This info is used throughout the web application and determines the 'domain' of information the particular login has access to. For example there are many other tables that have the 'accountID' field and whenever a page pulls data from the table it only pulls data that the currently logged in user should be allowed to see, based on that tblAccountAccessControl data.
The security question:
Do I need to query the database every time I need to get this list of allowed accountID's? I was about to use a plain old query string to pass a particular accountID to another page but quickly caught myself as I realized that would be a major security flaw (the receiving page was going to use that accountID to grab info from the database, and there would be nothing preventing a user from simply typing in a url manually to get data from an accountID they are not supposed to be allowed to view). So I then thought I'll just store the list of accountID's in a session state variable so they will be carried with the user throughout the session.
But then I remembered there are tools out there that allow you to easily intercept and modify asp.net viewstate information and I'm not sure if that would included session state variables, but I'm guessing they would. Is there a way to create a secure query string? If I used session state would that session state information be exposed and modifyable by utilities out there? Am I just stuck having to query the database every time I need this info to assure security? What about encrypting it and then storing in session state variable (just thought of that one)?
I have a web application which uses a session variable to store the logged in userid. If no user is logged in, of course this variable will be empty and the contents displayed on my website are meant for guests. If there is a user logged in, the user specific controls/access/links will then be a displayed.
I am now having issues with my hosting where on shared application pool, the worker recycle is triggered every 90 minutes, this will clear sessions causing all my users to be logged out. I opted for a dedicated application pool, which got worse because I am only allocated 50MB memory limit and if this is reached, the worker recycle is triggered and I lose my sessions again. I have tried as much as possible optimization techniques, e.g. dispose where possible, close connections, disable viewstate for static controls etc but my memory per instance keeps building up from page to page without any signs of improvement. I don't use loops nor store huge objects like bitmaps etc but my sessions are now gone even faster than 90 minutes in shared application pool before.
I have considered using SQL Session State but there isn't a simple guide on using this with MySQL. I am getting desperate and considering using a public variable, a string as a replacement to store logged in user id instead of in a session variable. I am pretty sure this will solve my issue with sessions being recycled but are there any negative consequences of doing this? One problem I can think of is if the user closes the browser, the system will never know that the user is now logged out and this public variable should be nothing. In this scenario, will the GC eventually clear this abandoned public variable.
I am building a web app that is limited to one database, therefore I cannot use the ASP.NET config tool. As a quick means of getting this app online, I tried to use a simple session variable. The login page verifies the user's credentials, and if they pass, it sets the session variable to a certain value. All other pages check in the page_load event whether or not the session variable is equal to that value. The problem is that once being logged in for a short while and sending and recieving some data, the session variable resets, and I'm returned to the login page to repeat the process. Here's the basic code from my webforms:
Is there some setting I need to change in the web.config file to adjust the cookie timeout or is that only for the config tool authentication methods?
I added the following code to global.asax to load up several session variable when a session starts. I'm assuming that when a page goes to use the variable that I should be
1) checking at the page level that the value is valid not 0 when its not expected to be 0, not a zero-length string when its expected to have a length
2) have code at the page level that sets the values if the values have not been set as when the Session timeout, ideally putting the code in a class derived from Page and then deriving all of my pages from the new class so that the code does not have to be repeated in every page
I have some code in my page load event where I just want to fire once when the user opens the Browser. The only issue is if you open a new tab with the same website the session variable does not reset. Is there a way to reset the session variable when you open a new tab or do you have to take the whole web browser down for it to clear the session variable.
I have been spending a better part of a week trying to track down why I am not able to clear all session variables in a web app (vs 2010, vb.net). What I have tracked it down to is that when I remove or abandon sessions that my html pages or codebehind access, it works, but for some reason in any of my class files where I use "Public Shared strConnection as String = HttpContext.Current.Session("strConnection").ToString" to access a session variable, it finds the old one and not the current one. I have to wait for it to time out, go in again, and it will find the new one.
I do not use Linq, and there is only one place in the whole web app that I place the connection string in a variable whcih is when a person logs in. It points them to the correct database. The sqlconnection is set for all of my listviews in Page_Init to make sure that they aren't using any session variable that they create on their own. Interestingly enough that if I use debug to go in each time, exit debug, enter debug again trying to access a different database, it works correct each time. I assume that debug is correctly killing the session variable for the classes for me.
