Solved

asp.net, deter unauthenticated "cancelled" users from reentering the application

Posted on 2014-12-21
Last Modified: 2015-01-06
In my asp.net application, with some Webex-like features,  I have unauthenticated users who can join an interactive meeting via a URL, using an encrypted parameter that leads them to the correct meeting.  

The URL is distributed via email.   When the "participant" gets to the application and past the TOS acceptance, they enter a participant id string (name), which is verified for uniqueness (for the meeting).

I'm looking at one low-likelihood scenario where an unwanted person gets the URL and joins the meeting.

I've got a procedure that lists all the "participants" and provides a button to "remove" them.  "Remove" deletes the participant's data records and causes that participant's window (on next polling event) to redirect to a page that says "Your participation has been cancelled".  I use window.location.replace so there's no immediate back button to get back into the session.  If they do come back into the session the next polling event (every few seconds) will redirect them out again on the basis of not finding a participant record.

Right now there's nothing preventing that person from reentering the URL and using a different participant id name.  I don't want to make separate URLs per user;  like Webex, the URLs could be emailed to anyone, and that list would be controlled external to the application.

I'm looking for suggestions on how I might prevent such users from reentering the meeting;  like IP address?

Any thoughts on this would be appreciated, including "very difficult" or "not possible".

Thanks!
Question by:codequest
4 Comments
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 200 total points
ID: 40512701
IP address is not really workable, as you would have to know each user's IP address, and this would preclude them from accessing the session from elsewhere, i.e. their laptop while on the road. For members of a domain, they will all most likely have the same IP address, and if you block 1 then you block all.

Since you have unique meeting IDs, and these meeting IDs can be generated in a way that they don't follow a sequence, then the meeting URL can be the same but the meeting ID would have to match the meeting URL.  It would take a lot of hit or miss attempts to join the meeting with a made up meeting ID.
 
LVL 2

Author Comment

by:codequest
ID: 40513528
Thanks for the response.  Let me chew on that for a bit.
 
LVL 13

Accepted Solution

by:AngryBinary
AngryBinary earned 300 total points
ID: 40513652
In cases like this, I think of police tape. It doesn't actually keep anyone from physically entering any area, but it does send a message, most people abide, and you handle any outliers as they come.

I don't think there is an airtight solution for client identification without the installation of a plugin, but what may be the best imperfect option is just to set a unique cookie value for each user. Obviously not secure, as a user who has a meeting URL can still easily rejoin by clearing their cookies or switching browsers, but this would cover the most typical scenario.
 
LVL 2

Author Comment

by:codequest
ID: 40513682
Thanks for the input.  Police tape is a great metaphor.  Setting cookie value sounds like a good technical solution.  I'll look into that and post back when I have some better understanding.
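The cookie marker suggested in the accepted answer, as an added example (not code from the thread or from the asker's application): each browser gets a random token cookie at first join, "Remove" records that token, and a later join from the same browser is refused even under a new participant name. `MeetingGate`, its in-memory collections, the meeting id `m1` and the participant names are hypothetical stand-ins for the application's tables and data; as the answer says, clearing cookies or switching browsers gets past it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical in-memory stand-in for the application's participant tables.
// Keys are "meetingId|name" and "meetingId|token"; meeting ids are server-generated.
public class MeetingGate
{
    private readonly Dictionary<string, string> _tokenByParticipant = new Dictionary<string, string>();
    // Tokens of removed participants; these outlive the deleted participant record.
    private readonly HashSet<string> _removed = new HashSet<string>();

    private static string NewToken()
    {
        var raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        return Convert.ToBase64String(raw); // 24 characters
    }

    // cookieValue: Request.Cookies[...] value for this meeting, or null if the browser sent none.
    // Returns the token to send back as an HttpOnly cookie, or null when the join is refused.
    public string Join(string meetingId, string name, string cookieValue)
    {
        // Reuse the browser's token so that a new participant name is not a new identity.
        bool usable = cookieValue != null && cookieValue.Length == 24;
        string token = usable ? cookieValue : NewToken();
        if (_removed.Contains(meetingId + "|" + token)) return null;
        _tokenByParticipant[meetingId + "|" + name] = token;
        return token;
    }

    // "Remove" button handler: delete the participant record, remember its browser token.
    public void Remove(string meetingId, string name)
    {
        string token;
        if (!_tokenByParticipant.TryGetValue(meetingId + "|" + name, out token)) return;
        _tokenByParticipant.Remove(meetingId + "|" + name);
        _removed.Add(meetingId + "|" + token);
    }

    public static void Main()
    {
        var gate = new MeetingGate();
        string cookie = gate.Join("m1", "guest", null);   // first visit: token issued
        gate.Remove("m1", "guest");
        Console.WriteLine("same browser, new name refused: " + (gate.Join("m1", "other", cookie) == null));
        Console.WriteLine("cleared cookies admitted: " + (gate.Join("m1", "other", null) != null));
    }
}
```

The cookie has to be set at join time and left in place on removal; the cancellation page must not clear it.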
