Nordin Kadir
Is there any way to limit concurrent connection in IIS7?

Hi all,
I'm new to IIS7. I was tasked to set up a simple Directory Browsing page using AD authentication. That was done successfully.
Now, the problem is, the same user is able to do multiple sign-ons to the page. Is there any way to avoid that and ensure a user is only able to log in once, and if they try to log in again, they need to close the first session?
I'm using IIS7 on Windows Server 2008 R2 Server.
Thanks in advance for all your help.
ASKER CERTIFIED SOLUTION
Dan McFadden
This solution is only available to members.
Nordin Kadir

ASKER

Thanks Dan for your reply.
If IIS7 by itself cannot manage multiple sessions for the same user, can you suggest what I should do or use (preferably free programming or tools) to control the login for directory browsing?
I have no recommendation other than to code an aspx page that performs similar functionality as the directory browsing feature function and code in the Authentication process and session management.

1. My question would be what it is that you are trying to accomplish by enabling directory browsing?
2. Why are you worried about containing 1 user to 1 http connection?

You could also WebDAV enable the directory and then mount the WebDAV path as a local drive.

Link:  http://www.yeehawup.com/2011/07/mapping-a-network-drive-to-webdav-share-in-windows-7/

But you will still see multiple logins from a single account.  It's just the nature of a stateless http connection.

Dan
To answer the question:
1. I'm running an SSIS process which will produce report files in a specific path. Therefore, the directory browsing will point to that path so that users will be able to grab the report and download it to their PC.
2. Company security policy does not allow multiple logins by the same user. It is also a compliance requirement with which we must comply.
Dan,
Can you show me if there exists an example somewhere of how to code the aspx for this purpose?
BTW, I'll try to study the WebDAV also.
OK, I understand the functionality for this... but why use a web site and not a share?  This eliminates the multiple logon issue.

In reference to your point #2... if you have a security policy that forbids multiple logons from a single account, then using IIS (over the HTTP(s) protocol) to deliver these reports, in the configuration that you currently have set up, would also be forbidden since you cannot prevent multiple logins from a single user without building an app to control access and contiguous sessions.

And you will need to verify in your compliance policy what constitutes a "multiple login from a single user."

1. does this login mean when a user must manually enter credentials?
2. does the combination of (for example) Windows and IE, which can pass/send the logged in user's credentials thru to a web application, violate the compliance policy?
3. does the policy indicate that multiple data connections are to be considered multiple logins?
3a. if so, this will cause issues everywhere in your network
3b. modern browsers open multiple data channels to web sites by default.  IE opens 3 and the setting is configurable (I use 10).
3c. BTW, a session is built after the authentication/authorization process has occurred.  multiple sessions/data channels do not necessarily constitute multiple logins.  * FTP Clients do the same thing *
3d.  if multiple sessions are considered multiple logins, every browser accessing any web site (internal or external) is in violation of this policy as well as probably many other applications
4. does this policy indicate the required level of security that something like a web application must implement?  SSL? Authentication?  Authorization? Logging? Auditing?

Unfortunately, it is not a simple solution to implement.

As for example code and how to code... that is a larger request.  There will also not be much in terms of "cut & paste" code.  Plus the code would have to comply with this compliance policy.  If we are talking HIPAA style compliance, you'll need a developer to build the functionality.  And someone to perform an audit to verify compliance.

Dan
I admit that with plain IIS for Directory Browsing, there's no way to control the multiple login sessions other than to set up a new web/app to control that.
Looking for another way.
Thanks Dan for your help.
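
The "app to control access and sessions" idea discussed in the thread, sketched as an ASP.NET HTTP module. This is an added example, not code posted by anyone in the thread. It assumes .NET 4 or later, the IIS7 integrated pipeline, Windows authentication and an HTTPS site; the names `SingleSessionModule` and `rpt_sid` and the 15-minute idle timeout are hypothetical.

```csharp
// Added example: one live session per authenticated account (names and timeout are assumptions).
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;

public class SingleSessionModule : IHttpModule
{
    private const string CookieName = "rpt_sid";                       // hypothetical cookie name
    private static readonly TimeSpan Idle = TimeSpan.FromMinutes(15);  // assumed policy value
    private sealed class Lease { public string Token; public DateTime LastSeenUtc; }
    private static readonly ConcurrentDictionary<string, Lease> Leases =
        new ConcurrentDictionary<string, Lease>(StringComparer.OrdinalIgnoreCase);

    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnAuthenticated; }
    public void Dispose() { }

    private static void OnAuthenticated(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return; // IIS sends the 401
        HttpCookie cookie = ctx.Request.Cookies[CookieName];
        string issued;
        if (!TryEnter(ctx.User.Identity.Name, cookie == null ? null : cookie.Value, DateTime.UtcNow, out issued))
        { ctx.Response.StatusCode = 403; ctx.ApplicationInstance.CompleteRequest(); return; }
        if (issued != null) // new session: bind it to this browser only
            ctx.Response.Cookies.Add(new HttpCookie(CookieName, issued) { HttpOnly = true, Secure = true });
    }

    // Keyed on account + session token, not on TCP connections, so a browser's parallel
    // data channels count as one login. HTTP has no logout event, so a lease ends by idling out.
    internal static bool TryEnter(string user, string presented, DateTime nowUtc, out string issued)
    {
        issued = null;
        Lease lease = Leases.GetOrAdd(user, _ => new Lease());
        lock (lease)
        {
            bool live = lease.Token != null && nowUtc - lease.LastSeenUtc < Idle;
            if (live && presented != lease.Token) return false; // second login while first is live
            if (!live)
            {
                byte[] raw = new byte[32];
                new RNGCryptoServiceProvider().GetBytes(raw);   // unguessable 256-bit token
                lease.Token = issued = BitConverter.ToString(raw).Replace("-", "");
            }
            lease.LastSeenUtc = nowUtc;
            return true;
        }
    }
}
```

Register the module under `system.webServer/modules` without the `managedHandler` precondition so it also runs for directory listings and static file downloads. The lease table lives in worker-process memory, so an application pool recycle clears it and a web garden would need a shared store instead.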