Security :: .Net Security Challenge Does Not Include Session Variable Upon Reroute
May 1, 2010
I'm hoping this is a simple configuration setting that I have incorrectly defined. I have an application that has a secure (members) area. If a customer tries to browse directly to the secured page (http://www.mysite/members/memberpage.aspx) asp.net loads up my login.aspx page. When the user successfully authenticates from the login.aspx page they are taken to the secured page they originally requested (so far so good!).
The problem I have is that I run some SQL using the User.Identity.Name on the secured page as a reference to who the logged in user is. This way I can show some customer specific information. When I take the login route outlined above, the SQL doesn't seem to run (or the Session Variables aren't loaded yet?)... my page loads up with no customer information in it. If I browse to another page and then back the customer information shows up and all is well.
View 1 Replies
Similar Messages:
Mar 17, 2011
Is it possible to bypass the NT challenge login, and just have a standard webform login, then authenticating programmatically as that user and passing those credentials manually to my connection string so that the database sees me as that user?
View 1 Replies
Jan 21, 2011
Is there any way that I can create a session variable AFTER authentication? It needs to be populated from the user's record in a SQL database. Basically I tried using Application_AuthenticateRequest in global.asax with an application variable but this made it available to all users. Using Session_Start is not working as when this runs my user is not currently logged in, so the variable is always empty when I try and grab its value.
View 3 Replies
Apr 2, 2010
I got one register page and a register confirmation page. The first page I use to let the user enter all the data to register. For the second page, I put a CreateUserWizard and use session to display all the entered data. The problem is, all the data in label form can show except username, password and e-mail, which I made text boxes. I have declared them in the Page_Load (I use username only as an example since all fields are about the same):
[Code]...
View 1 Replies
Aug 3, 2010
I'm sure I've done this before, but can't remember the syntax. How do I include a session variable in NavigateUrl in a hyperlink?
I've tried this:
<asp:HyperLink ID="lnkMyLink" runat="server" Text="My Link"
NavigateUrl='<%# "http://absoluteURL.org?param=" +
Session["myParameterValue"].ToString()%>'></asp:HyperLink>
and this:
<asp:HyperLink ID="lnkMyLink" runat="server" Text="My Link"
NavigateUrl='<%# String.Format("http://absoluteURL.org?param={0}",
Session["myParameterValue"].ToString()) %>'></asp:HyperLink>
View 2 Replies
Mar 29, 2011
For my current project I am using forms authentication. What occasionally will happen is a user will time out (unbeknownst to them), they try navigating to a different page (call it Page B) and they get kicked back to the login screen. This is fine and I have no problems with this.
However, after they enter their credentials and are authenticated they are redirected back to "Page B" and an error is produced because a session variable wasn't loaded. This is due to the fact that they were redirected to "Page B" instead of the page they would normally hit after a login (call it Page A). Is there any way to force the user to go to Page A instead of Page B in these situations to avoid these errors?
View 2 Replies
Jun 10, 2010
I'm trying to see what is the best way to include some protection against XSS in a web app but it needs to be easy for the developer!
Let me explain. I'm going to provide a library for the developers which will include the security controls. I'm thinking I have two choices:
1) Include some HTML encoding functions in that library e.g. AntiXSS and let the developer call the function every time he needs to output something
e.g.
Response.Write(AntiXss.HtmlEncode(value));
2) Create a new write method
Response.Writesecure(value)
The writesecure method would then call the appropriate functions and it would be transparent to the developer.
Additionally, I can write some easy code analysis scripts that will identify the use of the standard Write method...
View 3 Replies
Feb 3, 2011
I created a user control for my web application that checks for Session Timeout. If the criteria are met for Timeout, I use Response.Redirect to send the user back to the login page. I include this user control in my Master page, and run the Session Timeout code in the user control's Page_Init event. That all works great. However, once the user logs in again after time-out (and I have verified that the OnLoggedIn event does fire) the user is redirected to the DestinationPageUrl. That page runs the Session Timeout check when it loads (as it should) and the Session Timeout code "says" that the session is still timed-out.
