I am doing web based projects in dotnet. Currently I am implementing security using session variables. I keep current user id and user type in session and authenticate user from these session variables (say Session["UserId"],Session["UserName"] and Session["UserType"]).
I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get session id and directly connect to that session id etc.
I am using form based authentication in one of my website. I issue AuthenticationTicket on successful login and use this ticket to validate request. but now I need to store other variables immidiately after authenticating request (just like adding session for username, email etc. variable after successful login).
My question is if I make use of session to store variables, do I need to concern about it as form based authemtication is cookie based and it is not related with session timeout.
i am trying to collect 2 variables from one hyperlink, and use those variables in the page_load to set as session. but i don't know how to collect those 2 variables
i would like to collect '#FF0000','#FFE4E1' or direct set '#FF0000','#FFE4E1' to string then send to pageload, how can i do this by only clicking on it ?
I use some session variables to get the job done(shopping cart, etc) but it is not stable..manytimes I get no items in session object and other times(refreshing the page) I get missing data...I downloaded the entire site code to my local pc and debugged it and run it succesfully without any session data missing...When I run it in the server, I get bad session again: no products in shopping cart or products with missing quantities...
The same website runs smoothly in our production server too....The problem is with our development server...
I have some code in my page load event where I just want to fire once when the user opens the Browser. The only issue is if you open a new tab with the same website the session variable does not reset. Is there a way to reset the session variable when you open a new tab or do you have to take the whole web browser down for it to clear the session variable.
There are reams of info out there about things causing InProc session to drop session objects, but that's not what's happening here. We're missing individual variables within stable InProc session objects, and are not sure whether they're not being written or being lost after a successful write. I've confirmed with WinDBG that the sessions are live and contain some, but not all, of the data written to them.
This code is pretty straightforward, and it works flawlessly in Test. In Production, under heavy load, though, it fails ~1% of the time. If Mr Smith visits the site and attempts to display 4 pieces of image data, 2 of them might be saved in his session and two of them be lost. The InProc session object for Mr. Smith exists. The traffic logs show he clicked 4 times, each with a different id param. But there are only 2 guids in his InProc session object, instead of 4. The 2 session objects we did capture do correspond to 2 of the id's shown in the traffic log (his 1st and 3rd clicks.) The traffic logs for his 2nd and 4th clicks, though, show a guid id that's not in his InProc session object.
Lines 1&3 of the above code obviously worked for those 2nd and 4th clicks, or he'd not have had the id in the URI for him to click. Line 2, however seems to have failed silently in some way. If any exception had been thrown, I'd expect we'd not ever have arrived at line 3. I can't see any way for the user to receive the guid id, but the session to fail to have it. The other possibility is line 2 worked successfully, but the variable later disappeared, how I cannot even imagine.
Details: ASP.NET v3.5 IIS 6 No Web Gardening
We're running a web farm, but users constantly return to the same server. I'm researching now whether there's any way users might be slipping off to the other server.
i have implemented the the openid in my page using dotnet open id when i get authenticated iam storing the details provided by openid provider in my database and creating a session of that username and redirecting the user to login protected page it is working fine but some time if i left the page idle for some time and then do any kind of postback then the session is lost and my page do not allows me to do any thing as it is login protected some time it is working fine without any problem. can you suggest me why is it so.
I need an example on how to implement AES encryption/decryption in .NET. I've been googling but haven't yet found any good examples. I've for example found AES example whih after some research wasn't 100% AES. I have to make sure by AES encryption/decryption is 100% AES, as I have to send email to the authorities explaining how I use AES (with secret key all), so they can hire some encryption expert which verify that we encrypt/decrypt it correctly. So he can verify that the what I implemented in AES is actually 100%. I'm reading the AES standard and how it's to be implemted in .NET Here is some code I'm having trouble with:
[Code]....
Which throws an CryptographicException: Specified key is not a valid size for this algorithm.
I am about to deploy an ASP .NET application (developed with LINQ-to-SQL). I have taken following precautions: Database access via user with limited access, however, since application is to access the sensitive data, I can't deprive this limited access user from it Database server is not exposed to external network - is hiding behind DMZ and all external ports are blocked I have done thorough security testing of the web-application; SQL Injections, rights management, illegal data access (via post/get data tempering) Application is operating on SSL
1 - I am using ASP .NET authorization API; any recommendation for avoiding session hijacking (in case someone some-how gets to know the session key). Is there are way to change the authentication cookie less prone to threats? Say like, changing it after every request? (I know I am get very conscious about this particular item)
2 - Data in the database is not encrypted. To make things ultra-secure, I am thinking about implementing transparent data encryption. Can someone share his/her experience or a link about implementing data level encryption with SQL Server 2008 along with pros-and-cons?
