[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

asp.net, deter unauthenticated "cancelled" users from reentering the application

Posted on 2014-12-21
4
Medium Priority
?
108 Views
Last Modified: 2015-01-06
In my asp.net application, with some Webex-like features,  I have unauthenticated users who can join an interactive meeting via a URL, using an encrypted parameter that leads them to the correct meeting.  

The URL is distributed via email.   When the "participant" gets to the application and past the TOS acceptance, they enter a participant id string (name), which is verified for uniqueness (for the meeting).

I'm looking at one low-likelihood scenario where an unwanted person gets the URL and joins the meeting.

I've got a procedure that lists all the "participants" and provides a button to "remove" them.  "Remove" deletes the participant's data records and causes that participant's window (on next polling event) to redirect to a page that says "Your participation has been cancelled".  I uses window.location.replace so there's no immediate back button to get back into the session.  If they do come back into the session the next polling event (every few seconds) will redirect them out again on the basis of not finding an participant record.

Right now there's nothing preventing that person from reentering the URL and using a different participant id name.  I don't want to make separate URLs per user;  like Webex, the URLs could be emailed to anyone, and that list would be controlled external to the application.

I'm looking for suggestions on how I might prevent such users from reentering the meeting;  like IP address?

Any thoughts on this would be appreciated, including "very difficult" or "not possible".

Thanks!
0
Comment
Question by:codequest
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 800 total points
ID: 40512701
IP address is not really workable as you would have to know each users ip address and this would preclude them from accessing the session from elsewhere i.e. their laptop while on the road. for members of a domain they will all most likely have the same ip address and if you block 1 then you block all.

Since you have unique meeting id's and these meeting id's can be generated in a way that they don't follow a sequence then the meeting url can be the same but the meeting id would have to match the meeting url.  It would take a lot of hit or miss attempts to join the meeting with a made up meeting id.
0
 
LVL 2

Author Comment

by:codequest
ID: 40513528
Thanks for the response.  Let me chew on that for a bit.
0
 
LVL 13

Accepted Solution

by:
AngryBinary earned 1200 total points
ID: 40513652
In cases like this, I think of police tape. It doesn't actually keep anyone from physically entering any area, but it does send a message, most people abide, and you handle any outliers as they come.

I don't think there is an airtight solution for client identification without the installation of a plugin, but what may be the best imperfect option is just to set a unique cookie value for each user. Obviously not secure, as a user who has a meeting URL can still easily rejoin by clearing their cookies or switching browsers, but this would cover the most typical scenario.
0
 
LVL 2

Author Comment

by:codequest
ID: 40513682
Thanks for the input.  Police tape is a great metaphor.  Setting cookie value sounds like a good technical solution.  I'll look into that and post back when I have some better understanding.
0

Featured Post

Tech or Treat!

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently went through the process of creating a Calendar Control of events with the basis of using a database to keep track of the dates that are selectable, one requirement was to have the selected date pop-up in a simple lightbox.  At first this…
Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question