Web Forms :: Session Identifier Is Not Updated Properly ?
Dec 15, 2010
I have an ASP.NET 3.5 Web Site.The application has to pass the IBM Rational AppScan before we can push to production.
I am getting the error:
Severity: High
Test Type: Application
Vulnerable URL: http://mytestserver/myapp/login.aspx
Issue: session identifiers is not updated
I am having a problem with partial postback through update panel, Update panel is not working properly in my asp.net app with IE8. But app works fine if i switch to compatibility mode of IE8.
We have a SQL agent job tied to an SSIS package that process does an Update process on the dimensions and a full process on the Facts. In the morning the cube is showing that it is processed but the new data is not present. When it is manually run the SSIS package, it seems to work fine. Basically there is job having two steps, one is to update the BI Cube and next step is to update dimensions and facts. This jobs runs perfectly without any error, but first step executes as per the expectation and second fails to update with latest data. If we try to manually run the SSIS Package of the second step it perfectly updates with the latest data.
Right now I am creating this session with the session key "PhonePart" which is also the name of object I am passing in as a parameter in first method. In subsequent methods, I use the the same name to retreive and clear session value. My problem is, this approach works fine If I instantiate a single object of the class where these methods are defined and using that object call the methods, but when I create another instance of the same class and calls for instance method AddToSession and pass that instance, it overwrites the session value stored by the first instance of the class as the session key is the same that is "PhonePart".
Considering this scenario, is it possible that I somehow grab the name of the object as string in the calling method say "AddToSession" and create a session with that name? If Yes, then I can do the same in subsequent methods and retreive session value and also clear the session specific to that instance name without affecting the other session values stored by other instances.
I have a three step wizard. On the first step I use a repeater to create a series of buttons that an individual can select from. When the user selects one of the buttons the value of the button is saved to session state. They are taken to the next step and shown a similar list of buttons that are based on what they previously selected. Thus, if you choose "Hamburger" you might receive the options of "onion", "lettuce", "tomato" while if you choose "Hot Dog" you might receive "sauerkraut" and "ketchup".Lets say an individual chooses Hamburger. This is saved into session state like so:
Public Sub Button_ItemCommand(ByVal Sender As Object, ByVal e As RepeaterCommandEventArgs) ' ******** Lets pass on the results of our query in LinqDataSource1_Selecting. Session("food_select") = RTrim(e.CommandName) Wizard1.ActiveStepIndex = 1 End Sub
Now, this works fine and dandy. But lets say I select hamburger and then realize I'm really hankering for a hot dog. I go back to the first wizard step and click on the hot dog button but when the wizard progresses to the next step I still see the options for hamburgers! The session variable has not been updated.
i am still new to using session state, i want to convert page name into and integer according to a database table a function then compares "X" and "Y" to check if a user have the right to view this page i know this is not the best way of managing website security, but it is like "training on how to use the session" what have i done wrong
Partial Class advancedsearch Inherits System.Web.UI.Page Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load Try Label1.Text = Session("username").ToString Label3.Text = Session("role").ToString Label4.Text = System.IO.Path.GetFileName(Request.Url.ToString()) Catch ex As Exception Response.Redirect("login.aspx") End Try If Label1.Text = "" Then Response.Redirect("login.aspx") End If Dim x As Integer = Int32.Parse(Label3.Text) Dim y As Integer = Int32.Parse(DropDownList1.SelectedItem.ToString) If x < y Then Response.Redirect("login.aspx") End Sub Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Response.Redirect("default.aspx") End Sub End Class
I tried to use your code for ScrollBackposition in Chrome but gives an error in this statement. Identifier expected. Does scrollY needs to be defined as a HTML tag.
var scrollY = parseInt('<%=Request.Form["scrollY"] %>');
I need to generate a Unique Reference number that has 7 digits.
It should be formatted in the following way:
1st: B (Ball), G (Gift), C (Cat)
2nd: represents year of booking A(2010), B(2011),C(2012), etc
3rd: represents the month of booking J(Jan),F(Feb),M(Mar),A(Apr),Y(May), U(Jun), L(Jul),G(Aug), S(Sep),O(Oct),N(Nov),D(Dec)
4th: days of booking A(1st) - Z(26th), 1(27th) - 5(31st)
5,6,7th: These are counters for the number issues each day. Each can be A-Z,0-9 giving a total of 46,656 combinations. So 0 is first, then 1, 2, 3, 4, 5, 6, 7, 8, 9, A-Z, then 00 to 0Z, then 10 to 1Z, then 20 to 2Z, etc
Now , the 1st Digit is a Character that I generate based on a condition and that shouldn't be a problem.
