Concurrent Access Control Settings
Overview
The purpose of this feature is to prevent several users from simultaneously accessing a protected site with a single login and password. When this option is enabled, the DAF Engine checks, for each logged-in user, that the number of concurrent accesses never exceeds the maximum allowed.
The control is based on the client IP address. For example, if the maximum is set to three and four clients attempt to access the site with the same login, the last login will be detected as exceeding the maximum and the action specified in the settings will be taken.
Several options have been implemented to enable Concurrent Access Control despite the fact that this type of feature is NOT natural for the HTTP protocol and dial-up clients. It is important to understand these problems in order to choose the best settings for a given need.
With the HTTP protocol, a session lives for one (HTTP/1.0) or several (HTTP/1.1) consecutive HTTP requests. In all cases, if several requests are sent simultaneously (e.g., an HTML file including GIF files), several sessions are created. A session usually ends after a pseudo-random number of HTTP requests. Obviously this natural HTTP session cannot be used to control concurrent access. For this reason DAF checks concurrent access using an artificial "User Session." For this feature, a user session is attached to a client IP address. A session starts when the server receives the first authenticated request sent by that client IP address. The session ends when no request has been received for the timeout period (option "User session timeout").
An important drawback of this implementation is that a session continues until the timeout is reached, even if the user has disconnected from his ISP.
The only information available to identify a client is the remote IP address. Unfortunately, for a dial-up client this address may change each time the user connects to his ISP. Therefore, a single client can be detected as two different clients if he accesses the protected site with his login and password, disconnects and reconnects his modem, and re-accesses the protected site with the same login and password before the timeout. For this reason, it is not recommended to set the maximum number of concurrent users to "1", and the session timeout should not be too long.
Another way to avoid this problem is to use the option "Apply mask to IP address." This option applies a mask to all remote IP addresses before DAF calculates the number of different IP addresses. For example, with mask "255.255.255.0" the two IP addresses "10.10.10.1" and "10.10.10.2" are counted as the same client. Consequently, if this option is used with mask "255.255.0.0", all clients accessing the Internet through the same ISP are counted as only one user. The drawback is that for a large ISP such as AOL, a shared login/password could be used by two AOL clients and still be counted as a single user.
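The following is an added model of the user-session counting described above (example code written for this page, not the DAF filter's own implementation). The class and method names are assumptions; the settings mirror the options in the text: the concurrent-user threshold, the session timeout, the optional IP mask, and the exempt DAF groups.

```python
import ipaddress
from collections import defaultdict


class ConcurrentAccessControl:
    """Model of the DAF "user session" counting (added example, hypothetical API).

    max_users mirrors "If more than ... concurrent users", timeout the
    "User session timeout" (seconds), mask the "Apply mask to client IP
    address" option and exempt_groups the "Except for DAF groups" list.
    """

    def __init__(self, max_users=3, timeout=300, mask=None, exempt_groups=()):
        self.max_users = max_users
        self.timeout = timeout
        self.mask = mask
        self.exempt_groups = set(exempt_groups)
        # login -> {masked client IP -> time of its last authenticated request}
        self._sessions = defaultdict(dict)

    def masked_ip(self, ip):
        """Apply the configured mask so neighbouring dial-up addresses count as one client."""
        if self.mask is None:
            return ip
        net = ipaddress.ip_network(f"{ip}/{self.mask}", strict=False)
        return str(net.network_address)

    def request(self, login, client_ip, now, groups=()):
        """Record an authenticated request; return (live sessions, limit exceeded).

        A session starts with the first authenticated request from a (masked)
        client IP and ends once no request has been seen for `timeout` seconds,
        so a dial-up user who reconnects with a new address before the timeout
        is counted twice, exactly the drawback the text describes.
        """
        if self.exempt_groups.intersection(groups):
            return 0, False  # members of an exempt group are never checked
        live = self._sessions[login]
        for ip in [ip for ip, last in live.items() if now - last > self.timeout]:
            del live[ip]  # session timed out: no request within the timeout
        live[self.masked_ip(client_ip)] = now
        count = len(live)
        exceeded = count > self.max_users
        if exceeded:  # the "Enable Logging" action
            print(f"{now}: {login!r} has {count} concurrent accesses (max {self.max_users})")
        return count, exceeded
```

With mask "255.255.255.0", the addresses 10.10.10.1 and 10.10.10.2 from the text collapse to one client, while 10.10.11.2 still counts as a second one.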
Suggested Settings:
If the aim is to allow only ONE client to use each user login, you can choose a tight or loose control:
Concurrent Access Control Configuration
The "Concurrent Access Control" setting dialog is available in the DAF Configuration Tool under Tab "Concurrent Access Control."
Enable Concurrent Access Control:
Check to enable Concurrent Access Control.
User Session TimeOut:
Define the user session timeout length.
For DAF User:
If checked, Concurrent Access is checked for the users of a DAF User database.
For NT User member of NT Domain ...:
If checked, Concurrent Access is checked for NT users who are members of the specified NT domain.
Apply mask to client IP address ...:
If this option is checked, a mask is applied to remote IP addresses before calculating the number of different remote addresses.
Except for DAF groups:
Concurrent Access is not checked if the current user belongs to a listed group. Groups should be separated with commas.
Enable remote IP simulation:
When this option is enabled, for test purposes, it is possible to simulate different client IP addresses using a single browser.
For more information, refer to section Concurrent Access Control Current Status.
If more than ... concurrent users:
It is possible to define two maximum numbers of concurrent users above which DAF processes an action.
It can be one or several of the following actions:
Enable Logging:
If this option is enabled, each time DAF detects too many concurrent accesses, the event is recorded in the log file.
Concurrent Access simulation
When the option "Remote IP simulation" is enabled, it is possible to simulate several concurrent accesses using a single browser. To simulate a remote IP address, simply append the query string "?IPCA=A.B.C.D" to a URL.
For example, if URL "http://www.mydomain.com/private" is a protected site with Concurrent Access Control enabled, calling the following four URLs:
- http://www.mydomain.com/private?IPCA=10.0.0.1
- http://www.mydomain.com/private?IPCA=192.100.0.2
- http://www.mydomain.com/private?IPCA=100.95.95.1
- http://www.mydomain.com/private?IPCA=152.21.28.1
will be seen as four different remote IP addresses (10.0.0.1, 192.100.0.2, 100.95.95.1, 152.21.28.1).
Concurrent Access Control Current Status
At any time, it is possible to see who is logged in and how many users are currently connected, using one of the following credentials:
- any NT Administrator login and password
- any NT user login and password which belongs to the NT Local (NOT Global) group "DAFAdmin." This NT group must be created manually with the "NT User Manager for Domains."
- the DAFTools Main administrator login and password (by default "admin" with a blank password)
- the current DAFTools Database administrator password with any login
For this DAF User database, three users are currently connected: "phil" and "m5" with three concurrent accesses, "m2" with two concurrent accesses.
Remark:
The files "cactrlgb.htm" and "cactrl.htm" are generated automatically by the filter; they do not exist as files on the server.
Last update: Friday, April 02, 1999 08:18