View 1 Replies
Nov 22, 2010
Currently in an .aspx file, I am storing a value (filename that was created in that session) in a hidden text box. When the user clicks on the "Print" labeled Hyperlink control, it opens the file that was stored in the hidden text box control. But when the user goes to a different screen (in the same session), I lose the filename value that is stored in the hidden text box control. So I would like to store the filename variable in a session variable, so that if the user leaves this .aspx file and comes back to this .aspx file I can load the value into the hidden text box from the session variable.
View 11 Replies
May 20, 2010
I would like to check if someone tries to access the application with the same username from a different browser/pc/etc. All usernames and passwords are stored in a MSSQL db.
What I am doing at the moment is: In the global.asax-file in Application_start(..) I initialize [Code]....
Now with every user that logs in I can check whether he is already in (in that case, he won't be able to log in, he'll be redirected to the login page). Let's say it's the same user who wants to log in but for some reason he wants to start the application from a different PC, maybe in a different building. Unless he hasn't forgotten to log out, he won't be able to log in on this different computer. So he would have to go back and log out or wait for the timeout.
Now wouldn't it be more convenient to abandon the first session and let the same user log in to the PC where he is right now?
The question is, is it possible to end the first session without being in it? Or is there any other solution for that problem? Since I have the SessionID stored in Application["UserList"] is there any possibility to end that specific session?
View 3 Replies
Aug 28, 2010
I am using Forms Based Authentication. I have extended the Forms Authentication Tables creating a custom table called Profile_Contact that holds the user's GUID, username, email address, and other information. I have another table called Profile_Account which holds company account information such as Company Name, address info, phone numbers etc. This table has a Key Field called IDProfileAccount. I include the IDProfileAccount field in the ProfileContact user table so I can associate the user with a specific Company. For the login page, I am using a basic login page created using the Visual Studio login controls. When the user logs in, they are sent to the appropriate page as identified by the role the user has been given. This all works great.
Now I need to extend the login page so that when the user logs in not only is the user's name and GUID placed in session, I would also like to have the IDProfileAccount record placed in session as well so that I can filter the records the user sees as only those records of the Company the user is associated with. I know how to add a static variable to a session and how to retrieve them to filter data, what I need to know is how to retrieve the data from the SQL table on login and send it to the session. I would think it would be something along these lines:
[Code]....
View 3 Replies
Dec 9, 2010
Can we grab a global variable or Session or View State variable in JavaScript or using jQuery?
View 2 Replies
May 17, 2010
I have a web application which uses a session variable to store the logged in userid. If no user is logged in, of course this variable will be empty and the contents displayed on my website are meant for guests. If there is a user logged in, the user specific controls/access/links will then be displayed.
I am now having issues with my hosting where on a shared application pool, the worker recycle is triggered every 90 minutes, this will clear sessions causing all my users to be logged out. I opted for a dedicated application pool, which got worse because I am only allocated a 50MB memory limit and if this is reached, the worker recycle is triggered and I lose my sessions again. I have tried as many optimization techniques as possible, e.g. dispose where possible, close connections, disable viewstate for static controls etc. but my memory per instance keeps building up from page to page without any signs of improvement. I don't use loops nor store huge objects like bitmaps etc. but my sessions are now gone even faster than the 90 minutes in the shared application pool before.
I have considered using SQL Session State but there isn't a simple guide on using this with MySQL. I am getting desperate and considering using a public variable, a string as a replacement to store the logged in user id instead of in a session variable. I am pretty sure this will solve my issue with sessions being recycled but are there any negative consequences of doing this? One problem I can think of is if the user closes the browser, the system will never know that the user is now logged out and this public variable should be nothing. In this scenario, will the GC eventually clear this abandoned public variable?
View 10 Replies
Mar 15, 2010
I'm using the ASP.NET login control.
How can I set the session timeout?
View 2 Replies
Feb 4, 2011
I have an MVC web app and want to set up the security in a fashion that is NOT persisted. The problem is that if a user logs in and closes the browser (all instances) and opens a new browser, goes to the site, he/she is logged in automatically. I want the "session" to expire if you close the browser but I cannot seem to get the answer.
I have authentication mode="Forms" in the web.config and all my username/passwords are kept in a custom SQL DB. I can see that on login, ASP.NET drops a cookie called ".ASPXAUTH" that expires in 30 minutes. I changed it to expire "At end of session" but if I close the tab I can see that that cookie is still active.
