Membership Services Is Separate From Session / Forms Auth Token Is Still Hanging Around In The Browser
Feb 9, 2010
In our application, we have a need for a user to "impersonate" a different user. Think of it as a hierarchy -- Bob is above Frank in a hierarchy. Bob is logged in, and he needs to do things in the system for a short time as Frank. So, we have given Bob a list of users that report to him, and an impersonate link. He clicks on this link, and, behind the scenes, I log Bob out, and log in as Frank. I also set a session variable that tells me that really Bob is they guy who is the user. Also, Bob (acting as Frank now) has a nice little link at the top of every page that says "Stop Impersonation."
In addition, when Bob is impersonating Frank, Bob is restricted from doing some things, like changing Frank's password.
This was working great, until we encountered a situation where, if the session (I think -- getting confused here) gets destroyed (such as when I copy up new code and dlls to the live site), then when Bob clicks on "Stop Impersonation" he gets redirected to the default page, and is still logged in as Frank, but without the Impersonation session variable. So, now Bob really is logged in as Frank, and can change Frank's password (among other things).
How is it that a session variable (Impersonation) gets destroyed, but I guess the session is still hanging around, because it doesn't make the user log in again?
This is a somewhat serious bug for how our system works (bug in our code, I'm sure, not in .Net). We are using ASP.Net c#, aspnet membership services, .net 3.5, forms auth...not sure what else you need to know.
EDIT: Updated information. Looks like when "something" happens, for instance, when I recompile some dlls and copy them to the webserver, the session gets dumped. Or, rather, the variables in the session get dumped. The session id stays the same. I do get to check for Session.IsNewSession and it returns true, even though the id is the same as it was before.
Just like Utaal mentioned, Membership Services is separate from Session, so it's forms auth token is still hanging around in the browser, but my session variable telling me that that isn't really the user who is controlling the browser isn't there anymore.
EDIT: Sky, here is what I'm doing to authenticate a user. I can't figure out where I would insert a ticket into this flow:
if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
View 2 Replies
Similar Messages:
Feb 21, 2011
We're running IIS7 and have windows authentication enabled. Everything else is disabled. When we go to the page though, we aren't prompted for a windows logon, but are redirected to the default forms authentication login page (Accoun
View 1 Replies
Sep 26, 2010
if it is possible to use a WCF Dataservice as the MemberShipProvider for a forms auth application. I have written code for a provider (below), but I do not know what to do as far as a connection string, or any other web.config properties.
Please Help!!! Here is the code for my provider, anytime it says Odbc that is because I based this off of the custom Odbc provider on the msdn site. The only ACTUAL references to any odbc connection are in the comments:
[Code]....
View 1 Replies
Nov 18, 2010
I need this up and running quick but I spent the last few hours researching/worrying about which would be better:
Asp.net Forms Authentication
vs
Custom Header Token:
On the server
[code]...
View 1 Replies
Feb 23, 2011
Been scratching my head on this one today quite a bit. Time to ask the guru's.Implementing your basic Forms Auth for a 2.0 web app in conjunction with SQL Membership Provider and Role Provider. Web.Config from virtual directory root
[Code]....
All other subdirectories do not contain web.config files but rather wanted them to just work off inheritence from the root web.config. Upon publishing of this setup - I am having one hell of a time maintaining the user 'authenticated' state. (Not sure if that's the best explanation of what is going on.. but)
View 4 Replies
Feb 17, 2010
We have developed a system to allow users to access another one of our web applications by placing a token in the db and then when they redirect passing this token in the browser to the new apop and using that as an authenication method. However I am thinking that it might be better to simply place this token in the browser cookie as then the user doesnt have to physically click a link they can simply do straight to it because the token wont be in the query string anymore....
Will it add much of an overhead doing it via cookies are there any disadvantages?
View 4 Replies
Mar 18, 2011
I'm writing up a security document and it would be great if programmers in other languages than PHP could chime in on (perhaps the default) way sessions are passed by URL in their language's default session handler.
eg. PHPSESSION=token in PHP
Oh, and if yes does it also use cookies?
