3

I am currently trying to secure our application so that it is unusable if the license expires. There is a registration key stored in our database that I use to determine the validity of the license.

My original idea was to use Session_Start in the global.asax file to refer to the license details and issue a redirect to an "update your license page" if necessary. Following the redirect I was calling Session.Abandon() in my controller action so that any further requests for pages would repeat the same process.

The problem with this approach is if the user refreshes the page I seem to get a redirect loop occurring. This makes me think that Session_Start is not the best idea but I was trying to avoid placing code in BeginRequest or similar. It is also going to be messy to bypass during valid attempts to update the license.

I currently modified the idea to make an AJAX call when the error page is loaded to trigger Session.Abandon on the server side but this still feels wrong and is open to abuse if someone realises how it works.

The whole application is secured using Windows Authentication so I don't have the option to evaluate the licensing during a login attempt which would have been what I would do with Forms Authentication.

Any suggestions for an alternate approach?

Copers
  • 35
  • 5
  • Why not use `Application_Start()` instead of `Session_Start()`? It doesnt make sense to check the license on each request (unless the licenses are for 5 minute intervals) - once per day or so should be fine. Also, the AJAX call would be easily enough disabled if anyone wanted to bypass the license check. – Tommy Mar 28 '14 at 16:31
  • @Tommy Thanks for the reply. They update the registration key within the same application unfortunately. – Copers Mar 28 '14 at 16:49

1 Answers1

1

Since this is an MVC application you can write a custom attribute that you place on a base controller that all the controllers inherit from.

 public class MyAuthorization : AuthorizeAttribute
 {
     //Call a stored proc or your database layer to check for the 
     //correct license validity
 }

 [MyAuthorization]
 public class BaseController : Controller 
 {
 }

 public class HomeController : BaseController
 {
 }

With this every time a controller is hit it will check for the license key.

This is how we handle our authorization time out. We check our database to see if the user has been inactive for 20 mins and log them out if so.

Robert
  • 4,306
  • 11
  • 45
  • 95