allow only one connection to the server at a time

[920506]

Hi all,

How to limit one computer can have only one connection with an ASP page program on the server.
The reason I asked this question is: a couple of times, users opened more than one asp program in the browser
at the same time, the session variables in one browser is picked up by another browser instance and two transactions data were mixed up all together.
Thank you.

Betty

 

[Sheco]

From the web server's perspective, all http requests that include the same session cookie are part of the same session.

From the browser's perspective, all requests to a particular server should include any cookies set by that server as long as they are not expired.

 

[920506]

Sheco,
I am not sure if I understand you correctly.
If I have set up a cookie called trxn_id(let's say it will expire 3 hours after the creation) in the program, if this cookie is not expired when I opened another browser, this cookie value will be picked up by another server program with the same cookie name, right?

If this is right, does that mean the session variable values in one program will be picked by another program with the same name too?

If so, what I want to do is check IP address of the client machine and write into database, when the server program is starting, check database to see if the client is connected, if so, stop running this program, does that sound dorable?

 

[travisbrown]

I think what Sheco is getting at is two browser windows will share the same cookie. You don't have two different sessions going; your asp app will just be in two different states.

Open up in IE and Firefox concurrently and you will have two different sessions.

 

[damber]

If so, what I want to do is check IP address of the client machine and write into database, when the server program is starting, check database to see if the client is connected, if so, stop running this program, does that sound dorable?

So, you want a lock on the process by IP address ?

This is possible in that when you start the process, check for an existing entry in a "lock table" which holds identifying info like IP and process name, date/time etc. If it exists then return an error telling the user the process has already started. If not then add and run the process - when finished remove the entry from the lock table. You'll have to have some sort of cleanup process in case an entry gets orphaned etc.

However... the problem is that some users use the same IP address (Many-To-One NAT) so you would lock out more than you intended.

If you use the session id then this could be a better way to resolve the matter of causing problems with running processes using that as the key.

Another way may be to use a transaction ID instead of the session ID for whatever it is your process does. You would then enable the user to run many transactions against their session id without them interfering with each other.

Difficult to know which would be best without knowing what your process is doing.

A smile is worth a thousand kind words. So smile, it's easy!

 

[travisbrown]

Damber's suggestion is a little easier if the app is on an intranet. There are various server variable identifiers you can use. AUTH_USER is another example.

His Transaction ID solution is a good idea.

 

[gbaughma]

AUTH_USER would be a good way to go....

You could drop AUTH_USER into a database when the user logs on.... making sure you clear it when they complete their transaction, etc.

Then, if they open another window, it would check the AUTH_USER against the one in the database, and if it exists, give them a message like "You already have a session open... you can <Override> or <Close>" (in case they don't complete the transaction and close the browser, you'd want them to be able to "unlock" themselves).



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg