[thelist] ASP Limit Logins

Matt Warden mwarden at gmail.com
Thu Sep 15 18:03:39 CDT 2005


Mark A. MacInnes wrote:
> Hello,
> 
> I work for an information company that provides high-quality information
> to its subscribers. To get access to this information, they have to
> login. However, we have been experiencing some problems with subscribers
> sharing their details between colleagues so more than one person logs
> into the website using one account. We want to stop this and ensure that
> only one person uses the account at any one time. The account will be
> marked as Currently Active when someone has logged in and we will use a
> Cookie on the correctly logged in user's computer to ensure we don't
> tell him. However, when that user stops using the site and doesn't
> log out properly, what is the best way to mark the account as Inactive?
> We can't wait for the cookie to die as that will stop the user from
> using another computer. Any suggestions?
> 
> By the way, the site runs on ASP with MS SQL.

Store in the cookie a unique id. Store this value also in the
database. With every request, do not only check that the cookie
exists, but check to see if the unique id in the cookie matches that
currently in the database for that user.

Each time a user with that username/pass logs in, update the key in
the database to the one you are storing in this user's cookie (this
will effectively expire the old key).

You could also add in IP checking as another layer, in case you are
afraid of the cookie being spoofed among those who are sharing
username/login info.

hth,

--
Matt Warden
Miami University
Oxford, OH, USA
http://mattwarden.com


This email proudly and graciously contributes to entropy.
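
The scheme described in the reply above, as an added example that is not part of the original message. It is written in Python with an in-memory SQLite table standing in for the site's ASP and MS SQL stack; the function names, table layout and sample account are assumptions.

```python
import hmac
import secrets
import sqlite3

# Assumption: an in-memory SQLite table stands in for the site's MS SQL users table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
           "session_key TEXT, session_ip TEXT)")
# Constructed sample account; a real site stores a salted password hash, not plaintext.
db.execute("INSERT INTO users VALUES ('alice', 'correct horse', NULL, NULL)")


def login(username, password, client_ip):
    """Check credentials, rotate the stored key, return the value for the cookie."""
    row = db.execute("SELECT password FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    key = secrets.token_urlsafe(32)  # unguessable unique id
    # Overwriting the stored key is what expires any earlier session.
    db.execute("UPDATE users SET session_key = ?, session_ip = ? WHERE username = ?",
               (key, client_ip, username))
    return key


def request_allowed(username, cookie_key, client_ip, check_ip=False):
    """Per-request check: the cookie's key must match the one in the database."""
    row = db.execute("SELECT session_key, session_ip FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or row[0] is None or not cookie_key:
        return False
    if not hmac.compare_digest(row[0].encode(), cookie_key.encode()):
        return False  # a newer login replaced this key
    # Optional IP layer from the reply; it rejects users whose address changes mid-session.
    return (not check_ip) or row[1] == client_ip


def logout(username, cookie_key):
    """Explicit logout clears the key, but nothing depends on it being called."""
    db.execute("UPDATE users SET session_key = NULL WHERE username = ? "
               "AND session_key = ?", (username, cookie_key))
```

Because each login overwrites the stored key, an abandoned session never has to be marked Inactive: it stops validating as soon as the same account logs in elsewhere.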

