In my ASP.NET application, with some Webex-like features, I have unauthenticated users who can join an interactive meeting via a URL, using an encrypted parameter that leads them to the correct meeting.
The URL is distributed via email. When the "participant" gets to the application and past the TOS acceptance, they enter a participant id string (name), which is verified for uniqueness (for the meeting).
I'm looking at one low-likelihood scenario where an unwanted person gets the URL and joins the meeting.
I've got a procedure that lists all the "participants" and provides a button to "remove" them. "Remove" deletes the participant's data records and causes that participant's window (on the next polling event) to redirect to a page that says "Your participation has been cancelled". I use window.location.replace so there's no immediate back button to get back into the session. If they do come back into the session, the next polling event (every few seconds) will redirect them out again on the basis of not finding a participant record.
Right now there's nothing preventing that person from reentering the URL and using a different participant id name. I don't want to make separate URLs per user; like Webex, the URLs could be emailed to anyone, and that list would be controlled external to the application.
I'm looking for suggestions on how I might prevent such users from reentering the meeting, for example by IP address?
Any thoughts on this would be appreciated, including "very difficult" or "not possible".
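The following is an added example, not the poster's code: an in-memory JavaScript model of the join / remove / poll flow described in the question, run once as described and once with the IP-address idea the question raises. The class, method names, participant names and addresses are all constructed for illustration; it shows that removal by name leaves nothing to refuse a rejoin, and that keying the refusal on address also refuses an invited participant who shares that address.

```javascript
// Added illustration: in-memory stand-in for the server-side participant records.
// Meeting, join, remove, poll and blockAddress are hypothetical names.
class Meeting {
  constructor({ blockAddress = false } = {}) {
    this.participants = new Map(); // participant id (name) -> client address
    this.blocked = new Set();      // addresses of removed participants
    this.blockAddress = blockAddress;
  }

  // Join after TOS acceptance: the name must be unique within the meeting.
  join(name, address) {
    if (this.blockAddress && this.blocked.has(address)) return "blocked";
    if (this.participants.has(name)) return "name-taken";
    this.participants.set(name, address);
    return "joined";
  }

  // "Remove" deletes the participant record; optionally remember the address.
  remove(name) {
    const address = this.participants.get(name);
    if (address === undefined) return false;
    this.participants.delete(name);
    if (this.blockAddress) this.blocked.add(address);
    return true;
  }

  // Polling event: a missing record means the client is redirected out.
  poll(name) {
    return this.participants.has(name) ? "ok" : "redirect-cancelled";
  }
}

// Constructed scenario: "guest1" is removed, then the same client returns as
// "guest2"; "carol" is an invited participant behind the same shared address.
function scenario(blockAddress) {
  const meeting = new Meeting({ blockAddress });
  const sharedAddress = "203.0.113.9"; // documentation-range address
  meeting.join("alice", "198.51.100.7");
  meeting.join("guest1", sharedAddress);
  meeting.remove("guest1");
  return {
    pollAfterRemove: meeting.poll("guest1"),
    rejoinNewName: meeting.join("guest2", sharedAddress),
    sameAddressInvitee: meeting.join("carol", sharedAddress),
  };
}
```
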