0

We are using anonymous identification in asp.net. Anonymous identification creates cookie whenever user lands on our application first time. according to the value of cookie we identify our user and made our business check whenever user lands on our application. It works fine with one cookie/user/anonymous user at a time.

Now i want two parallel anonymous user in one browser at a time. Can you please help me regarding this? How can i do that in Asp.NET MVC? How will I manage two cookies at a time?

let suppose two tabs are open in browser so it mean two user are present. How will system behave when user enters same URL in 3rd tab?

Fahad Farooqi
  • 117
  • 1
  • 2
  • 14
  • 3
    This is a *very uncommon* use case, so you're unlikely to find any out-of-the-box solution. Two people sitting at the same workstation using the same browser is... strange. A simple workaround would be for those two users to use different browsers. – David May 29 '18 at 13:13
  • 1
    tabs do share context withing the same browser, so there is no straight way to achieve this. You should do private browsing and open a second instance to avoid sharing the data (cookies). – Cleptus May 29 '18 at 13:19
  • What you are looking at doing here is using Cookieless Sessions. This is no longer supported in MVC, are you able to use standard ASP.NET instead? https://www.c-sharpcorner.com/UploadFile/deepak.sharma00/using-cookie-less-session-in-Asp-Net/ – TheSoftwareJedi May 29 '18 at 13:31
  • "let suppose two tabs are open in browser so it mean two user are present"...two users shouldn't even share the same login account on the physical computer, let alone the same browser session. The assumption is that this is the same user with two windows open, not two separate users. If this is what the users are doing, they're doing it wrong. If they're doing it on a company computer, they're probably breaching that company's usage and security policy, and could be fired. – ADyson May 29 '18 at 14:28
  • @ADyson This question represents a unique problem with possible solutions. Saying "you're doing it wrong" is merely a cop out for not solving the problem. Enterprises in particular have some very strange requirements at times requiring very annoying, but needed solutions. I do not believe that this question should be closed. – TheSoftwareJedi May 29 '18 at 15:40
  • @TheSoftwareJedi Perhaps you've worked in some different places, but all the enterprises I've ever worked in or with would be appalled at the idea that two users are sharing the same workstation login ID (which they must be, if they're sharing a browser session). It would be considered a serious IT security breach. Therefore they'd never consider designing their applications to support such a scenario. I also fail to see what scenario there is, even in non-corporate environments, which can't be solved by simply opening a new browser session without the need for any unconventional workarounds. – ADyson May 29 '18 at 16:01
  • @TheSoftwareJedi ...cont'd. Some things are best solved with user training rather than alterations to software, especially unconventional alterations which go against established norms and expectations, and are designed to work around an issue which needn't/shouldn't exist. Not everything is technical problem. – ADyson May 29 '18 at 16:02
  • @ADyson I'm not opposed to guiding people in a better direction, but when the requirement is to handle it this way and can't be changed I look to answer with a solution in addition to that guidance. I personally have not come across this scenario, but can imagine it in some wacky run retail situations. Another example of a really crappy requirement, but one that was needed is here: https://stackoverflow.com/questions/299198/implement-c-sharp-generic-timeout/299273#299273 – TheSoftwareJedi May 29 '18 at 16:21
  • @TheSoftwareJedi I take your point but equally I don't see anywhere here where it's been stated that the requirement or the situation can't be changed. Personally I don't see much point in answering questions when the idea is fundamentally a bad one, as it just encourages people to do it anyway without worrying about the overall consequences. You're welcome to differ though, as I see you have done. I agree that it being a bad idea isn't a reason to close the question, there's no category for it on SO, but people seem to be voting it as too broad, which it arguably is. – ADyson May 30 '18 at 06:09

1 Answers1

0

Note: This is a bad idea, and users sharing a browser session seems really fishy to me. You could also use Chrome named users or an incognito session, or different browsers. However, I will present a solution assuming that the strange requirement stands.

You are looking for cookieless sessions. Add this to your web.config in the system.web section:

<sessionState cookieless="UseUri" regenerateExpiredSessionId="true" />

Note that you may find that this is not officially supported anymore in MVC, but does work in many cases. It worked in my simple test.

This will use the URL as the session identifier with each user getting a unique session upon hitting the site without a session in the URL. This is not secure at all because users like to share links and in this case they will be sharing a link to their session.

For your case, this may be sufficient.

More info here.

TheSoftwareJedi
  • 34,421
  • 21
  • 109
  • 151