Security :: Common Session For Different Browser Instance
Aug 25, 2010
I am working on a website which uses a common database shared by another 2-3 websites. Now i am having a requirement that whenever a user clicks a link provided on another website and comes to my website and if the user is already logged in to my website then my website should not ask him to login again it should by pass the login page and show the next page.
Here the problem is i am not able to get the session objects in newly opened browser window even if the user is already logged in to my website in another browser window. I am not sure but i thing IE uses two different processes for two different browser instance and because of that i am not getting the session objects required. I can not ask the another website vendor to pass anything as a querystring.
I am using forms authentication in asp.net application. This is working fine in internet explorer. Opening application in firefox is also fine but when i login in second instance of firefox, application in first instance logs out. Following is my code for creating ticket and cookie.
FormsAuthenticationTicket objTicket = new FormsAuthenticationTicket(1, sUserName, DateTime.Now, DateTime.Now.AddMinutes(60), false, "");
When the browser is closed (w/out clicking on log out) and user launches the site using a new session, it does not prompt user to login credential page, rather it takes the user back to the previous session.
I have a case where i have two asp.net applications, one is hosted on example.com/App1 and the other on /App2.
both applications are password protected using Windows authentication.
App1/default.aspx has a <img src="/App2/somefile.aspx">
Now what happens when i open App1 is that i get the credentials prompt, but because App2 is also protected, the HTTP GET for the img requires me to authenticate, in other words i get two prompts.
Is it possible to do something so that the authentication is for example.com so that both App1 and App2 consider the user authenticated?
I have been spending a better part of a week trying to track down why I am not able to clear all session variables in a web app (vs 2010, vb.net). What I have tracked it down to is that when I remove or abandon sessions that my html pages or codebehind access, it works, but for some reason in any of my class files where I use "Public Shared strConnection as String = HttpContext.Current.Session("strConnection").ToString" to access a session variable, it finds the old one and not the current one. I have to wait for it to time out, go in again, and it will find the new one.
I do not use Linq, and there is only one place in the whole web app that I place the connection string in a variable whcih is when a person logs in. It points them to the correct database. The sqlconnection is set for all of my listviews in Page_Init to make sure that they aren't using any session variable that they create on their own. Interestingly enough that if I use debug to go in each time, exit debug, enter debug again trying to access a different database, it works correct each time. I assume that debug is correctly killing the session variable for the classes for me.
The web app in question provides a UI for editing a client (in the business sense, not the browser sense), identified by a ClientID. I store the ClientID in Session, which gets passed from page to page, along with a number of other pieces of data in Session. Works great.
The problem is that if the user opens a new browser window using Ctrl N or File->New Window (in IE), the new window comes up with the same page as the current page, with the same session info. Then if the user navigates to a different client in the 2nd window, the ClientID in session refers to the new client. If they go back to the original browser window and save, the original client gets saved using the 2nd ClientID, and all hell breaks loose, because now the data from the two jobs are intertwined.
I have enabled trace and verified that the new browser window uses the same SessionID as the original. If an entirely new instance of IE is opened, it has a different SessionID, so is not a problem. I have not yet investigated other browsers, such as Chrome or Firefox.
Is there any way to determine if a browser instance is opened for a web app which is already open in another window or tab? Or to prevent that from happening?
We have a very large .net site using the sql membershipprovider offered by .net. We need to join this to a ruby on rails project - allowing login to both platforms. The ruby project shoudl be able to read and write to the .net's profile information - but additionally may store extra records against the user. The .net user record should always be the master, with logins anthenticated against this. What is the best way to open up this membership provider - via api or similar. We need something that is easy to snap into the RoR solution but secure enough and extenable enough to meet our needs. Is there some way to add on openID or similar to the .net project - and would this be what is recommended or is there a better standard to allow us to link our users.
Other features we would need to have shared are: shared email address, email verification email for both platforms. Both systems have independent CRMs and email systems so unsubscribing from these would also need to be linked preferably with an independent unsubscribe system.
I'm a bit of a newbie when it comes to AD... But what I want to achieve in the first instance is to use the AD to display the staff name and e-mail address from Active Directory, when they are logged onto the company Intranet. Using the 'login status' I can display domain/username, but would prefer the 'CN' and e-mail address to be shown instead.
I'm using C# and I've got as far as putting Using System.DirectoryServices in my references and .cs file
Staff are authenticated using "Windows" authentication rather than "forms" as they would already be logged onto a PC and should not require to log onto the Intranet again
PS Tried to search through the forums, but the examples shown seem to be to retrieve multiple users / info from AD and I hope my request is a 'simpler' fix
I have a solution I'm working on in VS2010 Professional, using ASP.NET 4.0 with the AJAX Toolkit.This has been working fine, but when I started it up today, I got the runtime exception shown above. This exception occurs on any page with a control from the toolkit.Sometimes when I load a page, I get an exception "Could not load file or assembly 'System.Windows, Version=2.0.5.0, Culture=neutral, ublicKeyToken=7cec85d7bea7798e' or one of its dependencies. The system cannot find the file specified." If I then reload the page (without making any changes), I then get the exception shown in the subject line.I tried dragging an AJAX Toolkit control from the toolbox onto a page, and then deleting it, and that worked - once. The next time I tried the page (or any other), I got the exception again. Dragging a control out didn't help this time.
