3

I have a need to be able to identify one system from another in ASP.Net using anything available in HttpContext. I've attempted to use many of the ServerVariables available, but often the systems are configured from a drive built off of an image. So, because of the firewall their IP address is the same and all of their ServerVariables (browseragent, logonuser) are the same, I need to find something else that will tell different machines apart. Since the site is secured with forms authentication, Windows Integrated Authentication must be turned off (otherwise I'd have access to different Logon_User values).

I'm not married to HttpContext, but it seems to me the only way to use code to retrieve identifiable user information.

EDIT/UPDATE:

@Robert Harvey provided a couple of search links that brought up a lot of results, most of which don't fit my bill for one reason or another (although there are still a couple of great ideas in there that I hadn't thought of before). Primarily I need to be able to identify if someone has switched machines behind a firewall. So I'll provide some code structure details that will shed some light on why certain things don't work for me.

  1. Sessions/Cookies are persistent until midnight (decision made way over my head, I live with it)
  2. The authenticated user does not use a MembershipUser class. (even if it did, MembershipUser.IsOnline would offer me nothing more than a previously logged in user)
  3. Users are known to delete cookies or close browsers without logging off
  4. I need some criteria that can tell one machine from another not necessarily to prevent concurrent logins, but at least to identify them.
Joel Etherton
  • Seems to me like you could drop a cookie with a GUID on the machine the first time the user accesses the site from that machine. Of course, the user can always delete cookies. What sort of functionality does this identification enable? – Robert Harvey Jul 13 '10 at 14:39
  • What do you mean by 'footprint'? – PhilPursglove Jul 13 '10 at 14:42
  • @Robert Harvey - presumably it would prevent a single user from using multiple machines to login to the site simultaneously, and it would also help identify when a user has switched machines if there is still an active session available. – Joel Etherton Jul 13 '10 at 14:42
  • @PhilPursglove - Identifying some basic common characteristic of a machine that could be attached to a user authentication. User X logs on with PC Y. User X then logs into PC Z. I need to identify this state. Currently if 2 machines have the same configuration and are behind a firewall, they look identical to the server. – Joel Etherton Jul 13 '10 at 14:44
  • SO has [many answers to the "single user login" question.](http://www.google.com/search?hl=en&source=hp&q=prevent+user+from+logging+in+multiple+machines+asp.net+site%3Astackoverflow.com) – Robert Harvey Jul 13 '10 at 14:45
  • @Robert Harvey - I looked on google and SO and found nothing. Likely my search criteria are using the wrong words. If you have link suggestions, I'm ready to read anything put forth. – Joel Etherton Jul 13 '10 at 14:46
  • See here: http://www.google.com/search?hl=en&source=hp&q=prevent+user+from+logging+in+multiple+machines+asp.net+site%3Astackoverflow.com – Robert Harvey Jul 13 '10 at 14:46
  • Does a firewall mask the `HttpRequest.UserHostName` property also? – PhilPursglove Jul 13 '10 at 14:57
  • @PhilPursglove - it doesn't filter it, but in many cases it simply returns the IP address. – Joel Etherton Jul 13 '10 at 15:05

2 Answers

0

Generate a GUID when they log in and store it in a cookie and against the user record in the database.

Compare this on each request; if it doesn't match, you have a concurrent login.

To be clear, this cookie is a session cookie like forms authentication; if they delete it, they will get logged out anyway.

bleevo
  • This doesn't address the identification of the machine itself. This solution would treat each login as a separate machine login. My question specifically requires that the machine be identified. – Joel Etherton Jul 18 '10 at 02:00
  • If the users are behind NAT this is impossible; to achieve what you are asking, it would have to also work if users used different browsers. Interesting question, I will think more. – bleevo Jul 18 '10 at 02:12
  • If you could simplify the problem some I could help. If you only want to track the same machine, same login, same browser, this can be done. Just have a page that returns a GUID and set the caching of this page to a year. Again, this isn't much different to a cookie, but it would persist until the user deleted their cache. Apart from that, or the same thing using a cookie, what you are asking is impossible. – bleevo Jul 18 '10 at 02:17
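
The per-login token check described in this answer, as an added example that is not part of the original answer or its comments. The names `LoginTokenStore`, `IssueAtLogin` and `Check` are hypothetical, the in-memory dictionary stands in for the user record in the database, and the token is built from cryptographically random bytes formatted as a GUID rather than taken from `Guid.NewGuid()`. As the first comment points out, this distinguishes logins, not physical machines.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added illustration; the in-memory dictionary stands in for the user table.
public enum LoginCheck { Ok, NoActiveLogin, SupersededByNewerLogin }

public sealed class LoginTokenStore
{
    // user name -> token issued at that user's most recent login
    private readonly ConcurrentDictionary<string, string> _current =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call at login: store the token against the user and return it for the cookie.
    public string IssueAtLogin(string userName)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);               // unpredictable token material
        string token = new Guid(bytes).ToString("N");
        _current[userName] = token;            // overwrites any earlier login's token
        return token;
    }

    // Call on each authenticated request with the value read from the cookie.
    // A deleted cookie arrives as null and is reported as a mismatch.
    public LoginCheck Check(string userName, string cookieToken)
    {
        string stored;
        if (!_current.TryGetValue(userName, out stored))
            return LoginCheck.NoActiveLogin;
        return string.Equals(stored, cookieToken, StringComparison.Ordinal)
            ? LoginCheck.Ok
            : LoginCheck.SupersededByNewerLogin;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new LoginTokenStore();
        string pcY = store.IssueAtLogin("userX");     // constructed: login from PC Y
        Console.WriteLine(store.Check("userX", pcY)); // Ok
        string pcZ = store.IssueAtLogin("userX");     // same account, login from PC Z
        Console.WriteLine(store.Check("userX", pcY)); // PC Y's cookie is now stale
        Console.WriteLine(store.Check("userX", pcZ)); // Ok
    }
}
```

In an ASP.NET page the token would travel in a session cookie marked `HttpOnly` and `Secure`, and `Check` would run early in the request pipeline alongside the forms authentication ticket.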
0

This is a self-answer. I ran across Browser Spy, and while it doesn't address the specifics of how to do this, it does indicate that it is possible through a combination of these items to uniquely identify a specific system with a minimal margin of error.

Joel Etherton