Ivan Mitev In The Software Trenches

Technology weblog on .NET development and other things that make the world go round

March 24, 2007

Controlling the number of active users of an ASP.NET application

Last week our team had to implement a requirement that limits the number of concurrent active users of an ASP.NET application. In order to deal with concurrent users, there should be a continuous interaction between the user and the application, which does not match the essence of web applications very well: request-response. Since our app is meant to be an intranet application (used mostly like a desktop app), such a licensing scheme makes some sense. And the concept of an ASP.NET session denotes a continuous communication, so it provided a good way of determining who is an active user and who is not.

I was surprised that I could not find a way to directly control the active ASP.NET sessions - e.g. kill a session (by its SessionID), get the session data, etc. As a workaround, we used a two-step process: keep the IDs of the active sessions in a "session manager" and, when some event occurs (e.g. the max number of concurrent users is reached), mark a session "to be killed". That way, the next request from a "to be killed" session forces the session to be abandoned.

This scheme worked nicely, until we noticed that closing the browser and reopening it again caused a new session to be registered in our "session manager". The previous one remained alive since the ASP.NET application did not know that the user had closed his browser (the ASP.NET session ID cookie is stored only in browser memory, so it gets lost). So we came up with another workaround and used a persistent cookie to identify that the user has finished a session and started a new one.
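
A sketch of the "session manager" described above, covering both the "to be killed" marking and the persistent-cookie workaround. This is an added example, not the code from the original project: the class and method names, and the choice to mark the least recently active session when the limit is exceeded, are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical session manager; class name, method names and the
// "least recently active session is marked" policy are assumptions.
public sealed class SessionManager
{
    private sealed class Entry { public string ClientId; public DateTime LastSeen; public bool Kill; }

    private readonly object _gate = new object();
    private readonly Dictionary<string, Entry> _sessions = new Dictionary<string, Entry>();
    private readonly int _maxUsers;

    public SessionManager(int maxUsers) { _maxUsers = maxUsers; }

    // Call when a new session starts. clientId is the persistent cookie's value; issue
    // it as a random token, because presenting it replaces that client's old session.
    public void Register(string sessionId, string clientId, DateTime now)
    {
        lock (_gate)
        {
            // Same browser returned with a new session ID: drop its old entry.
            var stale = _sessions.Where(p => p.Value.ClientId == clientId).Select(p => p.Key).ToList();
            foreach (var id in stale) _sessions.Remove(id);
            _sessions[sessionId] = new Entry { ClientId = clientId, LastSeen = now };

            // Over the limit: mark the least recently active session "to be killed".
            var live = _sessions.Values.Where(e => !e.Kill).OrderBy(e => e.LastSeen).ToList();
            if (live.Count > _maxUsers) live[0].Kill = true;
        }
    }

    // Call on every request; false means the caller should abandon the
    // session (Session.Abandon() in ASP.NET) instead of serving the page.
    public bool Touch(string sessionId, DateTime now)
    {
        lock (_gate)
        {
            Entry e;
            if (!_sessions.TryGetValue(sessionId, out e)) return false;
            if (e.Kill) { _sessions.Remove(sessionId); return false; }
            e.LastSeen = now;
            return true;
        }
    }

    public int ActiveCount { get { lock (_gate) return _sessions.Values.Count(e => !e.Kill); } }
}
```

Because the manager holds no reference to `System.Web`, it can be exercised in a unit test with fixed timestamps before being wired into the application's session and request events.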

The thing that I don't quite like is that we started with a simple problem and developed a pretty complex solution. I wonder if there was a more elegant way to deal with the concurrent users issue.
