
Author How to do single sign on function
榮少@公司

2005-08-15, 3:59 am

I need that when a user is logged in, his or her account is locked and no other
people can log in using this account.



Aaron Bertrand [SQL Server MVP]

2005-08-15, 8:59 am

How is a user authenticated? Using a database? So mark his row as
"LoggedIn" and if the same user tries to log in during that time, refuse
them.

The danger is, how do you "clean up" these LoggedIn values if the user
doesn't purposely log out, e.g. trips on his power cord, or lets his session
time out, navigates to another web site, or just closes his browser?





"榮少@公司" <榮少@整餅.私人公司> wrote in message
news:%23jBCgSVoFHA.3984@TK2MSFTNGP10.phx.gbl...
> I need that when a user is logged in, his or her account is locked and no other
> people can log in using this account.
>
>
>



榮少@公司

2005-08-17, 3:59 am

Yes Aaron

That's my concern now. I am using a database; however, I have no idea how to
"clean up" the field values if the user does not log out by the normal procedure....

Can I use session_onend in global.asa?
Or write some stored procedure or function inside SQL Server and run it
on a schedule?

Thanks

"Aaron Bertrand [SQL Server MVP]" <ten.xoc@dnartreb.noraa> wrote in message
news:%237z6KKZoFHA.1464@TK2MSFTNGP14.phx.gbl...
> How is a user authenticated? Using a database? So mark his row as
> "LoggedIn" and if the same user tries to log in during that time, refuse
> them.
>
> The danger is, how do you "clean up" these LoggedIn values if the user
> doesn't purposely log out, e.g. trips on his power cord, or lets his session
> time out, navigates to another web site, or just closes his browser?
>
>
>
>
>
> "榮少@公司" <榮少@整餅.私人公司> wrote in message
> news:%23jBCgSVoFHA.3984@TK2MSFTNGP10.phx.gbl...
>
>



AF

2005-08-17, 3:59 am

> That's my concern now. I am using a database; however, I have no idea how to
> "clean up" the field values if the user does not log out by the normal procedure....


> Can I use session_onend in global.asa?
> Or write some stored procedure or function inside SQL Server and run it
> on a schedule?


Hi there,

In addition to the 'is_loggedin' attribute, you can add a 'last_request' datetime
value. Each time the user sends a request to the server, this field is updated.

Regularly, for example every 20 minutes, simply run a background check to
detect who didn't send any request during the last timeout delay. You'll know
who didn't click the 'Logoff' button and if you've time enough to lose, you can
even send a tip "how to quit" to those users ; )

About the persistence mechanism... I suggested a database but you could
also store it in a simple Application wide variable, as this information is clearly
designed to be reset after an application start.

Antonio


PJones

2005-08-20, 6:55 pm

www.aspprotect.com

can do that... and it cleans up



"榮少@公司" <榮少@整餅.私人公司> wrote in message
news:%23jBCgSVoFHA.3984@TK2MSFTNGP10.phx.gbl...
> I need that when a user is logged in, his or her account is locked and no other
> people can log in using this account.
>
>
>



AF

2005-08-23, 3:55 am

> I need that when a user is logged in, his or her account is locked and no other
> people can log in using this account.


I forgot to mention : what you want is not called single sign on. SSO is the
mechanism which allows you to access resources located in different places
or under different systems through a single authentication process.

Example of a SSO mechanism:
- corporate user authenticates through AD/W2k login screen
- he/she has access to the collaborative intranet portal without
needing to log in a second time, although he's browsing the service
through his windows identity.

What you're looking for is a measure to prevent "session hijacking" or
attacks.

Hope it will help you if you try googling around ; )

Antonio



larrybud2002@yahoo.com

2005-08-23, 6:55 pm


榮少@公司 wrote:
> I need that when a user is logged in, his or her account is locked and no other
> people can log in using this account.


What I do on our intranet applications is keep the session ID of the
LAST logged in session for a particular ID in a database, and check to
see if it matches each time a page refreshes. If it doesn't match, I
redirect them to the login page.

So basically, whichever session logged in last wins, so a user
could go from terminal to terminal and still log in under his account.
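
The two approaches from the replies above (a logged-in marker with a last_request timestamp and a scheduled cleanup, and the stored session ID where the last login wins), combined in one added example that is not code from any poster. It uses Python with SQLite as stand-ins for ASP and SQL Server; the table, column and function names, the sample account and the timeout value are assumptions.

```python
import secrets
import sqlite3

TIMEOUT = 20 * 60  # assumed: seconds of silence before a login counts as abandoned

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY,"
               " session_id TEXT, last_request REAL)")
    db.execute("INSERT INTO users (name) VALUES ('alice')")  # constructed sample account
    return db

def login(db, name, now, takeover=False):
    """Return a new session ID, or None if the account is in use elsewhere.
    takeover=False refuses while another session is live (account locked);
    takeover=True lets the last login win and invalidates the older session."""
    sid = secrets.token_urlsafe(32)
    # One atomic UPDATE both checks and claims the row, so two simultaneous
    # logins cannot both pass a separate "is it free?" SELECT.
    cur = db.execute(
        "UPDATE users SET session_id = ?, last_request = ? WHERE name = ?"
        " AND (? OR session_id IS NULL OR last_request < ?)",
        (sid, now, name, int(takeover), now - TIMEOUT))
    db.commit()
    return sid if cur.rowcount == 1 else None

def touch(db, name, sid, now):
    """Call on every request; False means redirect to the login page."""
    cur = db.execute(
        "UPDATE users SET last_request = ? WHERE name = ?"
        " AND session_id = ? AND last_request >= ?",
        (now, name, sid, now - TIMEOUT))
    db.commit()
    return cur.rowcount == 1

def logout(db, name, sid):
    # Only the session that owns the row may release it.
    db.execute("UPDATE users SET session_id = NULL"
               " WHERE name = ? AND session_id = ?", (name, sid))
    db.commit()

def sweep(db, now):
    """Scheduled cleanup: release accounts whose sessions went silent."""
    cur = db.execute(
        "UPDATE users SET session_id = NULL"
        " WHERE session_id IS NOT NULL AND last_request < ?", (now - TIMEOUT,))
    db.commit()
    return cur.rowcount
```

Because login() already treats a row older than the timeout as free, a user who never logged out is not locked out even if the scheduled sweep has not run yet.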
