Solved

asp.net, deter unauthenticated "cancelled" users from reentering the application

Posted on 2014-12-21
Last Modified: 2015-01-06
In my asp.net application, with some Webex-like features,  I have unauthenticated users who can join an interactive meeting via a URL, using an encrypted parameter that leads them to the correct meeting.  

The URL is distributed via email.   When the "participant" gets to the application and past the TOS acceptance, they enter a participant id string (name), which is verified for uniqueness (for the meeting).

I'm looking at one low-likelihood scenario where an unwanted person gets the URL and joins the meeting.

I've got a procedure that lists all the "participants" and provides a button to "remove" them.  "Remove" deletes the participant's data records and causes that participant's window (on next polling event) to redirect to a page that says "Your participation has been cancelled".  I use window.location.replace so there's no immediate back button to get back into the session.  If they do come back into the session the next polling event (every few seconds) will redirect them out again on the basis of not finding a participant record.

Right now there's nothing preventing that person from reentering the URL and using a different participant id name.  I don't want to make separate URLs per user;  like Webex, the URLs could be emailed to anyone, and that list would be controlled external to the application.

I'm looking for suggestions on how I might prevent such users from reentering the meeting;  like IP address?

Any thoughts on this would be appreciated, including "very difficult" or "not possible".

Thanks!
Question by:codequest
4 Comments
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 800 total points
ID: 40512701
IP address is not really workable, as you would have to know each user's IP address, and this would preclude them from accessing the session from elsewhere, i.e. their laptop while on the road. For members of a domain, they will all most likely have the same IP address, and if you block 1 then you block all.

Since you have unique meeting IDs, and these meeting IDs can be generated in a way that they don't follow a sequence, then the meeting URL can be the same but the meeting ID would have to match the meeting URL.  It would take a lot of hit-or-miss attempts to join the meeting with a made-up meeting ID.
0
 
LVL 2

Author Comment

by:codequest
ID: 40513528
Thanks for the response.  Let me chew on that for a bit.
0
 
LVL 13

Accepted Solution

by:
AngryBinary earned 1200 total points
ID: 40513652
In cases like this, I think of police tape. It doesn't actually keep anyone from physically entering any area, but it does send a message, most people abide, and you handle any outliers as they come.

I don't think there is an airtight solution for client identification without the installation of a plugin, but what may be the best imperfect option is just to set a unique cookie value for each user. Obviously not secure, as a user who has a meeting URL can still easily rejoin by clearing their cookies or switching browsers, but this would cover the most typical scenario.
0
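The cookie approach from the accepted answer, wired to the "Remove" button and polling check described in the question, as an added C# example that is not code from the thread. `MeetingRoster` and its members are hypothetical names, the in-memory collections stand in for the application's participant records, and the token is assumed to travel in an HttpOnly cookie scoped to the meeting.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not code from the thread; all names here are hypothetical.
public class MeetingRoster   // one instance per meeting; not thread-safe
{
    private readonly Dictionary<string, string> _tokenByName = new Dictionary<string, string>();
    private readonly HashSet<string> _removedTokens = new HashSet<string>();

    // Cookie value for a visitor who arrives at the meeting URL without one.
    public static string NewBrowserToken()
    {
        var raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        return BitConverter.ToString(raw).Replace("-", "");
    }
    // Join: refuse a token that was removed from this meeting, then enforce unique names.
    public bool TryJoin(string name, string browserToken)
    {
        if (string.IsNullOrEmpty(browserToken) || _removedTokens.Contains(browserToken)) return false;
        if (_tokenByName.ContainsKey(name)) return false;
        _tokenByName[name] = browserToken;
        return true;
    }
    // "Remove" button: remember the browser token, then delete the participant record.
    public void Remove(string name)
    {
        string token;
        if (_tokenByName.TryGetValue(name, out token)) _removedTokens.Add(token);
        _tokenByName.Remove(name);
    }
    // Polling check: false means redirect the window to the "cancelled" page.
    public bool IsActive(string name, string browserToken)
    {
        string token;
        return _tokenByName.TryGetValue(name, out token) && token == browserToken;
    }

    public static void Main()
    {
        var roster = new MeetingRoster();
        string cookie = NewBrowserToken();   // constructed sample visitor
        Console.WriteLine(roster.TryJoin("guest1", cookie));            // first join
        roster.Remove("guest1");
        Console.WriteLine(roster.IsActive("guest1", cookie));           // next poll after removal
        Console.WriteLine(roster.TryJoin("guest2", cookie));            // same browser, new name
        Console.WriteLine(roster.TryJoin("guest2", NewBrowserToken())); // cookies cleared
    }
}
```

The last call is the gap the answer names: a browser that presents no cookie is issued a fresh token and is admitted again.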
 
LVL 2

Author Comment

by:codequest
ID: 40513682
Thanks for the input.  Police tape is a great metaphor.  Setting cookie value sounds like a good technical solution.  I'll look into that and post back when I have some better understanding.
0
