Is it possible to find out if another user is logged in on a website using ASP.NET Forms Authentication?
User A sends User B a message.
if User B is logged on to the website, a popup should occur.
if not, it will go to the usual notification page.
How can I go about implementing this scenario?
Well, if you have a list of "active sessions" in your database, it should know if a users login is currently valid, about to run out, or inactive. If you have a script that is polling for messages, if a message is sent and it cant send, then the message goes to inbox, or, it shows on a screen.
Normally some session variable will have been set with, for example, the logged in user id. Check if that exists, and if so, they're logged in.
I haven't used Formsauthentication myself though, so am unable to be exact.
I'm doing this through the forms login and global.asax. If someone successfully is logged in, I add his/her username and session id in a dictionary in a application value, which is global accessible. If I get a Session_end in global.asax, I remove this entry.
Related
I want to display the start page of my web application in one way if the visiting user is authenticated in the AD and another way if the user is not.
I am able to distinguish users by checking their username using this: HttpContext.Current.User.Identity.Name
However, this only works after the user has tried to access a secured page and I want to know this when a user visist the public start page. Any ideas of how this can be done?
If you don't have Authentication you can't know which user is it. So I guess you can set cookie/localStorage for the next time he will get to the page.
OR
What I think will be preferable when using AD, you can provide sub domain for those users, so each time someone is coming from this sub domain you will know he is AD user.
I've created a asp.net mvc4 web site. I've implemented Form authentication also.
In this web site i want to block access to my web site client in a same time (if a client of my website is already open his or her account in a computer then that client can not get any permission to open that same website on the same time in other computer or any other browser of the same system).
I want to provide one paid service to user, and I don't want him to just share his username and password with many people to use my service simultaneously without paying for it. please help me soon
How can I implement this. do i need to maintain some login information in database or is there any built in tool available for this.
To my knowledge there is nothing built in, but you may be able to implement your own version of the ASP.NET authorization providers.
Upon successful login you would need to store the value of the FormsAuthenticationTicket in your database and associate it to your user record.
On every page load you would need to check the value of the ticket against the database record for that user. In case of mismatch the user would be logged out.
Using this approach if User A and User B were using the same credentials, User A was logged in and if User B then logged in, it would invalidate User A's session and they would not be able to view content at the same time. You could also log the activity when a session is overridden, along with IP address and User Agent to help you identify users that are sharing account details.
This feature is not built in.
I would add an "IsLoggedIn" bit column to my "User" table. Then you could check this column to see if the user should be allowed in.
The problem is going to be knowing when that flag should be set to false. It's easy enough to set the flag to false if the user clicks "logout" or in the "on session end" event, but I think you'll run in to cases where that's not good enough. For example, if a user logs in from a laptop and the laptop's battery fails, you aren't going to get any notification from the client that the user has left...
I think David has already given most of the idea (+1) , However for problems like closing browser without logging out, You can handle it in window.unload() event for setting the flag in your table .
I would like to develop a functionality in ASP.Net , by which if one user is logined and if any other user is try to login with the same username,the very first user who is already login should get a message that another user is trying to login by your username something like this.Please guide me how can i do this.
Thanks.
I had this same exact requirement. I had to make sure that user ID's were logged in from just one device at a time. When a user ID tried to log in to another device while still logged in to an existing device, it killed the session on their existing device while allowing them to log-in to the new device. I wrote up a solution on my original post on Stack Overflow:
When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?
I have this historic site that is inertly broken and is in the process of being replaced. how ever until the replace site it ready I have to maintain this site.
the Issue is I have a site that needs to know the group code of the logged in user. for example I have two groups Group1 and Group2.
on the login page by default the is simply .../login.aspx and that will store in the session (group = Group1) and if if the use goes to the log in page with .../login.aspx?group=Group2 then they have Group2 stored in the session instead.
the reason for why this was done this way was before my time by it is a very complex login screen for authentication and is needed to set the site up for multiple session variable.
saying this it means that replacing the log in page is not an option at this stage.
what I need to a way that when the session times out the user is directed back to the correct variation of the login page and also to remember the page that they were on so they can be returned to this page.
minimum solution is to have them redirected back to the correct login version, the taking back to the page they were on after resigning is only a "would like" feature.
can anyone point me in the right direction on how to do this, the on Session end event doesn't seem to work as the session is gone at that point so nothing to compare against.
If you can edit the login page, have it store in a cookie group1 or group2 after the login is successful. When the login page loads, check to see if your group cookie is present. If there is one, you can then do redirect to the appropriate login URL.
But you do have SessionID. In a db or other store associate the SessionID with the group.
HttpSessionState.SessionID Property
I don't think you will be able to do this.
As you stated, in the Session_End event (presumably you are using InProc session for this event to be fired) - there is no session to figure out which group the user was in. Even if you could get the session variables, there is no HttpContext in the Session_End event, as it occurs on server, without an Http Request - so you wont be able to redirect.
This event could fire with the site sitting at a screen at which point, Forms Authentication will redirect back to the login screen, or could occur long after the user has closed the browser.
Edit - More information needed
Are you using InProc session and Forms Authentication for the application?
If so, one possible solution is to create an HttpModule that could run before FormsAuthentication would recognise that the Session/Auth Cookie in the request had expired and redirected back to sign in.
As Blam said - if you store the info in another data store - you can get at this from the HttpModule, and do a custom redirect from there.
Be warned that the HttpModule would run for every request, so any Db calls etc could be a performance drain.
I'm designing a website (ASP.NET, c#), in which you can see the controls, but you can only use them after you've logged in (for example, you can see a list of games, but you can only place a bet after you've logged in, so if you try to place a bet when you are not logged in, the site should redirect you to the login page).
All said, my problem is this: How can you tell, if a certain user is logged in, BEFORE he types in his credentials?
He his not a user yet right? For me he is just someone that is browsing my website.
If the user is logged in then Request.IsAuthenticated is true. When the request is authenticated, the User.Identity.Name property is set to the user's username. Before the user is authenticated there is no way to tell who the user is. You can, via some javascript code, find out what that person types into your Username textbox, but until the password is validated, you can't be sure it is that user.
You need to research cookies and query the database based on cookie settings.
If someone has not logged into your site ever before, there is no way to tell whether he/she is a a user. The most widely used authentication mechanism for ASP.NET is Forms authentication which returns an authentication cookie to the user's browser which subsequently accompanies all requests by that user so it can be used to track who that user is and that he is authenticated for the current session (also see "Understanding the Forms Authentication Ticket and Cookie").
You could use a separate, long lived cookie to just identify the user's name which then would be (usually) also available after the user has logged out. When that person visits your site you can at least use the name to remind him/her to log in.