Solved

Session Problem

Posted on 2010-09-20
Last Modified: 2013-11-07
I am trying to develop a website using ASP.NET. There is a login page on this site. By logging in we can enter the website. Usually, by copying this URL and pasting it in another browser window, it will directly enter the site without any validation. How can I avoid this? What I need is to make it like a bank's website. If we do the same operation on a bank site, it will show you an error page. How do they handle this?
Question by:vivekpv10
21 Comments
 

Expert Comment

by:HugoHiasl
ID: 33715154
This only works for browser windows on the same machine because the session is maintained by a cookie. Do you need to make it impossible to have the same page open twice on the same machine?

Author Comment

by:vivekpv10
ID: 33715219
What I need is: if a user is logged in on a machine, I don't want to make it available in another browser window. It is for security reasons. There I want to show an error page. How can I do this using session? I want to make this session available to only one browser window at a time. I want to detect it and show an error page if he is trying to log in by just pasting the URL of the logged-in user.
 

Expert Comment

by:ikraammomin
ID: 33715287
Hi,

Please disable cookies in browser. For session management, don't use cookies, you can use url rewriting.

Thanks

Expert Comment

by:CyberSoft
ID: 33741933
If you open a new tab or a new browser window from the same browser the user is already logged into, the same session will be used - hence copying and pasting the URL in the new tab/window will mean the user is already logged in (shared session).

Some browsers like IE8 allow you to create a NEW session (see File -> New Session on the menubar).

HTH

Author Comment

by:vivekpv10
ID: 33744736
That is what I am asking. How can we avoid that?

Expert Comment

by:CyberSoft
ID: 33744938
You can't avoid that - that's how browser tabs and new windows from the same browser work. But why would you want to prevent that - it's the same user anyway?

Author Comment

by:vivekpv10
ID: 33750874
Hi CyberSoft, just try the same scenario on a bank site. You are not able to do that. So there is a solution for this issue.

Expert Comment

by:CyberSoft
ID: 33751569
Well, the only way you'll achieve that is by not storing the logged-in user's session, thereby making the application force a login on every page. Good luck selling that to the client. Besides, banks won't use web applications in-house besides internet banking facilities offered to their customers.

Author Comment

by:vivekpv10
ID: 33752465
But I think it is possible to process the URL so that we can identify whether it is coming from the login page or the URL was directly pasted.

Expert Comment

by:jet-black
ID: 33764065
You should use sessions.
When the user logs in, simply set a variable in session indicating the user state.
Then on every page load simply check this variable and redirect the user to the login page if it is necessary.
http://msdn.microsoft.com/en-us/library/ms972429.aspx

Expert Comment

by:Rajkumar Gs
ID: 33764075
Do you have this check in the Page_Load event?

if (!HttpContext.Current.User.Identity.IsAuthenticated) {
      return;
}

OR

if (!Request.IsAuthenticated) {
      return;
}

Raj

Expert Comment

by:Rajkumar Gs
ID: 33764084
Sorry, I mean this check

if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
    Response.Redirect("login.aspx");
}

OR

if (!Request.IsAuthenticated)
{
    Response.Redirect("login.aspx");
}

If not, put it in Page_Load and please check.

Raj

Expert Comment

by:jet-black
ID: 33764094
Also, you can allow the user to visit the site with only one browser at a time.
You need to store the user's ID, the date of last login, IP, browser version, browser name, etc. in a database.
On every page refresh, update the value of the last login date. By doing this, with, let's say, a max of 5 minutes of inactivity, access from another browser will be denied if the user didn't log out first.
0
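
One way to implement the single-active-login idea from the comment above, as an added example that is not code from the thread: the in-memory dictionary stands in for the database table, and SessionRegistry, TryLogin and Touch are hypothetical names. It tells separate browsers apart by their session IDs; tabs of one browser share the session cookie and look identical to the server.

```csharp
using System;
using System.Collections.Generic;
// Added example; SessionRegistry and its members are hypothetical names.
// The dictionary stands in for the database table the comment describes.
public sealed class SessionRegistry
{
    private sealed class Entry { public string SessionId; public string Browser; public DateTime LastSeenUtc; }
    private static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(5); // "max of 5 minutes" from the comment
    private readonly Dictionary<string, Entry> _byUser = new Dictionary<string, Entry>();

    // Login: refused while a different session for the same user is still active.
    public bool TryLogin(string userId, string sessionId, string browser, DateTime nowUtc)
    {
        lock (_byUser)
        {
            Entry e;
            bool live = _byUser.TryGetValue(userId, out e) && nowUtc - e.LastSeenUtc < IdleLimit;
            if (live && e.SessionId != sessionId) return false;
            _byUser[userId] = new Entry { SessionId = sessionId, Browser = browser, LastSeenUtc = nowUtc };
            return true;
        }
    }

    // Every page load: accept only the registered session, then refresh its timestamp.
    public bool Touch(string userId, string sessionId, string browser, DateTime nowUtc)
    {
        lock (_byUser)
        {
            Entry e;
            if (!_byUser.TryGetValue(userId, out e)) return false;
            bool same = e.SessionId == sessionId && e.Browser == browser;
            if (!same || nowUtc - e.LastSeenUtc >= IdleLimit) return false;
            e.LastSeenUtc = nowUtc;
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var reg = new SessionRegistry();
        var t0 = new DateTime(2010, 9, 20, 9, 0, 0, DateTimeKind.Utc); // constructed sample data
        Console.WriteLine(reg.TryLogin("user1", "sid-1", "IE8", t0));                   // first browser logs in
        Console.WriteLine(reg.TryLogin("user1", "sid-2", "Firefox", t0.AddMinutes(1))); // second browser, first still active
        Console.WriteLine(reg.Touch("user1", "sid-1", "IE8", t0.AddMinutes(2)));        // first browser keeps working
        Console.WriteLine(reg.TryLogin("user1", "sid-2", "Firefox", t0.AddMinutes(8))); // first browser idle past the limit
    }
}
```

In an ASP.NET page, TryLogin would be called from the login handler and Touch from Page_Load, passing Session.SessionID and Request.UserAgent.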
 

Expert Comment

by:vbturbo
ID: 33764185
Hello

I'm sure if this link here covers your entire question, but I will at least prevent copy / paste of entire strings


http://stackoverflow.com/questions/1226574/disable-copy-paste-into-html-form-using-javascript


To make use of this in order to disable pasting:

<input type="text" onpaste="return false;" />


// Register onpaste on inputs and textareas in browsers that don't
// natively support it.
(function () {
    var onload = window.onload;
 
    window.onload = function () {
        if (typeof onload == "function") {
            onload.apply(this, arguments);
        }
 
        var fields = [];
        var inputs = document.getElementsByTagName("input");
        var textareas = document.getElementsByTagName("textarea");
 
        for (var i = 0; i < inputs.length; i++) {
            fields.push(inputs[i]);
        }
 
        for (var i = 0; i < textareas.length; i++) {
            fields.push(textareas[i]);
        }
 
        for (var i = 0; i < fields.length; i++) {
            var field = fields[i];
 
            if (typeof field.onpaste != "function" && !!field.getAttribute("onpaste")) {
                field.onpaste = eval("(function () { " + field.getAttribute("onpaste") + " })");
            }
 
            if (typeof field.onpaste == "function") {
                var oninput = field.oninput;
 
                field.oninput = function () {
                    if (typeof oninput == "function") {
                        oninput.apply(this, arguments);
                    }
 
                    if (typeof this.previousValue == "undefined") {
                        this.previousValue = this.value;
                    }
 
                    var pasted = (Math.abs(this.previousValue.length - this.value.length) > 1 && this.value != "");
 
                    if (pasted && !this.onpaste.apply(this, arguments)) {
                        this.value = this.previousValue;
                    }
 
                    this.previousValue = this.value;
                };
 
                if (field.addEventListener) {
                    field.addEventListener("input", field.oninput, false);
                } else if (field.attachEvent) {
                    field.attachEvent("oninput", field.oninput);
                }
            }
        }
    }
})();

vbturbo

Expert Comment

by:vbturbo
ID: 33764188
Sorry, it should say

Hello

I'm not sure if this link here covers your entire question, but I will at least prevent copy / paste of entire strings

Accepted Solution

by:
Chinmay Patel earned 500 total points
ID: 33764884
Hi vivekpv10, 
Some really interesting answers I saw here and I can't stop .... leave it... some might get offended.
And @people who have really provided some good answers, I have no intention to hijack this thread, just putting in my 2 cents.
1. Experts who have mentioned that it is a default browser behavior are absolutely right; it is a curse that we have to live with.
2. You can try to check Request.UrlReferrer; if it is not the login page you can redirect the request to the home page, but this is not a foolproof solution.
Hope this helps.
Regards,
Chinmay




Expert Comment

by:vbturbo
ID: 33765623
vivekpv10:

Please disregard my comment, I just discovered that I am in the wrong thread.

vbturbo

Expert Comment

by:tedbilly
ID: 33766062
ASP.NET has a very powerful feature called "Form Based Authentication" that makes this trivial to do.  I can get a secure form based authentication site running in less than an hour.  Are you using it?

Author Closing Comment

by:vivekpv10
ID: 33775791
It's correct. Request.UrlReferrer is a way to overcome this issue.