I've recently been tasked with fixing a rather nasty bug resulting from the misuse of session state. We have an asp.net web application that runs on a single sever using inproc session state. The basic design is that a typed dataset is loaded from the database and stored in session state using a common session variable name like Session["dataset"] = dataset. After the data is stored in the session the user edits the data, dataset is retrieved from the session updated and sent to the database for updating. This type of data editingstoring is used across multiple webforms that basically do the same thing. All is good until a user tries to launch a second instance of the application and data stored within the session variable can get mixed up. Here are the possible fixes that I've been able to find
Set sessionState cookieless="false" (every new instance gets a unique session id) PROS - easiest solution, almost no code changes needed CONS - guid in url, user can edit guid, guid can be copied Use a custom session key for every instance (pass a session key around and combine it the "dataset" + session key name so that each instance has a unique session variable) PROS - no guid in url CONS - most amount of code changes, possibly fragile Remove the session variable (Load the dataset from the database a second time for editing) PROS- frees up server resources, no longer dependent upon session state CONS - performance hit, high amount of code changes
I have hosted my web forms files and reports files two different IIS instance in same server. When user login i keep username inside session variable. According to that session variable i checking roles each web forms page load event. i share session variable between two difereent IIS instance in same server?
I have a web application using window authentication. There are a search page and a edit page in the application. In search page, user can enter some search criterias in the textboxes and the search result will be displayed in the gridview by clicking the "Search" button. User can select any row from the gridview and it will take him to the edit page. In the edit page, there is a "Back" button to take the user back to the search page. I use session variables to remember what the search criterias the user entered in the textboxes and what page number the user was in the gridview. So when the user goes back to the search page, the textboxes are pre-populated with the search criterias and the gridview is displayed in the correct page number.
The problem is: If user1 opened one browser window and did a search using search criterias1, then user1 opened a 2nd browser window and did a search using search criterias2. When the user1 went back to the search page from the edit page using the first browser window, all the textboxes and page numbers are from the 2nd browser window, instead of the 1st one. Can anyone explain this problem to me and how to prevent it? It will be helpful too if you can give me some links about the similar problem. I am thinking if the same user logged on two different machines and did the search on each machine, what is the result?
I noticed that when i am debugging my web application in Visual Studio 2005 using IIS, after about 10-15 minutes of inactivity, when I do something in the application such as a postback, I get an immediate error saying: "object reference not set to an instance" and my code breaks somewhere.Is my assumption correct that this is because my session has timed out? ( i do have a 15 minute default session time)my next question is, how do I display or set a way so that like many other pages, when the session has expired, a message will say: "This page must be refreshed" or "Your session has expired, click okay to refresh page" and start over again?
Lets say I am doing a shoping cart. I authenticate the user with a session variable.For example:
If(Request.IsAuthenticated) // Here I want to add to the shoping cart. // Can I do the following Session["Cart"] = "Washing Machine"; Now will this Session["Cart"] value which is washing machine here be unique to diff customers?
With-in my Web App, I would like to be able to create a completely new instance of Internet Explorer, keeping the original functioning as well. No problem doing a Response.Redirect or server.transfer to a new web page, but what I am trying to do here is to open a completely new explorer window. I would like to do so transferring a few session variables to it.
I created a user control for my web application that checks for Session Timeout. If the criteria are met for Timeout, I use Response.Redirect to send the user back to the login page. I include this user control in my Master page, and run the SessionTimeoutcode in the user control's Page_Init event. That all works great. However, once the user logs in again after time-out (and I have verified that the OnLoggedIn event does fire) the user is redirected to the DestinationPageUrl. That page runs the Session Timeout check when it loads (as it should) and the Session Timeout code "says" that the session is still timed-out.
In my web application, I use an exit button which runs session.abandon to close the session and then close the browser.It does not work with multi-tabs in IE. If I open my application in two tabs, I click on the exit button in one tab which abandons the session and close the tab. But the application in another tab can still work.Is there any way to close the session for this application in all the tabs?
In my website, when user logged in, I maintain his/her username in a session but when user opens another tab and use the same website at that time session doesn't work.
For Example: User logged in with his/her details in my website and than when he open another tab of same browser and browse same website at that time it doesn't maintain session for that user.
I would like to check if someone tries to access the application with the same username from a different browser/pc/etc. All usernames and passwords are stored in a MSSQL db.
What I am doing at the moment is: In the global.asax-file in Application_start(..) I initialize [Code]....
Now with every user that logs in I can check whether he is allready in ( in that case, he won't be able to log in, he'll be redirected to the login page ). Let's say it's the same user who wants to login but for some reason he wants to start the application from a different pc, maybe in a different building. Unless he hasn't forget to logout, he won't be able to login on this different computer. So he would has to go back and logout or wait for the timeout.
Now wouldn't it be more convenient to abandon the first session and let the same user login to the pc where he is right now?
The question is, is it possible to end the first session without beeing in it? Or is there any other solution for that problem? Since I have the SessionID stored in Application["UserList"] is there any possibility to end that specific session?
I need to create .net membership user instance for a database living in a different server than the one I'm coding in. What is the best way to do this?Should I do it though Sql Server stored procedure? or should I use a separate provider (therefore having 2) in my web.config?
I need to create this user without using the "create user wizard".