What do I need to do to get the browser to force a login if the user closes the tab or browser?
View 4 Replies
Mar 16, 2010
I got this login system where I need to set a session for when a user logs on. Each user has 2 IDs, and I need to get one of them to get the right content from my DB... So how do I get my user's IDs from my session?
View 4 Replies
May 5, 2010
I am doing web based projects in dotnet. Currently I am implementing security using session variables. I keep current user id and user type in session and authenticate user from these session variables (say Session["UserId"],Session["UserName"] and Session["UserType"]).
I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get session id and directly connect to that session id etc.
View 1 Replies
Feb 24, 2011
I recently read an article on making ASP.NET sessions more secure here and at first it seems really useful.
Previously I had been storing the user's IP address in the session, then making sure in every subsequent request that the requesting IP was equal to the stored IP.
The code in the article also protects the session by checking the IP address, except it stores a hashed message authentication code containing the user's IP as part of the session cookie. It creates a hashed MAC twice every request, which I imagine would slow things down a little.
I can already see a potential flaw in their code: if you were to somehow get a hold of the key used to generate the MAC, you could then generate a valid MAC with your own IP - you wouldn't even have to fake the IP the session was started on.
It seems like an overly-complex solution to a simple problem which not only incurs a larger overhead but also is more susceptible to attack than the trivial method - unless I'm completely missing the point.
So, why would this approach be any more secure than the more simple approach that I had been using?
As a slight aside, the author also states that you shouldn't use the whole IP address in the comparison, as some users' IPs change every request if they are behind a proxy. Is this still the case if you check X_FORWARDED_FOR?
View 1 Replies
Jan 2, 2011
Using the Login control, which I just dragged and dropped from the toolbox, when the user successfully enters his or her username and password, I want the username text to be set as a session.
View 2 Replies
Jun 4, 2010
Using Membership. How do I save the user name when you first log in?
View 5 Replies
Jan 24, 2011
I don't believe the built-in membership saves username in session, does it? If I'm not mistaken it's saved in a cookie. I've implemented the ImageManager add-on for tinyMCE and am trying to set the default folder for images based on the authenticated user's username. Looks like out of the box, ImageManager allows this by getting the username from session.
View 1 Replies
Mar 10, 2011
I would like to insert a GUID into my table, then pass that variable to another page where I will use it in an email validation. Is this how you create a GUID?
[Code]....
Is this how I would insert it into my table?
[Code]....
View 6 Replies
May 13, 2010
I have a web site that streams on demand video content. The video content is stored and delivered from a separate SMD platform. My website submits a url request to the media server in order to get the media to display. My user session data is held in a SQL Server database on another separate server.
I think the best way for me to do this is to create a web service that can validate a session id. So when I create the url on my web site I include the encrypted session id. The media server then sends this encrypted token to my web service which in turn decrypts the token and validates the session id against my database and then returns whether valid or not which is used to check if the content can be displayed.
View 2 Replies
Feb 19, 2010
My web.config file contains:
<system.web>
  <membership defaultProvider="AccessMembershipProvider"
              userIsOnlineTimeWindow="30">
    <providers>
      <clear/>
      <add
        name="AccessMembershipProvider"
        type="Samples.AccessProviders.AccessMembershipProvider, SampleAccessProviders" .... >
    </providers>
  </membership>
I expected this would set 30 minutes as timeout for inactive sessions, but they seem to be timing out much sooner.
Is there some other way to specify time for session timeout?
I know I am using an unsupported AccessMembershipProvider which I was forced to do because my host service does not support SQL Server Database (so I am using an Access Database).
However, this AccessDB provider seems to work fine in all other respects. I'm suspecting that the early timeout is because of some other obscure setting.
View 1 Replies
Sep 3, 2010
I usually like to do it the hard way, just to get a feel of what you can do! In ASP.NET there is probably a really simple way, Forms authentication etc., but this is what I have. I know from previous experience that you should never save a cookie that contains a password, so how to connect a session to a cookie when the user accesses the website, with saved cookie information?
I thought about using a Guid in the cookie, and then checking the database to see if that Guid is available, but this could have a sort of password-like effect.
[Code]...
View 1 Replies