3 - Recommendation for storing connection string in web.config. Is using integrated security better then using encrypted database connection string?
Am trying to design login page for my website and I am looking for methods other than forms authentication. The way in which I am trying is to have a table in the database that stores user information and check for the user validity.
The point where I get struck is how do i set cookies and session variables and how will I carry it through out the system. Can anyone tell/suggest me where I can relevant material so as to move forward. And also is my idea of negating traditional forms authentication and going for a model I described, is it good also does any other better method exist?
I want to password protect an area of a website by a login/registration form.
I'm using session variables to check wheter the user is logged in or not. I already have a database with users/passwords... so I thought that the membership approach wasn't an option... (correct me if I'm wrong)
in the constructor of the controller of the area I want to protect I've added the following:
[Code]....
but this throws an error:
Server Error in '/' Application.
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. review the stack trace or more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
[Code]....
Line 28: this.productsRepository = productsRepository;Line 29: Line 30: if (Session["user"] == null)Line 31: RedirectToAction("List", "Products");Line 32: }
I am working on an asp.net mvc app.Right now I am looking for the best solution to access session variables. Is it oke to make a static class to get session variables, like:
[Code]....
And so on for other session variables.Is it allowed to access session variables in static model classes ?
In my .NET web app, I keep basic user info in a user session object. I also usually keep a director class in the session; which is basically just has info about whatever thing it being worked on on that screen (like a customer id).
I am trying to keep from adding a ton of sessions. I also want to make sure at any given time ONLY the sessions that are necessary are in memory.
This means I need an effective way of managing my session variables.
I am using ASP.NET 2.0 and C#. I would like to know if the Session variables are Case-sensitive.
Is Session["StudentId"] and Session["StudentID"] considered the same.
Which would be the proper way to access the session details, when in a page someone passes data as Session["StudentId"] and somebody else passes as Session["StudentID"]?
I have a situation where my session variables seem to get corrupted. I Page_Load I am calling 2 subs. Each of them fills a GridView with data from a table. I am saving the content of each Data.DataTable into Session Variables:
After I call the 1st sub and I debug the session variable "mySqlDataTable1" contains all the data from the table. After I call the 2nd sub and I debug the session variable "mySqlDataTable1" has been changed and contains a mix of data from the 2 tables.
I'm trying to pass some variables from one page to another via the session state and then post those variables to labels on page 2. When I try to write the code for my labels on page2, I get an error of "Declaration expected"Here is my code from that page:
Partial Class Default2 Inherits System.Web.UI.Page Dim firstname As String = CType(Session.Item("FirstName"), String) [code]...
Am I missing a page_load event handler or what am I missing?
I have an ASP.NET application with 5 .ashx HTTPHandlers that implement RequiresSessionState or IReadOnlySessionState.Upon calling the first handler I create a variable and store it in the session.When I call the next HttpHandler the variable is not available in the session object.I am use context.Session.I have a global.asax where I retrieve the sessionId.Is there a way to preserve session variables across HttpHandlers or does each Handler get its own session?
I am having with asp.net app inside of SharePoint (as page viewer).
When the Default page is loaded, it works fine. However, when I try to go to next page, i am getting a null reference exception. It looks like my session variables are becoming null on the next page (even though I set them on the previous page). Here are a couple things that I tried to diagnose the problem.
I try on the couple other computers; some work fine, some still don'ts. In the property of the page viewer inside of the SharePoint, after I click on the "Test link", it started to work fine until the session expired (on the computer didn't work initially).
I am not sure if there are settings that I need to check on the browser or the app server.
I am setting a session variable when the user selects a value from a dropdownlist (SelectedIndexChanged) in webusercontrol #1.
The page then refreshes and I thought that webusercontrol #2 on the page should be able to access the session variable in its page load.
However the session variable is not available until the user refreshes the page again. I'm assuming that the page is refreshed before the session variable is updated.
I'm trying to convert a game I made (WindowsFormApplication) to an ASP.NET page.
My Problem is that I have a lot "private" variables in my WindowFormApplication and those variables are important for the game. But when after I Declare all my variables (in my Page_Load), they turn null no matter what I do(click a button, refresh the page).
Is there anyway to save my variables between buttons (other than Session, because I'd have to create like 6 more sessions)