ASP.Net [2.0] - SessionID

Hi all,

I've just put some code together (cobbled is a phrase I like to use) - to
handle a secure login to a web based application.

It's not exactly rocket science, a session is created, its ID and user ID
are written to the database, each page that requires authentication checks
to see if there is a current identity (ie a session already) and if so then
tries to match that to the one in the database - if everything's ok - great -
move on - if not - redirect to the login page.

Now - here's the thing...

I was expecting the Session.SessionID to be unique, not only when a new
window is opened, but if the current session is killed off (using
Session.Clear / Session.Abandon) - however - it doesn't appear to be -
therefore it's not entirely impossible to get logged back in when the details
match etc..

For example - I log in...my Session.SessionID in browser 1 is:
k2xmyl3fwinxrh45hyp30qbk

I open a second browser and login and my Session.SessionID in browser 2 is:
hqbzk4555ivl2ez0nlophy55

Both of these have been written to my database with my user ID (1), now,
when I then hit the database and change the UserID to 2 (ie, causing a no
match) I'm prompted to log in (because the UserID / Session.SessionID didn't
match) - but when I log in again I am given the same Session.SessionID as I
had originally?!

Can anyone advise as to whether it's possible to generate a new
Session.SessionID - as I said I was expecting this to have happened
automatically having used "Abandon" etc when logging out, or when there is
no match (I have a little Session killing off function etc)..

Any help would be most appreciated,

Regards

Rob
May 13 '06 #1
What a waste of time. ASP.NET 2.0 manages logins using Membership, Roles,
and Profiles. Spend more time with the documentation Rob.

<%= Clinton Gallagher
NET csgallagher AT metromilwaukee. com
URL http://www.metromilwaukee.com/clintongallagher/
May 15 '06 #2
Hi Clinton

Each to their own. There might be a solution built in but not to
everyone's taste. Have you tried using the built-in profiles system to
perform queries on thousands of users without retrieving every user?
It's not fun. ;)

May 15 '06 #3
> Each to their own. There might be a solution built in but not to
> everyone's taste. Have you tried using the built-in profiles system
> to perform queries on thousands of users without retrieving every
> user? It's not fun. ;)


I think your complaint here is the storage format the default profile provider
uses. You should consider using a different provider (or write your own)
to store the data the way you'd prefer it. Google for "Table Profile Provider"
for a sample.

-Brock
http://staff.develop.com/ballen
May 15 '06 #4
I realise, ;) I was merely pointing out that a solution to one person
doesn't mean it's a solution to everyone. Calling someone's work a waste
of time because he/she wanted to manage the login details themselves
isn't the way to handle that sort of question.

May 15 '06 #5
"Ray Booysen" wrote ...
> Calling someone's work a waste of time because he/she wanted to manage the
> login details themselves isn't the way to handle that sort of question.


Thank you.

For what it's worth - I've not read "the" documentation for .net 2.0,
neither did I for 1.1 or 1.0 - instead I just refer to parts of it when I
get stuck, but more often than not find myself asking a question in a group
like this first because typically there's a really wide audience level for
these groups, and you'll often get more than one suggestion on how to
resolve the problem - I find that useful to see other ideas so that I can
either use one of them, or bits from each or whatever - it helps me learn.

Being new to .net 2.0 I would even have known about a login/profile
thingy-ma-jig in it anyway - so unless I stumbled over some review of it I'm
unlikely to have found it.

Since posting, I've found that it seems better to use a generated GUID than
the Session.SessionID - something that would have been helpful to have known
previously, but I found an article online that mentions that the
Session.SessionID wasn't unique - that was basically the answer to my
question.

On using pre-built functionality - if I always use other people's work, code,
examples etc I'll never really learn how to do those bits of the code
myself, whilst I appreciate it can save time, this could be wasted in the
future if it all goes tits up and I spend 3 weeks trying to figure out
what's happening. I don't suppose anyone has ever written anything that's one
hundred percent perfect, with no vulnerabilities etc.

Thanks to all for the replies, nice to see a conversation spin out of my
thread if little else :o)

Regards

Rob
May 15 '06 #6
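
An added example, not part of any post in this thread: in cookie mode ASP.NET keeps using the session ID the browser presents, so `Session.Abandon()` discards the server-side state but the same `SessionID` comes back on the next login unless the `ASP.NET_SessionId` cookie (the default name) is blanked. The sketch below does that on sign-out and issues a separate random login token instead of storing `SessionID` in the database; the class name `LoginSession` and the cookie name `AuthToken` are assumptions, and saving and deleting the token row is left to the caller.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Hypothetical helper for a hand-rolled login like the one described above.
public static class LoginSession
{
    // Default ASP.NET session cookie name; it changes if
    // <sessionState cookieName="..."> is set in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Assumed name for the application's own login token cookie.
    private const string AuthCookieName = "AuthToken";

    // 256 bits from the OS CSPRNG, hex encoded so it is cookie-safe.
    public static string NewToken()
    {
        byte[] bytes = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    // Call after the password check succeeds. The caller stores the
    // returned token with the user ID and an expiry in the database
    // and matches it on every authenticated page.
    public static string SignIn(HttpContext ctx, int userId)
    {
        string token = NewToken();
        HttpCookie cookie = new HttpCookie(AuthCookieName, token);
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = ctx.Request.IsSecureConnection;  // HTTPS only when on HTTPS
        ctx.Response.Cookies.Add(cookie);
        return token;
    }

    // Call on logout and whenever the token/user match fails. The caller
    // also deletes the token row so the old value can never match again.
    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();

        // Abandon() alone leaves the session cookie in the browser, which is
        // why the same SessionID reappears. Blank it to force a new ID.
        ctx.Response.Cookies.Add(new HttpCookie(SessionCookieName, ""));

        // Expire the login token cookie as well.
        HttpCookie expired = new HttpCookie(AuthCookieName, "");
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        ctx.Response.Cookies.Add(expired);
    }
}
```
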
Rob et. al., another point to be cognizant of is how many of us seem to be
carrying across our thought processes when "scripting" was the way we
developed web applications. Now that is not to say the use of the framework
classes may not do things the same way from time to time but the
implementations are abstracted away from us leaving the developer to be more
productive. Less time is wasted on rudimentary building blocks. Time after
all is of the essence is it not?

It seems to me there are two types of web development behavior models. There
is the "think-do-think" and there is the "do-think-do." Rob "confesses" a
preference for the do-think-do. Don't we all from time to time? Which is
best is always a contextual issue though ainna?

As for me, I vacillate from one to the other like anybody else but after all
is said and done I am left with one simple question. "Do I want to waste my
time doing things my way, the way I think they should be or could be done or
do I want to learn from others who have come before me to adopt what have
come to be called "best practices?"

And yes, Ray, I have tried using the built-in profiles system to perform
queries which is why I thank Brock -- again -- for bringing the search term
"Table Profile Provider" to your attention the same way he did for me just
last week Ray. The same way I brought the search terms "Membership, Roles,
and Profiles" to the attention of Rob so he doesn't have to waste his time
anymore.

--
<%= Clinton Gallagher
NET csgallagher AT metromilwaukee. com
URL http://www.metromilwaukee.com/clintongallagher/


May 17 '06 #7