I am new to asp.net Can you please guide me what is session and session variables ? Please I don't need a comparision of asp session and asp.net session because I don't know anything about asp. I have saw many articles on types of session as well. But still I cant understand exectly what is session and what are session variables in asp.net ?
I have two projects ,one is webforms and other is Business logic, i am storing username in Session Variable, i have audit module in businss logic which has event handlers to do auditing on object create / remove. i want to store username in audit trail, i want to save username in some global place which is session bounded so that i can get the username in my audit module.i dont want to refer System.web, or httpcontext in my businesslogic project.pls help how i can acheive this. i found this article but cudnt understand much.
"Now one option if you want to have your DLL pull the stuff from Session is to abstract out session. So you could define an interface like IStorage, that your library will know how to use. Then you can have a SessionStorage or MemoryStorage class and use IoC to inject the appropiate class into your library classes. This gives you the freedom to code it how you wanted it to be coded without tying your code to Session. Oh and one other benefit if done properly can be used to not tie your code to session in the web either.
I am using ASP.NET 2.0I am little bit confuse about using of Session Variable. I have a three page web application. When a user login, after verification of user credentials I get user ID from DB and store this ID in a session variable.Session("USERID") = 56by using this ID I can get 20 different values from database as User Full name, user date of birth, user location, user date of joining, User Commission rate etc. I need some of these values in Page 1, some in page 2 and some values needed in Page 301. After successfully login and getting the User ID, I take all these 20 values from Data Base and store these values in an ArrayList and store this ArrayList in a seesion and whenever I need to use any value I take these values from ArrayList which is save in Session variable.
I am building a simple search interface for one of our existing systems. I am using windows authentication. What I would like to do is grab the username of the logged in user via httpcontext.current.user into a session variable on page load and use it in various places on my page. My problem is that when i run my code in debug mode from visual studio it works fine. But when i try to run my code from the browser using localhost it does not work.
I'm building a site (it's amazing how much you can do and still not know what you're doing).I have my visitor login from a login.aspx page and, when authenticated are redirected to a Portal page. On that Portal page at pageload I set a Session variable "UserName" using the User.Identity.Name like this:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load If User.Identity.Name <> "" And User.Identity.IsAuthenticated = True Then If Page.IsPostBack = False Then Session("UserName") = User.Identity.Name End If [code]...
IDE: MS Visual Studio 2008 / SQL Server 2005 Express / SQL Server Management Studio Express 2005
Well im trying to make a custom login page(im not using ASP.net Login Control), in Admin.aspx page
UserName and Pasword are entered in textboxes , then Code-Behind file checks the UserName and Pasword against DataBase(it stores the UserName and Pasword) if both are correct Session["IsAuthenticated"] = "true" and then user is redirected to AdminArea.aspx
AdminArea.aspx checks if ( Session["IsAuthenticated"].ToString() == "false" ) then redirect to Error page..
but i get NullReferenceException on AdminArea.aspx because Session["IsAuthenticated"] is null , i dont know why ?
I even tried PreviousPage.Session["IsAuthneticated"] but still got the same error..
I debugged,and found out Admin.aspx saves value in Session["IsAuthenticated"] succesfully but AdminArea.aspx looses the Session["IsAuthenticated"]..so it gets null
My Question is how to retain value in Session["IsAuthenticated"] when page is changed (I want to retrieve value in next page from Session)?
I have an application containing many aspx-scripts.
How can I refresh the sessionvariables before timeout on the server independent of which script is loaded in the browser? (to prevent timeout when the browser is not used so the sessionvariables is refreshed)
When I used Coldfusion, I run the application in a frame and updated the session-variables by using a hidden-frame, but this techniqes dont work in aspx.
I am writing a web application that takes in session variables from the user and when the user comes back to the page the form elements are automatically filled with the users entery. So I tried using the page_load event to check to see if the session object was equal to null. But then when I rerun the application the form elements are filled in with the previous entery. Does this mean that if a user logs into the system and has a session withing the lifetime of a previous session that the form elements will be filled in with the previous data?