ASP.Net [2.0] - SessionID

Hi all,

I've just put some code together (cobbled is a phrase I like to use) - to
handle a secure login to a web based application.

It's not exactly rocket science, a session is created, its ID and user ID
are written to the database, each page that requires authentication checks
to see if there is a current identity (ie a session already) and if so then
tries to match that to the one in the database - if everything's ok - great -
move on - if not - redirect to the login page.

Now - here's the thing...

I was expecting the Session.SessionID to be unique, not only when a new
window is opened, but if the current session is killed off (using
Session.Clear / Session.Abandon) - however - it doesn't appear to be -
therefore it's not entirely impossible to get logged back in when the details
match etc..

For example - I log in...my Session.SessionID in browser 1 is :
k2xmyl3fwinxrh45hyp30qbk

I open a second browser and login and my Session.SessionID in browser 2 is:
hqbzk4555ivl2ez0nlophy55

Both of these have been written to my database with my user ID (1), now,
when I then hit the database and change the UserID to 2 (ie, causing a no
match) I'm prompted to log in (because the UserID / Session.SessionID didn't
match) - but when I log in again I am given the same Session.SessionID as I
had originally?!

Can anyone advise as to whether it's possible to generate a new
Session.SessionID - as I said I was expecting this to have happened
automatically having used "Abandon" etc when logging out, or when there is
no match (I have a little Session killing off function etc)..

Any help would be most appreciated,

Regards

Rob
May 13 '06 #1
What a waste of time. ASP.NET 2.0 manages logins using Membership, Roles,
and Profiles. Spend more time with the documentation, Rob.

<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/
May 15 '06 #2
Hi Clinton

Each to their own. There might be a solution built in but not to
everyone's taste. Have you tried using the built-in profiles system to
perform queries on thousands of users without retrieving every user?
It's not fun. ;)

May 15 '06 #3
> Each to their own. There might be a solution built in but not to
> everyone's taste. Have you tried using the built-in profiles system
> to perform queries on thousands of users without retrieving every
> user? It's not fun. ;)


I think your complaint here is the storage format the default profile provider
uses. You should consider using a different provider (or write your own)
to store the data the way you'd prefer it. Google for "Table Profile Provider"
for a sample.

-Brock
http://staff.develop.com/ballen
May 15 '06 #4
I realise, ;) I was merely pointing out that a solution to one person
doesn't mean it's a solution to everyone. Calling someone's work a waste
of time because he/she wanted to manage the login details themselves
isn't the way to handle that sort of question.

May 15 '06 #5
"Ray Booysen" wrote ...
> Calling someone's work a waste of time because he/she wanted to manage the
> login details themselves isn't the way to handle that sort of question.


Thank you.

For what it's worth - I've not read "the" documentation for .net 2.0,
neither did I for 1.1 or 1.0 - instead I just refer to parts of it when I
get stuck, but more often than not find myself asking a question in a group
like this first because typically there's a really wide audience level for
these groups, and you'll often get more than one suggestion on how to
resolve the problem - I find that useful to see other ideas so that I can
either use one of them, or bits from each or whatever - it helps me learn.

Being new to .net 2.0 I would even have known about a login/profile
thingy-ma-jig in it anyway - so unless I stumbled over some review of it I'm
unlikely to have found it.

Since posting, I've found that it seems better to use a generated GUID than
the Session.SessionID - something that would have been helpful to have known
previously, but I found an article online that mentions that the
Session.SessionID wasn't unique - that was basically the answer to my
question.

On using pre-built functionality - if I always use other people's work, code,
examples etc I'll never really learn how to do those bits of the code
myself, whilst I appreciate it can save time, this could be wasted in the
future if it all goes tits up and I spend 3 weeks trying to figure out
what's happening. I don't suppose anyone has ever written anything that's one
hundred percent perfect, with no vulnerabilities etc.

Thanks to all for the replies, nice to see a conversation spin out of my
thread if little else :o)

Regards

Rob
May 15 '06 #6
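
The unchanged Session.SessionID that Rob sees after Session.Abandon comes from the browser still holding the ASP.NET_SessionId cookie, which ASP.NET accepts again on the next request. The C# below is an added example, not code from any poster in this thread: it expires that cookie on logout and ties the database check to a fresh random token per login instead of Session.SessionID. The class and method names and the "UserId"/"AuthToken" session keys are hypothetical; the cookie name is the ASP.NET default.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Added example; SessionTokens and its members are hypothetical names.
public static class SessionTokens
{
    // Default ASP.NET session cookie name (sessionState cookieName can change it).
    private const string SessionCookie = "ASP.NET_SessionId";

    // 128 bits from the OS CSPRNG, hex-encoded.
    public static string NewToken()
    {
        byte[] buf = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(buf);
        return BitConverter.ToString(buf).Replace("-", "");
    }

    // Call after the credentials check; the caller stores (userId, token)
    // in the database in place of Session.SessionID.
    public static string OnLogin(HttpContext ctx, int userId)
    {
        string token = NewToken();
        ctx.Session["UserId"] = userId;
        ctx.Session["AuthToken"] = token;
        return token;
    }

    // tokenFromDb is the value the caller looked up for the session's user.
    public static bool IsAuthenticated(HttpContext ctx, string tokenFromDb)
    {
        string token = ctx.Session["AuthToken"] as string;
        return token != null
            && string.Equals(token, tokenFromDb, StringComparison.Ordinal);
    }

    public static void OnLogout(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();
        // Abandon() discards server-side state only. The browser still holds
        // the cookie, so overwrite it with an expired one to force a new ID.
        HttpCookie expired = new HttpCookie(SessionCookie, "");
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.HttpOnly = true;
        ctx.Response.Cookies.Add(expired);
    }
}
```
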
Rob et al., another point to be cognizant of is how many of us seem to be
carrying across our thought processes when "scripting" was the way we
developed web applications. Now that is not to say the use of the framework
classes may not do things the same way from time to time but the
implementations are abstracted away from us leaving the developer to be more
productive. Less time is wasted on rudimentary building blocks. Time after
all is of the essence is it not?

It seems to me there are two types of web development behavior models. There
is the "think-do-think" and there is the "do-think-do." Rob "confesses" a
preference for the do-think-do. Don't we all from time to time? Which is
best is always a contextual issue though ainna?

As for me, I vacillate from one to the other like anybody else but after all
is said and done I am left with one simple question. "Do I want to waste my
time doing things my way, the way I think they should be or could be done or
do I want to learn from others who have come before me to adopt what have
come to be called "best practices?"

And yes, Ray, I have tried using the built-in profiles system to perform
queries which is why I thank Brock -- again -- for bringing the search term
"Table Profile Provider" to your attention the same way he did for me just
last week Ray. The same way I brought the search terms "Membership, Roles,
and Profiles" to the attention of Rob so he doesn't have to waste his time
anymore.

--
<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/


May 17 '06 #7