View 2 Replies
Jun 15, 2010
I've two application ASP.NET (once is Mojo Portal). I can navigate from one to other using an URL token id.
To this way, by token, I create a new session and save the relative auth cookie.
But, sometimes, the asp web application don't keep the session and put me down. When this happen I can't login until the session cookies is not deleted.
Both the two application are behind an reverse proxy.
View 3 Replies
Nov 1, 2010
Do you keep the developer's control panel and the application's web service, in 1 project? or do you separate them into 2 different projects?(Developer's control panel, is used to setup the web service API, check logs, read document specification, and details about each web service)When you host the solution you would do something like this..developer.domain.com <-- developer's control panel
api.domain.com <--- web service api
or
api.domain.com <-- both developer's control pnel and web service api
View 2 Replies
Feb 1, 2010
The session state timeout is set using this web.config element
<sessionState mode="InProc" cookieless="false" timeout="120" />
The forms auth is configured using this web.config element
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name=".ASPXAUTH"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false" />
</authentication>
</system.web>
What is the difference between the timeouts specified in each of these elements? If both are different, how would it work?
View 2 Replies
Jun 1, 2010
I have a web application which uses membership and profiles. I successfully used the WebProfileBuilder extension, so my profile class is correctly generated, and is working nicely. However, after a new request of my client, I need now to move that profile management part into another assembly (so I'd be able to get profile information in a windows service running on the same machine).
What I made is created the new assembly, moved my generated profile file, and tried to use it from the other assembly, but without any success. I always get a SettingsPropertyNotFoundException. My thought is that the profile system doesn't know where to find its connection information, so I tried to add the connectionstring and provider in the app.config of this assembly, but this doesn't seem to work.
View 2 Replies
Sep 21, 2010
I am using asp.net membership for all the users and roles, right now i have a website on which i have created 2 roles "admin" and "member" in this website i create accounts, so all the accounts are separated/distinguished by account name now i was to add one more role "accountholders" and i want to add this role in such a way that an account holder will be able to see his / her account's stuff ...
i as admin will be creating username and password for accountholders and i will provide them their login credentials so that they can login and see what's in their account. My idea of creating account is that, the accounts that i have in my database will be the key, so when i will create username for particular account , in the create user wizard i should have a drop downmenu will all the accounts name. so the user that i am
creating will be linked on that account only ..
View 4 Replies
Jul 17, 2010
I am using the ASP membership services to create and manage users. I notice that on user account registration everything works fine... Until I call Roles.AddUserToRole, and suddenly I get a second user account created in the aspnet_users table. I am quite certain that I should only ever have one user account in the database per registered user...
View 2 Replies
Sep 13, 2010
Is there any way to use Asp.net's membership services through a web service? My boss, for some reason, wants this...
View 1 Replies
Feb 28, 2010
how to maintain session id in windows services in c#.net ,please help me regarding this issue.
View 2 Replies
Sep 29, 2010
In parent page there is an imagebutton. What I want to when user click this image button, another page will open with width=200 and height=100 with no toolbar.
View 11 Replies
Aug 27, 2010
I am using uploadify to upload files to the server. After the user selects one image, a callback is issued and the image is stored to the server. To track which images are saved, I stored each item in a generic list and later store that list inside a session variable.
The problem is, the callback has a different session then the page where I will be posting back to parse the session variable.
My question is why do callbacks have different sessions then the underlying page that issued the callback.
View 1 Replies
Jul 23, 2010
best and secured way to pass the asp.net session token from page to page.
1. cookies (not secured)
2. url (not secured)
3. hidden fields ?
using hidded fields is right way to pass ? how to pass using hidded fileds? how to disble the session token in cookies and also in url (session state conguration)?
View 1 Replies
Jul 15, 2010
I have a website live in asp.net
now if user closes browser. the session does not get killed.
I spoke with friend and he said that cannot be done as sessions are on server.
but i see banking website who kills session when browser is closed.
