that we've simply done it wrong or tested it wrong.

>> I'm hoping that the problem we're seeing is not that the ASPSessionsMax doesn't work, but that testing from a single PC doesn't work.

that is likely.  but keep in mind also that the aspsessionmax won't do you any good unless the user is actually participating in an interactive asp session. (ie not just browsing .html pages)

