1

The Setup:

Account controller with the typical logon / logoff stuff that comes baked in from the template. Not much modification here on the logon page. Using a custom membership provider (SQL), but I don't think that is impacting what I am trying to do here.

The Requirements:

The client wants to handle licensing by limiting concurrent users and not by total users. So, after referencing this post here, I set out to make this work for what I need to do. And that is to track maximum and current users for each organization that has signed up for our application. No problem, just have an application("max") and application("current") which are both hashtables with the key being the organization id and the value being current or max users for the organization. On Session_Start, I would increment the current users, check if it exceeds max and either a) redirect to an error page or b) let them go on with what they need to do. On Session_End, I would decrement the count.

The Problem:

When using formsService.signIn, what is actually stored in session? I cannot seem to gather any information about my session in the session_start except for the session ID. So, I cannot increment the correct number for user tracking. And I cannot add a variable to session as session_start will have already fired before I get the opportunity.

2
  • IMO, it's almost impossible to find the concurrent users of a website. Once a page is loaded a webserver doesn't have any indication that the user is still on the website. Commented Jul 27, 2010 at 13:45
  • You know, I am of that mindset as well and put up a pretty good argument against it (cannot be sure of correct counts, prevent ppl from doing work even if they have an account, etc) but at the end of the day, I don't pay my own invoices :/ Commented Jul 27, 2010 at 14:10

1 Answer

1

The notion that session is somehow connected with authentication is a myth. They are entirely independent of each other. Session can even be shared between multiple users if they happen to share their session key; that's why you never put security-sensitive info in session. Session can also expire while you're logged in. Likewise, your session is still active after logout unless you explicitly abandon it.

Session is more like a user-specific cache.

So you need to accept this fact and adapt to it. Look and see if the current user is authenticated during session start. You'll need to increment during logon as well, since the session will have already started. Etc.


1 Comment

Yeah, just kind of figured that out. I have moved to keeping a 'temporary' table in the DB that tracks current and max for each organization and tied the increment/decrement to the login/logout actions within the repository. Can do my checks right from those actions and not have to worry about all the fun implications of sessions. I just always assumed that when you logged in, you had a session that said who you were. Wouldn't be doing my job if I didn't learn something every day! Thx.
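
The logon/logoff counting that the answer recommends and the comment settled on, as an added example (not code from the posts): a hypothetical in-memory `SeatTracker` that performs the limit check and the increment under one lock, so two simultaneous logons cannot both take the last seat, and that reclaims seats from users who never log off. It assumes a single worker process; the class, its method names and the idle timeout are assumptions, and a database-backed version would do the same check and update inside one transaction.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper: one seat per signed-in user, counted per organization.
public sealed class SeatTracker
{
    private readonly object _gate = new object();
    private readonly TimeSpan _idleTimeout;
    // orgId -> (userName -> last time an authenticated request was seen)
    private readonly Dictionary<int, Dictionary<string, DateTime>> _seats =
        new Dictionary<int, Dictionary<string, DateTime>>();

    public SeatTracker(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }

    // Call from the logon action after credentials validate, before signing the user in.
    public bool TryAcquire(int orgId, string userName, int maxSeats, DateTime nowUtc)
    {
        lock (_gate) // the limit check and the increment must be one atomic step
        {
            if (!_seats.TryGetValue(orgId, out var org))
                _seats[orgId] = org = new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
            // Reclaim seats from users who closed the browser without logging off.
            foreach (var stale in org.Where(s => nowUtc - s.Value > _idleTimeout).Select(s => s.Key).ToList())
                org.Remove(stale);
            if (!org.ContainsKey(userName) && org.Count >= maxSeats)
                return false;       // over the limit: do not sign the user in
            org[userName] = nowUtc; // a repeat logon by the same user reuses their seat
            return true;
        }
    }

    // Call on each authenticated request; false means the seat was reclaimed and the user must log on again.
    public bool Touch(int orgId, string userName, DateTime nowUtc)
    {
        lock (_gate)
        {
            if (!_seats.TryGetValue(orgId, out var org) || !org.ContainsKey(userName)) return false;
            org[userName] = nowUtc;
            return true;
        }
    }

    // Call from the logoff action.
    public void Release(int orgId, string userName)
    {
        lock (_gate) { if (_seats.TryGetValue(orgId, out var org)) org.Remove(userName); }
    }
}
```

Setting the idle timeout to the forms-authentication ticket timeout keeps the seat count in step with who can still make authenticated requests.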
