I'm having an issue that hopefully someone here can help me out with. First a quick explanation:
I'm managing users of my site in a fairly custom way. (in other words I'm not using asp.net's built-in methods). I have my own database table for user info, and people can register on the site, and then log in. If they haven't logged in, they are considered a guest and I store their name as "guest" in a sessions table along with some other info (like their IP, referrer, browser info, etc.).
However, if they've logged in before and choose to "auto login" from then on - each time they visit the site, I want to log them in with info I leave in a cookie. Yes, I know this won't work if they have cookies disabled...I'm taking the risk.
So, here is my code for my Session_Start method in my Global.asax code file:
protected void Session_Start(Object sender, EventArgs e)
{
string SessionGUID = string.Empty;
if (Request.Cookies["CoolWebsite"] != null)
{
if (Request.Cookies["CoolWebsite"]["AutoLogin"] == "true")
{
// we'll make their cookie good for two weeks
Response.Cookies["CoolWebsite"].Expires = DateTime.Now.AddDays(14);
// now simulate logging them in by adding a session token
// for them to the database and also set it in their SessionGUID Session var
SessionGUID = Guid.NewGuid().ToString("B");
SecurityManager.AddSessionTokenToDatabase(Request. Cookies["CoolWebsite"]["SystemUserName"].ToString(), SessionGUID);
Session.Add("SessionGUID", SessionGUID);
}
else
{
SessionGUID = Guid.NewGuid().ToString("B");
SecurityManager.AddSessionTokenToDatabase(@"guest" , SessionGUID);
Session.Add("SessionGUID", SessionGUID);
}
}
else
{
SessionGUID = Guid.NewGuid().ToString("B");
SecurityManager.AddSessionTokenToDatabase(@"guest" , SessionGUID);
Session["SessionGUID"] = SessionGUID;
}
}
And now, here is the code that executes once they've typed in their user name and password to log in (it's within a user control)
if (Page.IsPostBack == true) //they typed un/pw and clicked "OK"
{
if((SecurityManager.ValidateLogin(txtUserName.Text , txtPassword.Value) == true)
&& (SecurityManager.HasAdminPrivileges(txtUserName.Te xt) == true))
{
//update the cookie and change their "guest" session to
//their user name, then redirect to the Control Panel
Response.Cookies["CoolWebsite"].Expires = DateTime.Now.AddDays(14);
Response.Cookies["CoolWebsite"]["SystemUserName"] = txtUserName.Text;
Response.Cookies["CoolWebsite"]["AutoLogin"] = "true";
SecurityManager.UpdateUserSessionNameInDatabase(tx tUserName.Text, Session["SessionGUID"].ToString());
Response.Redirect("ControlPanel.aspx");
}
else
{
LoginFailedDiv.Attributes.Add("style", @"display:block;");
}
}
else
{
//not a postback, first time admin login page is being loaded.
//check for session token and see if user is an admin
if (Session["SessionGUID"] != null)
{
string UserName = SecurityManager.GetUserNameFromSessionToken(Sessio n["SessionGUID"].ToString());
if (SecurityManager.HasAdminPrivileges(UserName) == true)
{
Response.Redirect("ControlPanel.aspx");
}
}
}
Basically, if they try to hit the login page when they've already said they want to be logged in automatically, I just want to forward them to the ControlPanel.aspx page. Also - if they hit any page "behind" the Control Panel that requires them to have certain privileges, I don't want it taking them back to the login page when their session expires. I just want the cookie to get checked in Session_Start and allow them to keep doing what they were doing. But that's not happening. Every time the session expires or if it's a new session and they try to access a page behind the Control Panel it's taking them back to the login page before they can get back to the ControlPanel.aspx page.
Does anyone see something obvious that I'm missing here? I don't have the foggiest idea why the cookie information is not getting picked out during the Session_Start. The line of code where I'm testing to see if the "CoolWebsite" cookie is null or not keeps ending up going down to the "else" block because the cookie is null.
Thanks,
-Jason
