Solved

asp.net, deter unauthenticated "cancelled" users from reentering the application

Posted on 2014-12-21
4
100 Views
Last Modified: 2015-01-06
In my asp.net application, with some Webex-like features,  I have unauthenticated users who can join an interactive meeting via a URL, using an encrypted parameter that leads them to the correct meeting.  

The URL is distributed via email.   When the "participant" gets to the application and past the TOS acceptance, they enter a participant id string (name), which is verified for uniqueness (for the meeting).

I'm looking at one low-likelihood scenario where an unwanted person gets the URL and joins the meeting.

I've got a procedure that lists all the "participants" and provides a button to "remove" them.  "Remove" deletes the participant's data records and causes that participant's window (on next polling event) to redirect to a page that says "Your participation has been cancelled".  I uses window.location.replace so there's no immediate back button to get back into the session.  If they do come back into the session the next polling event (every few seconds) will redirect them out again on the basis of not finding an participant record.

Right now there's nothing preventing that person from reentering the URL and using a different participant id name.  I don't want to make separate URLs per user;  like Webex, the URLs could be emailed to anyone, and that list would be controlled external to the application.

I'm looking for suggestions on how I might prevent such users from reentering the meeting;  like IP address?

Any thoughts on this would be appreciated, including "very difficult" or "not possible".

Thanks!
0
Comment
Question by:codequest
  • 2
4 Comments
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 200 total points
ID: 40512701
IP address is not really workable as you would have to know each users ip address and this would preclude them from accessing the session from elsewhere i.e. their laptop while on the road. for members of a domain they will all most likely have the same ip address and if you block 1 then you block all.

Since you have unique meeting id's and these meeting id's can be generated in a way that they don't follow a sequence then the meeting url can be the same but the meeting id would have to match the meeting url.  It would take a lot of hit or miss attempts to join the meeting with a made up meeting id.
0
 
LVL 2

Author Comment

by:codequest
ID: 40513528
Thanks for the response.  Let me chew on that for a bit.
0
 
LVL 13

Accepted Solution

by:
AngryBinary earned 300 total points
ID: 40513652
In cases like this, I think of police tape. It doesn't actually keep anyone from physically entering any area, but it does send a message, most people abide, and you handle any outliers as they come.

I don't think there is an airtight solution for client identification without the installation of a plugin, but what may be the best imperfect option is just to set a unique cookie value for each user. Obviously not secure, as a user who has a meeting URL can still easily rejoin by clearing their cookies or switching browsers, but this would cover the most typical scenario.
0
 
LVL 2

Author Comment

by:codequest
ID: 40513682
Thanks for the input.  Police tape is a great metaphor.  Setting cookie value sounds like a good technical solution.  I'll look into that and post back when I have some better understanding.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Just a quick little trick I learned recently.  Now that I'm using jQuery with abandon in my asp.net applications, I have grown tired of the following syntax:      (CODE) I suppose it just offends my sense of decency to put inline VBScript on a…
In an ASP.NET application, I faced some technical problems. In this article, I list them out and show the solutions that I found.  I hope it will be useful. Problem: After closing a pop-up window, the parent page should be refreshed automaticall…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question