.net - Technique Of ASP.NET Session Access Multi-user Is Safe?
Mar 9, 2010
I am looking at a design pattern which has come up in quite a few of my firm's projects.It has historically functioned correctly, however I have heard some other developers argue that there is a possibility of session corruption using this pattern. I'm looking for insight from other .NET developers here on Stack Overflow. Basically, there's a class -- usually either static or a Singleton pattern, depending largely on the developer who wrote it -- stored in App_Code.This class encapsulates access to the current session via properties.All of these properties take the form of:
[code]...
However,because this is just a static entry to HttpContext.Current.Session,it seems like it should be safe, as it is not fundamentally any different than the Page class encapsulating this in the Session property.As I said,no other site on which my company has worked that used this pattern saw it ever have any issues -- and that includes some pretty large and highly active userbases.But I want to just get a fresh perspective.
Are there potential multi-user issues, race conditions, or other failings/flaws which specifically could cause session corruption in the above pattern?
Our current application is working fine but when you try to misbehave like we found out that When login with same user in multiple tab with different organization(there is a organization dropdown in the master page which sets the cookie whenever it is changed.) in tab one it is org 1 and tab 2 it is org2 , cookie has the later org 2 in it but when we go back in tab1(which had org1) and save the record org 2 will be saved with the record So can some one share some sort of a checklist with us which address these types of problem.
I am developing a web application. This application is fully customised based on the user settings. Suppose, application hosted on [URL] and user can signup on the website and it will get the domain like [URL] and for user2 will be [URL] so and so forth. so in this case how would I maintain the session for each user? each user will be representing a single website along with public interface and admin pages.
what I am thinking is to store all the setting (for each user) in the database and then when ever server received request then get the user info from the URL (first time only and after get it from the session) and get user details but I am not very much satisfied with this approach.
We have a simple ASP.NET app that uses the ASP.NET SqlMembershipProvider and all is great.
We want to create a second app on the same server, also use the SqlMembershipProvider, but a different "applicationName" so that the user accounts between the two apps are kept separate.
It looks like this would be possible by making the two different app domains (ie they each have their own web.config), but I'm hoping to just put them in different directories so I don't have 3 web.configs (one for each app, and the main one) that all have to be kept synchronized. So what I'm after is:
/web.config /APP1 (uses membership provider in /web.config, with userlist A) /APP2 (uses membership provider in /web.config, with userlist B)
It looks simple to define multiple membership providers that use a different 'applicationName' value.
But how do you tell the system.web.authentication node which membership provider to use?
i have my own DLL (for the data access layer),,i use escaping characters technique to avoid the user input errors ,, but recently i decided to enhance my classes and using parametrized query to prevent all possible errors,Is the modification will be easy or difficult ??how to convert this way to use the parametrized query ..
Because of some situation , I had to save users password in session state for short period of time .it unsafe holding some important data in session state?
I want to access the user session from a web method. But when I check for the session object, its nothing! How can I access the current user's session from the webmethod?
I want to use Profile Properties to keep some user information and move them between pages. I'm wondering if those profile properties are keeping data session based or when I assigned them is it same for all sessions/ Is this a safe method to use them:
I'm writing a simple Intranet application using windows authentication. I want to restrict access to Safe/UCantSeeMe.aspx. I am aware of the AuthorizeAttribute, but this only works on methods. I also found a good post on doing this with the MVC pattern, but I'm not using MVC. This can be done with roles in forms based security. I read on MSDN that using windows based security means roles are based on groups, but it doesn't go into any detail. how can I restrict access to Safe/UCantSeeMe.aspx?
I've recently been tasked with fixing a rather nasty bug resulting from the misuse of session state. We have an asp.net web application that runs on a single sever using inproc session state. The basic design is that a typed dataset is loaded from the database and stored in session state using a common session variable name like Session["dataset"] = dataset. After the data is stored in the session the user edits the data, dataset is retrieved from the session updated and sent to the database for updating. This type of data editingstoring is used across multiple webforms that basically do the same thing. All is good until a user tries to launch a second instance of the application and data stored within the session variable can get mixed up. Here are the possible fixes that I've been able to find
Set sessionState cookieless="false" (every new instance gets a unique session id) PROS - easiest solution, almost no code changes needed CONS - guid in url, user can edit guid, guid can be copied Use a custom session key for every instance (pass a session key around and combine it the "dataset" + session key name so that each instance has a unique session variable) PROS - no guid in url CONS - most amount of code changes, possibly fragile Remove the session variable (Load the dataset from the database a second time for editing) PROS- frees up server resources, no longer dependent upon session state CONS - performance hit, high amount of code changes
I have multiple sites with main and subdomain. all doing one same method for the login. login is done with the multi domain cookie but there is problem with the logout. I'm using cookie and session for that state.
When ever I logout form the any domain. I should logout form the all domain.
(Like yahoo or google)
As per my method , My all domain have logout page which has code
[Code]....
and main site(www.domain.com) have [Code]....
So what can I change in this code to do the Logout process for the all subdomains.
