Prevent double login

[Wagner]

Hello,

I created web application protected by Forms Authentication.

I'll describe it in short:
User logs in, variable Application("LastAccessTime" & UserId) is written to
Application State then is retrieved aspx page with client-side script which
pools web service every x seconds (protected by the same security) and
displays retrieved xml data using dhtml.
With every web service request Application("LastAccessTime" & UserId) is
changed to current time.
If there is no request for 30 seconds user is considered logged out, web
service won't respond with data and user can (must) login again with the
same username.
Variable "UserId" is stored in Session object.
Anybody who would try to login again with same username would be rejected
since Application("LastAccessTime" & UserId) has current time meaning the
user is active.
After timeout period of 30 seconds username is again available.

I created this solution but it is not robust enough since variables stored
in Session and Application are frequently lost on ISP's web server.

Is there any better and more stable solution?

[Svein Terje Gaup]

You would get a more stable solution by storing the UserID plus
LastAccessTime in a database table (or possibly in a DataSet persisted to a
file). This of course would induce an extra overhead for updating the
db/dataset once per request, but still, it would probably be more stable
since data would not get erased by the ISP restarting the webservice on the
server.

By the way, why don't you set Session.Timeout at first logon in stead of
maintaining your time-slot manually in the Application object?

Sincerely
Svein Terje Gaup

"Wagner" <wagner@email.t-com.hr> wrote in message
news:1739nlc550nzh$.1s502j9979xyd.dlg@40tude.net.. .

> Hello,
>
> I created web application protected by Forms Authentication.
>
> I'll describe it in short:
> User logs in, variable Application("LastAccessTime" & UserId) is written
> to
> Application State then is retrieved aspx page with client-side script
> which
> pools web service every x seconds (protected by the same security) and
> displays retrieved xml data using dhtml.
> With every web service request Application("LastAccessTime" & UserId) is
> changed to current time.
> If there is no request for 30 seconds user is considered logged out, web
> service won't respond with data and user can (must) login again with the
> same username.
> Variable "UserId" is stored in Session object.
> Anybody who would try to login again with same username would be rejected
> since Application("LastAccessTime" & UserId) has current time meaning the
> user is active.
> After timeout period of 30 seconds username is again available.
>
> I created this solution but it is not robust enough since variables stored
> in Session and Application are frequently lost on ISP's web server.
>
> Is there any better and more stable solution?