Geek Answers Handbook

Limit the number of users accessing the ASP.NET web application

How to limit the number of users of a web application.

You can restrict the web application to handle only 20 users at a time. Our company sells applications based on a number of licenses, but we are not sure what behavior may be in the web application.

I saw some suggestions that you can mark the user account as "LoggedIn = True" when the user is logged in. Then, each new successful login attempt checks the number of entries "LoggedIn = True". If it exceeds the limit, the user is rejected.

How will unexpected input be handled in this case? What to do, if:

  • The user does not press the exit button and closes the browser
  • The browser crashes and the user has no way to log out
  • Interruptions in the network connection, electricity on the client is disconnected, etc. etc.

All of the above will still have the flag "LoggedIn = True" and contribute to the number of registered users. This may inadvertently block authenticated users.

I look more for ASP.NET solutions, if possible.

+7
licensing login
source share
3 answers

Assuming that your user authentication is somehow based on the session, then the answer to all your β€œunexpected” cases (which will actually be the norm - people can rarely exit web applications) will be that these user slots become free when the session time. Therefore, you need to explore patterns of use of your application. If you earn a lot of people in a few minutes, but no more, then a 30-minute session timeout will mean that very few people can actually use the application.

The main problem is that web applications are inherently disabled, so you cannot control what the user actually does between page requests. Usually you sell licenses for such an application for specific users (therefore, if a company buys 20 licenses, this will give them 20 usernames and passwords). Then, of course, you can prevent multiple logins using the same username and password, either by refusing a second login, or by deactivating the previous one (which is probably the best approach if someone really moved from one machine to another without logging out to one of the reasons that you outline).

+4
source share

The most common solution is an activity timer. You can assume that the active user will make at least one request within the "X" time - say, 5 minutes or so.

You can apply this by placing an asynchronous aynax-type request, initiated by a timer, which starts when the page loads. For example, if you assume that all active users will make at least 1 request every 5 minutes, then each page will request a blank (but not cache) page every 4 strong> minutes. Thus, while they have a browser window open, you will always have activity from this user. Again, this is handled by asynchronous requests, and not by any reload directive. This makes it completely transparent to the user.

As an added bonus, see if you can make this ajax request pull some useful information, and not just limit licensing restrictions.

+1
source share

As David points out, the main problem is to distinguish between idle users and users who leave your application.

A possible solution would be to keep the session timeout low (say, 1 or 2 minutes) and use the callback function to keep the session in standby for inactivity users. Then you can increase the counter in Session_Start and decrease it in Session_End and use it to track the number of active sessions. If the number of active sessions goes beyond your limit, you redirect the new user to a page that refuses the session and informs the user that you have too many visitors at the moment.

0
source share

More articles:


All Articles