Situation:
I'm creating some kind of website that let users comment and like on posts. There are two types of users, users with user name and password (type 1) and guest (type 2).
For type 1, data will be stored with the keys are their login credentials. By this an user can't like a content multiple times (next time, loading the page, they will see the "Unlike" button)
Type 2, I'm using IP for differentiate between users. But, IP is changeable by time (since normally, IPs are dynamic).
Notes: Needed to be implementable with C#, ASP .Net.
I can't use session variable, because it will be destroyed after closing the browser.
About cookie, cookie is nowadays so easy to be deleted, this will be my worst way for implementing (in case there is no other).
Question:
Is there any ways to generate unique id for a client (a PC/smart device), so first time if you use a PC to view the post X on page, you like it, next time (even after you close your browser) page can identify you then change button to "Unlike".
There is no reliable way to do this. For example, what if a user opens the site on his laptop, then his mobile, then his tablet? You cannot prevent each of those devices being registered as a different guest. The only solution is to make people log in and only allow read access to anonymous guests.
There are two ways of handling this.A) Get the Unique Device Identifier (UDID) and store it on your server.
B) Generate a Universally Unique Identifier (UUID) and store it on both the device and your server.
With the first method, you don't store a UUID on the device, so you both save space (bytes worth of data, but still) an the user can't change the ID without reinstalling the OS. But, it would be highly platform dependent.
With the second method, you use the System.Guid.newGuid() method and save the resulting UUID to a cookie on the browser.
Then you either read the data off the cookie or get device UDID and compare it to your database.
But, this wouldn't keep the user from accessing the website from different devices. The best method would be to ask the user to sign in (But PLEASE be careful with password security as people generally use the same password across services).
Hope I helped :)
Related
I have list of products in the database that I show in the GridView. Each row in the Grid has a text box and Button along with Name and description of the product. The button is used to send the comment for that specific button. Everything works fine now I want to limit the comment once per session. So a user will be able to send comment for a product and then button will be disabled. Now the products count can be 10 or 1000. What will be the best and efficient approach to achieve this. Should I save the product id and session id in the Session or in database or there can be some other easy way.
I haven't mentioned any code because I am just asking for best possible way to achieve the task.
let's understand the meaning of your suggestions:
using a session:
you are opening a session key at your server and map a list of id's which already had commented. you can match a specific product against this session and determine if the product can be commented or not.
pros: very elegant and easy to maintence solution
cons: a user which request your website (say from another browser) will be able to comment product since the session is per connection and not per user
using a database:
same as session, only the data is durable because it is stored by the database.
pros: full control whenever users are able to comment a product or not
cons: must identify each user with unique key (like id) and store that information in the db as well
other alternatives:
cookie on client side - setting up a cookie that will store the information. pros: each machine saves it's own cookies (not the server) cons: each cookie need to identify the user (or else several users on the same machine will be blocked). cookies can be cleaned
local storage on client side - same as cookie for that matter
so it semms you will need to work for it a little bit.. or else the functionallity will be problematic in some scenarios
I have to implement advanced login mechanism in my ASP.NET MVC web site that is: users should be logged in with username and password only from one machine (the one that was used when the first time registered and logged in the application).
I was thinking about getting the client Hard Drive serial number ? Is this possible?
If not, can someone suggest me a solution to this problem.
Thanks in advance,
Igor
I don't think you can access unique PC identifiers, other than your browser. Check panopticlick browser uniqueness research.
Aside from that, I don't get the requirement to limit website access to the first used machine. It is not uncommon to used different devices these days (desktop, laptop, tablet, phone)
Even if it were possible, limiting your user to only using the machine they first logged in with would be a really bad design decision. What happens if their computer fails, and they need to get a new one, or replace some hardware? Remember when Microsoft Office used to make you re-activate every time you made a change to your computer's hardware? No one wants that. Aside from that, users use a wide variety of devices... a desktop at home, a laptop at a cafe, an iPhone on the road.
Using javascript, it is more or less possible to uniquely identify a browser, but that still would be subject to change, and the eventual locking out of legitimate users.
If you want to make sure a user is looged in on one device at a time that's a much more reasonable requirement. All you'd have to do in that case (I'm over simplifying a bit) is maintain a table of currently logged in users, and then reject subsequent login attempts for that user if they're already logged in.
I have webservice which uses ASMX webmethod etc (I know, outdated), it is used to supply mobile devices with data for their apps.
Right now, users can login on any device at any time, as many times as they want. To make this product compatible with a new licensing model, we want to restrict users in logging in to multiple devices.
A user should only be able to be logged in at one device at a time.
I thought of the following solution: save the mobile device identifier last used in a request, and the time of the request in the database. If a user tries to login (within ~10 minutes) from another mobile device identifier -> login fails.
My problem: in which method do I put this code. I want to prevent duplicate code as much as possible.
I have 4 .asmx files with API's, I could put the code in the constructors of all the classes, but I'd rather not. Is there not some "Request_Start" that already has access to GET/POST parameters?
Please refer to:
When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?
I understand you're asking about ASMX, but I believe this will be a good starting point for you.
I had this same exact requirement, and came up with a pretty slick solution, demonstrated in the link above. In a nutshell, my requirement was to only have one user log-in happening at one time. If that same user ID tried to log in elsewhere, then it killed the session for the first log-in by checking for an existing log-in under a different Session ID (this enabled the user ID to be logged in from multiple instances of their web browser on their computer [same Session ID], which is common, but not from a different computer [different Session ID] (possibly due to someone that stole their credentials, for example)). Through modification of the code you could probably change the behavior of this - i.e., prevent the second log-in attempt instead of killing the first log-in that's already active and in use.
Of course, it may not fit 100% to what you're needing, so feel free to modify it to fit your needs.
I have developed application which supports trial mode. But now I need let some users to get full via activation code. Scenario is user downloads trial application and he can enter activation code for the app and then user can use full features of the app.
Can anyone please suggest me a way to do this.
You need to think about how you will authenticate the code - I'm guessing that you don't want them to authenticate the code via the store so you will have to provide some backend service to do this.
The service will obviously require the activation code to be sent to it (you should store this in the remotesettings), and you might perhaps want a device unique ID sent to - you can use the unique id for this.
Your service should then validate how many times it has seen the code, and if it's happy it should hash the code, the device ID, and a secret shared with your application - this will need to be embedded inside your app code.
For additional privacy for the user I would advice hashing the device unique ID with the shared secret before sending it to the server.
You need to store the returned activation code inside your app - and there isn't a lot of choice - I would personally store this code in the LocalSettings area.
Now on startup you need to verify that the stored activation code is valid. If you have an internet connection then you can do this by asking the service if the code is valid, but you must make an arrangement for offline checking. This is simple enough as the activation code, plus the hashed device ID hashed against the shared secret should equal the stored activation code - depending on your type of application you might want to only allow 5 activations this way before requiring internet access (pick a high number as this could really annoy users)
Finally you need to consider users that have multiple devices - according to the store you can have 5 installs of the same application, for the same users, across different devices. To accommodate this we have stored the activation code in remotesettings, so on startup check if the code exists, and if it does automatically send the code and the device id to your service for activation.
The only other thing you need to consider is how on earth do you secure the shared secret in your application? Unfortunately there aren't many options for this. It really depends on how secure your app need to be. If you are totally paranoid then obfuscate your code, but this just buys time. If you need more than that then I suggest you send the device code, hashed with a cryptographically random nonce to your service, this will return back what you sent, but hashed with the secret. Unfortunately this will make offline validation of the activation token impossible, so you will have to build in a grace period where internet connection is not required.
Or you could use in app purchases.
I've next problem:
I need create unique user key based on user's information what I can receive from user's request to my web-page (ASP.NET).
I'll use this key for auto-login functionality (I know about cookie ^^)
What kind of information I can use?
Can anybody help me?
If you are creating the key yourself then use one of .NET's integral types (int or long tend to be the most commonly used) or a Guid.
If you are using user-supplied data then use something like an email address that is unique to the user.
A good idea would be to concatenate some text part from the user's information (eg: name) with an autoincremented number. This way the key would be alphanumeric and at the same time unique.
The question is not clear, imho. What is the environment of your site (intranet/Internet, open/closed registration etc.)?
Do you need to just "recognize" a user who comes back to your site after some time?
In this case, cookie with a GUID is probably just fine.
Or do you want to "recognize" users (from a previously known list) without them typing anything at all?
Then, a proper solution is to use either integrated authentication (provided that the users are in the domain, that is, your site must be intranet-only) or HTTPS with client authentication using SSL certificates (works for Internet as well).