In a multitenant system that hosts multiple organizations and applications, where an organization may use several applications hosted on the system, should my user and role model be such that a single user or role can exist across multiple applications and organizations? Or should I limit a user entity to a single organization/application pair and then define some overarching model to tie those user entities together? That is: John Doe is a person He wants to use ApplicationA and ApplicationB He works for two different companies (just bear with me), OrganizationA and OrganizationB Should the user model be:
johndoe@someuniquesuffix is his unique user name. This gives him access to both applications for both organizations. johndoe@applicationa@organizationa is his username for ApplicationA at OrganizationA. [URL]is his username for ApplicationB at organizationA...and the same for OrganizationB. Then have some "master" list that says that all 4 user accounts for the apps/orgs correspond to the same actual "person", John Doe?
The same scenario(s) described above applies to how I will design my Role schema.
in my web application, what i did is when the user login, i check the username and password to the database, if user name and password match then allow to visit next pages and store the user name on Session, now my doubt is more then one user can use the same username and password(if they are friends then they shared their uname and pwd) so, how to avoid multiple use login?
I am working with asp.net 2.0 and sql server 2005. so trying to describe it below:
THE SITUATION
I have a few tables to hold data for billing information. The first table has each dedicated to each location, and a serial number that can be incremented. The concept is to update this data based on location, every time there is a new bill, so may be location A has serial 25 since it is doing well but location B has serial 5.
THE PROBLEM
SO based on this requirement I need to update a table to get the latest serial for a particular location and then use that serial for other tables which will be holding the billing details. The second part is as regular as it can be, but generating a new number, and getting this value is my problem. Since this will be multi user system, so I want some robust solution. I do not know whether I can use a identity field for this purpose or not.
I have a webservice which of course has to be .net 3.5 (a side note is does anyone know why you can't create a webservice using .net 4.0?).
Anyhow it is using entity framework, which I have recently discovered was a really bad mistake to try to use this in .net 3.5.
I have a table "Licenses" with the following columns: LicenseKey, ProductCode, OrderID, Seq, UserName.
In my asp.net 4.0 application I can simply do the following to perform an update:
[Code]....
But it appears there is no ExecuteStoreCommand in .net 3.5 with entity framework. Can anyone explain to me how to accomplish the same thing? The thing I need to point out is that because this is a multi-user access service. I need to verify that SQL will only update the given record where OrderID and Seq is what I tell it ONLY if the UserName is already null. So if two users process the same statement at the same time only one would work and the other would not because the sql should fail (or return 0, rather than a 1) for the second one.
I've got a system where tasks get loaded and assigned to staff members.
I'm thinking of how I would like to somehow refresh a client page for a staff member if a new task gets assigned to that staff member. Some clerical people will be loading and assigning tasks to staff members.
How have you all handled this type of refresh in a webby environment. I'm fully jQuery and Ajax so I've got the tools...
I need to create a singleton that would hold lots of data for a spedesign patterns - Singleton behavior with multi-user requests in ASP.NETcific user. However, I am not unclear as to what the behavior of that singleton is in regard to multi-user app requests.
Here is the scenario:
On AppStart event I want to load common data for all users (from SQL) and store it as a collection somewhere within the ASP.NET storage mechanisms.
If I store that data in the cache, I would also have to create a static property in the Global.asax that would provide access to that the data from the cache.
This is not ideal because whenever an instance of any particular page, or generic handler, or what have you tries to query this data using Linq the property has to load the data from the cache... introducing latency. I need this data to be immediately available. (think of it as about 5K rows of data stored in collection of objects...)
I was thinking to use a singleton to get that data, and store it but I don't know how it would behave between requests (and postbacks), as well as application instances, in terms of its persistence.
On PostAuthenticate event I want to get user specific data from SQL in the form of a collection. If i store it as a singleton (in a similar manner as the common data) i am not clear as to:
How is the data persisted? What is the scope of that singleton (it should be for the duration of the user session). How can I ensure that the data is immediately available to whatever needs to consume it? What happens between post-backs to that singleton? If another user logs in would another instance of that singleton be created for that specific application instance?
I have to choose between Server.transfer and Response.redirect for an Intranet application for navigation. I have chosen Server.Transfer as of now because it avoid extra round trip to server and which will help when so many users will be accessing the application. (I believe this is the main difference between reponse.redirect and server.transfer). But the problem is now that URL won't change on Server.Transfer(I don't want to implement Http headerS, as I am afraid it will take time to implement that).on redirection, I want to do something like taking benefit of server.redirect(in avoiding server processing, which happens in response.redirect) and changing the URL(as it happens in reponse.redirect).Can anyone please suggest a quick solution to it or may be help me Telling How many users can reponse.redirect can support ?
Let suppose, I am building an asp.net website which has login scenario in it. I want to provide a certain functionality to the website that if the user is already login on computer 1 and now try to login on computer 2, so he will be allowed to remain login on computer 2, while automatically logout him from computer 1. I also know that http is a stateless medium, so whenever user interact with computer 1 and try to interact with the page, it will get noticed at that time.