View 10 Replies
Aug 5, 2010
I have been spending a better part of a week trying to track down why I am not able to clear all session variables in a web app (vs 2010, vb.net). What I have tracked it down to is that when I remove or abandon sessions that my html pages or codebehind access, it works, but for some reason in any of my class files where I use "Public Shared strConnection as String = HttpContext.Current.Session("strConnection").ToString" to access a session variable, it finds the old one and not the current one. I have to wait for it to time out, go in again, and it will find the new one.
I do not use Linq, and there is only one place in the whole web app that I place the connection string in a variable whcih is when a person logs in. It points them to the correct database. The sqlconnection is set for all of my listviews in Page_Init to make sure that they aren't using any session variable that they create on their own. Interestingly enough that if I use debug to go in each time, exit debug, enter debug again trying to access a different database, it works correct each time. I assume that debug is correctly killing the session variable for the classes for me.
View 4 Replies
Jan 24, 2010
I have a menu control on a master page with mouse hovering effects that is populated dynamically. Now i am playing .flv video on the content page. Everything works fine, but when a mouse is hovered on a menuItem, .flv video is hanging. Is it because of javascript execution when the mouse is hover on a menuItem?
View 1 Replies
Mar 16, 2010
I have two WCF services configured with ASP.NET compatible mode to allow them to use ASP.NET session state. The problem is as follows:
1.- A call to the first service stores a value in the ASP.NET session state.
2.- A second call to the first service can read that value.
3.- A call to the second service can't read the ASP.NET session state value.
It seems that the ASP.NET session state is not shared between the two WCF services. Is there a way to share ASP.NET Session state between two WCF Services?
View 2 Replies
Aug 10, 2012
In my website, when user logged in, I maintain his/her username in a session but when user opens another tab and use the same website at that time session doesn't work.
For Example: User logged in with his/her details in my website and than when he open another tab of same browser and browse same website at that time it doesn't maintain session for that user.
View 1 Replies
May 1, 2010
I'm missing a the code browser when I create pages that have the code not placed in a seperate file. For pages with .asp.vb files I get the browser correctly.
I think it's called a code browser but just in case it's not I mean the dropdown that shows Page Events, Buttons and other controls that can be selected along with their events.
How do I turn on those dropdowns for pages with code behind that uses <script> tags in the actual .aspx page?
Included (Showing page events just under the tab):
Missing
View 1 Replies
Jun 2, 2010
I am finishing up my asp.net web application targeting .net 4.0. I am using VS2010.
I have deployed my application to a host server and now I am testing with multiple different browsers.
The first issue I ran into comes down to the following code:
[Code]....
If I use IE, login and click something that causes the above code to execute then currentUser is NOT null. However doing the exact same steps in FireFox currentUser is null, even though I know I am logged in as my name and other indications on the webpage confirms I am.
------------------------
Update
----------------------
Since originally posting this thread I have done more testing.
I placed a test button on a random page and the button click will update a label on that page indicating if the currentUser is null or not. This button works both in IE and in FireFox. Also both running locally and running on the host server.
----------------------
So now I am looking at what is different about the one place it appears not to work so let me try to make this clear.
I use a component called Uploadify to upload images into a database. That component calls a page/request called ImageUploader.ashx which inherits from IHttpHandler. Here is all the pertainent code from that file.
[Code]....
The problem is when calling from FireFox, imgProvider.Status = null. This is a problem because the ImageProvider will try to insert a record into my database and the column for Status cannot be null so that causes it to crash. I made the change to detect if Status = null and return the user id if so as an error message to help me debug. To understand how Status is set you only have to look at a little code in the ImageProvider class:
[Code]....
You will notice when the ImageProvider is created it calls ClearFields(). Inside ClearFields() is where it gets the currentUser and if not null it sets the UserID property, which case the setter for UserID must set Status to either Approved or Pending. Whats happening is ONLY in FireFox, and after more testing, ONLY on the host server does currentUser = null even when I am logged in. but in other areas of code I can get currentUser and it works, also this works fine with IE, it also works fine with FireFox running locally. So I have icolated it down to this specific piece of code, when using FireFox, when running on Host server.
View 9 Replies