I have written a SP which checks if a table(variable) exists,And removes the table if it exists,
SET NOCOUNT ON; DECLARE @SQLQUERY varchar(1000) SET @SQLQUERY='IF EXISTS (SELECT * FROM dbo.sysobjects where id = object_id(dbo.' + @tableName + ')) drop table [dbo].' + @tableName exec(@SQLQUERY)
I realize that user names are unique, but is there another identifier associated with the username? If there is, how do I find out what it is for the user who is currently logged in?
I have a fresh install of 10g ODAC that I have loaded. My Oracle client interface connects to the db just fine but when I attempt to connect with my ASP.NET project, I get the following error: ORA-12154: TNS:could not resolve the connect identifier specified
I found a lot of stuff on this topic but nothing that matches my problem.I'm coding a simple search function and came up with this code:
Dimsql As String = "SELECT DMS_files.id, DMS_files.descriptionSV, DMS_files.description, DMS_MainCategories.categoryNameFI AS 'main', DMS_SubCategories.categoryNameFI AS 'sub' FROM [DMS_files] INNER JOIN DMS_MainCategories ON DMS_files.cid=DMS_MainCategories.id INNER JOIN DMS_SubCategories ON DMS_files.scid=DMS_SubCategories.id WHERE (DMS_files.descriptionSV LIKE '%" & str & "%' OR DMS_files.description LIKE '%" & str & "%')" If (User.Identity.IsAuthenticated = False) Then sql = sql &" AND DMS_MainCategories.allowPublicSearch = 1" End If
With this I get the error "Multi-part identifier 'DMS_MainCategories.allowPublicSearch' could not be bound". But if I put the line straight to the first string, like below, it works.
Dim sql As String = "SELECT DMS_files.id, DMS_files.descriptionSV, DMS_files.description, DMS_MainCategories.categoryNameFI AS 'main', DMS_SubCategories.categoryNameFI AS 'sub' FROM [DMS_files] INNER JOIN DMS_MainCategories ON DMS_files.cid=DMS_MainCategories.id INNER JOIN DMS_SubCategories ON DMS_files.scid=DMS_SubCategories.id WHERE (DMS_files.descriptionSV LIKE '%" & str & "%' OR DMS_files.description LIKE '%" & str & "%') AND DMS_MainCategories.allowPublicSearch = 1"
I am just wondering how do I get the very last row of a join statement if I don't have any unique identifier... as in row_number field?Is there a way of creating a dummy column on my SQL statement to hold the record numbers of all records ..[1 to n] etc ???Id like to know how to do this and then I can get the MAX record number.Im using SQL server 2005 so the last() function doesn't work.
I'm creating a website with sql server db (built in membership database). I design it best possible. Im reluctant to use text fields as identifiers, but this is pretty much my first sql server db.
1. The user registers himself, at the same time registering his company/organisation. I dont think many of them will have the need to register themselves to other companys (N:N) but you never know (anyway not a main concern at the moment).
2. This user becomes a superuser (level1), with the ability to register other users to the same company (level2 users). Finally level1 can register level3 users to the same company.
So you see the identifier will be everywhere in the sql commands. There are quite a few N:N relations as well, which I guess slows it down even more. The selections typically retrieves a few hundred to a few thousand posts, but like I said, many will be in N:N relations.
I'm going to write my own Authentication module and I need a unique identifier base on users requests header , I think [(user IP)+(user Agent)] can be reasonable but I know it's not completely safe do you know any other options or methods?
Code: <asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:SQL2008R2_799650_xnacsConnectionString %>" SelectCommand="SELECT [ArticleTitle], [articlehtml], [submittedby], [datesubmitted] FROM [Articles] where articleid ='@id'"> </asp:SqlDataSource>
and code behind is taking a url param (guid) and passing it to the select above it looks like this:
Code: protected void Page_Load(object sender, EventArgs e) { string id = Request["article"]; as simple as that, the problem is the page falls over saying it cannot convert string to Unique identifier, I'm new to asp.net but not c# so there are a few bits i'm trying to get my head round..
i have a web application with form identification agains ActiveDirectory. The user is added to the aspnetdb and then we add his roles and profile.heres my question. If you have a user with "abcdef" for his sAMAccountName and then this user quit the job and someone else came in and we give him the SAME sAMAccountName, how aspnet will react? i guest it will see that the sAMAccountName already exist in the aspnetdb and will use it? if its true, then i will have a problem that the new user will inherit the old user access and profile!how can i solve this? i know theres a objectGUID attribute in AD that i can use but how can i use it with aspnetdb?