Strange Session Restart

na
I am using form authentication and InProc cookieless session. The
strange thing is that when an authenticated user tries to navigate to any
page that is in a subfolder of the application root, the session is
restarted and a new session id is generated. Thus the user would never be
able to access those pages because each page's InitializeComponent()
checks if (Session.Keys.Count == 0). If yes, then the server transfers the
request to the login.aspx page again.
Does anyone know why the session is restarted? Thanks. The following
are snippets of the web.config and login.aspx:

Web.config
========
<system.web>
    <compilation defaultLanguage="c#" debug="true" />
    <customErrors mode="Off" defaultRedirect="/accessDenied.aspx"/>
    <trace enabled="false" requestLimit="10" pageOutput="false"
           traceMode="SortByTime" localOnly="true" />
    <sessionState mode="InProc" cookieless="true" timeout="20" />

    <authentication mode="Forms">
        <forms
            name="my_Authorization"
            loginUrl="Login.aspx"
            protection="All"
            path="/"
            requireSSL="false"
            slidingExpiration="false">
            <credentials passwordFormat = "SHA1"/>
        </forms>
    </authentication>

    <authorization>
        <deny users="?"/>
    </authorization>

</system.web>

<!-- page that does not require login -->
<location path="main.aspx">
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
    </system.web>
</location>

<!-- page that does not require login -->
<location path="_Net/forms/StatusChange.aspx">
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
    </system.web>
</location>

Login.aspx
=========
private void btnLogin_Click(object sender, System.EventArgs e)
{
    if (Page.IsValid)
    {
        string strAccountName = Server.HtmlEncode(txtAccount.Text);
        string strPassword = Server.HtmlEncode(txtPassword.Text);

        oUserCredential = new User();
        if (oUserCredential.UserCredential(strAccountName, strPassword))
        {
            // Cache the authenticated user's profile in session state.
            Session["Account"] = oUserCredential.Account;
            Session["UserID"] = oUserCredential.UserId;
            Session["UserOrganization"] = oUserCredential.Organization;
            Session["FirstName"] = oUserCredential.FirstName;
            Session["LastName"] = oUserCredential.LastName;
            Session["UserEmail"] = oUserCredential.Email;
            Session["UserRole"] = oUserCredential.Role;
            Session["SrmRole"] = oUserCredential.SrmRole;

            // Return to the originally requested URL.
            System.Web.Security.FormsAuthentication.RedirectFromLoginPage(
                strAccountName, PersistCookie.Checked);
        }
        else
            Msg.Text = "Invalid Credentials: Please try again. <br/>";
    }
}

*** Sent via Developersdex http://www.developersdex.com ***
Dec 8 '05 #1
Is it possible that you write some files in the bin folder? When the bin folder
is changed, the ASP.NET runtime recycles the worker process.
I have chased a similar problem and the problem turned out to be exactly this.
There was a third-party control that was writing some file in the bin folder.

--

Stoitcho Goutsev (100) [C# MVP]

Dec 8 '05 #2
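
An added diagnostic example (not code from any poster in this thread) for checking the suggestion in reply #2 that a change under bin is recycling the application: it logs why the application domain shut down and when each new session starts. It assumes ASP.NET 2.0 or later for HostingEnvironment.ShutdownReason, and the log path is hypothetical.

```csharp
// Global.asax.cs: added diagnostic example, not part of the original thread.
using System;
using System.IO;
using System.Web;
using System.Web.Hosting;

public class Global : HttpApplication
{
    // Hypothetical path (assumption). Keep it outside the application tree
    // so that writing the log cannot itself trigger a restart.
    private const string LogPath = @"C:\Logs\session-diagnostics.log";
    private static readonly object LogLock = new object();

    private static void Log(string message)
    {
        lock (LogLock)
        {
            File.AppendAllText(LogPath,
                DateTime.UtcNow.ToString("o") + " " + message + Environment.NewLine);
        }
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        Log("Application_Start");
    }

    protected void Application_End(object sender, EventArgs e)
    {
        // BinDirChangeOrDirectoryRename indicates that something modified
        // the bin folder; ConfigurationChange indicates a web.config edit.
        ApplicationShutdownReason reason = HostingEnvironment.ShutdownReason;
        Log("Application_End reason=" + reason);
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        // With cookieless sessions the id travels in the URL and works as a
        // credential, so only a short prefix is written to the log.
        string id = Session.SessionID;
        string prefix = id.Length > 6 ? id.Substring(0, 6) : id;
        Log("Session_Start id=" + prefix + "... path=" + Request.Path);
    }
}
```

If the log shows a Session_Start for the subfolder request with no Application_End and Application_Start pair before it, the application was not recycled and the lost InProc session has some other cause.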
na
Thanks for responding. There is no process that would write to the bin
directory. I investigated that if I don't use the form authentication,
and just use my own navigation, the session variables are kept. Also,
if I flatten the application's directory structure so that everything
resides in the same directory, even with form authentication, the
session variables will be persisted. I begin to wonder if there is some
sort of buggy logic in .Net Framework Session and Form Authentication.
Dec 8 '05 #3
You'd probably get better help in the ASP.NET groups

--

Stoitcho Goutsev (100) [C# MVP]

Dec 9 '05 #4