State Management :: Secure Query String Or Session Variable
Aug 30, 2010
Example scenario:
User login has a list of associated 'accounts' it has access to... this list of accounts is stored in a database table, say tblAccountAccessControl, something like:
login, accountID
userA, account123
userA, account456
userA, account798
userB, accountABC
userB, accountDEF
etc..
This info is used throughout the web application and determines the 'domain' of information the particular login has access to. For example there are many other tables that have the 'accountID' field and whenever a page pulls data from the table it only pulls data that the currently logged in user should be allowed to see, based on that tblAccountAccessControl data.
The security question:
Do I need to query the database every time I need to get this list of allowed accountID's? I was about to use a plain old query string to pass a particular accountID to another page but quickly caught myself as I realized that would be a major security flaw (the receiving page was going to use that accountID to grab info from the database, and there would be nothing preventing a user from simply typing in a url manually to get data from an accountID they are not supposed to be allowed to view). So I then thought I'll just store the list of accountID's in a session state variable so they will be carried with the user throughout the session.
But then I remembered there are tools out there that allow you to easily intercept and modify ASP.NET viewstate information and I'm not sure if that would include session state variables, but I'm guessing they would. Is there a way to create a secure query string? If I used session state would that session state information be exposed and modifiable by utilities out there? Am I just stuck having to query the database every time I need this info to assure security? What about encrypting it and then storing in session state variable (just thought of that one)?
View 5 Replies
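An added example, not part of the original post, for the scenario above: ASP.NET session state is held on the server and the browser carries only the session ID, unlike ViewState, which travels in the page, so the allowed list can be cached in session and every accountID arriving in a query string checked against it. The class name AccountAccess, the session key and the "AppDb" connection string name are assumptions, and the login is assumed to come from User.Identity.Name.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

// Added example, not code from the thread. AccountAccess, SessionKey and the
// "AppDb" connection string name are assumed names.
public static class AccountAccess
{
    private const string SessionKey = "AllowedAccountIds";

    // Returns the account IDs the current login may see. The list is read from
    // tblAccountAccessControl once per session and then kept in server-side
    // session state, so the client never gets a chance to edit it.
    public static HashSet<string> GetAllowed(HttpContext ctx)
    {
        var allowed = ctx.Session[SessionKey] as HashSet<string>;
        if (allowed != null) return allowed;

        allowed = new HashSet<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT accountID FROM tblAccountAccessControl WHERE login = @login", conn))
        {
            cmd.Parameters.AddWithValue("@login", ctx.User.Identity.Name);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) allowed.Add(reader.GetString(0));
        }
        ctx.Session[SessionKey] = allowed;
        return allowed;
    }

    // Call at the top of any page that accepts ?accountID=... The query string
    // only selects among accounts; the server-side list decides access.
    public static string RequireAccount(HttpContext ctx)
    {
        string requested = ctx.Request.QueryString["accountID"];
        if (string.IsNullOrEmpty(requested) || !GetAllowed(ctx).Contains(requested))
            throw new HttpException(403, "Account not permitted for this login.");
        return requested;
    }
}
```

Because the list is cached per session, a row removed from tblAccountAccessControl takes effect only when the session ends or the key is cleared; query the table on each request if revocation must be immediate.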
Similar Messages:
Feb 7, 2011
Is it possible to assign the connection string to a session variable, and is it a good way to declare it in session?
Provide the syntax for accessing the connection string from a session variable.
View 7 Replies
Feb 11, 2011
I have this code that loops through table controls. How do I stick the selected information into a session variable? Then I have to pass it into another page's table control. Example code:
[Code]....
View 7 Replies
Jan 17, 2011
I would like to know if the way I'm dealing with session variables is the right way, and also how to fix this error I'm getting:
FormatException: Input string was not in a correct format.
View 4 Replies
May 17, 2010
I have a web application which uses a session variable to store the logged in userid. If no user is logged in, of course this variable will be empty and the contents displayed on my website are meant for guests. If there is a user logged in, the user specific controls/access/links will then be displayed.
I am now having issues with my hosting where on shared application pool, the worker recycle is triggered every 90 minutes, this will clear sessions causing all my users to be logged out. I opted for a dedicated application pool, which got worse because I am only allocated 50MB memory limit and if this is reached, the worker recycle is triggered and I lose my sessions again. I have tried as much as possible optimization techniques, e.g. dispose where possible, close connections, disable viewstate for static controls etc but my memory per instance keeps building up from page to page without any signs of improvement. I don't use loops nor store huge objects like bitmaps etc but my sessions are now gone even faster than 90 minutes in shared application pool before.
I have considered using SQL Session State but there isn't a simple guide on using this with MySQL. I am getting desperate and considering using a public variable, a string as a replacement to store logged in user id instead of in a session variable. I am pretty sure this will solve my issue with sessions being recycled but are there any negative consequences of doing this? One problem I can think of is if the user closes the browser, the system will never know that the user is now logged out and this public variable should be nothing. In this scenario, will the GC eventually clear this abandoned public variable?
View 10 Replies
Dec 3, 2010
I am building a web app that is limited to one database, therefore I cannot use the ASP.NET config tool. As a quick means of getting this app online, I tried to use a simple session variable. The login page verifies the user's credentials, and if they pass, it sets the session variable to a certain value. All other pages check in the page_load event whether or not the session variable is equal to that value. The problem is that once being logged in for a short while and sending and receiving some data, the session variable resets, and I'm returned to the login page to repeat the process. Here's the basic code from my webforms:
[code]....
Is there some setting I need to change in the web.config file to adjust the cookie timeout or is that only for the config tool authentication methods?
View 5 Replies
Sep 14, 2010
I added the following code to global.asax to load up several session variables when a session starts. I'm assuming that when a page goes to use the variable that I should be
1) checking at the page level that the value is valid: not 0 when it's not expected to be 0, not a zero-length string when it's expected to have a length
2) having code at the page level that sets the values if the values have not been set, as when the Session times out, ideally putting the code in a class derived from Page and then deriving all of my pages from the new class so that the code does not have to be repeated in every page
[Code]....
View 7 Replies
Nov 11, 2010
I have some code in my page load event which I just want to fire once when the user opens the browser. The only issue is if you open a new tab with the same website the session variable does not reset. Is there a way to reset the session variable when you open a new tab or do you have to take the whole web browser down for it to clear the session variable?
In Global Page:
[code]....
View 2 Replies
Aug 5, 2010
I have been spending a better part of a week trying to track down why I am not able to clear all session variables in a web app (vs 2010, vb.net). What I have tracked it down to is that when I remove or abandon sessions that my html pages or codebehind access, it works, but for some reason in any of my class files where I use "Public Shared strConnection as String = HttpContext.Current.Session("strConnection").ToString" to access a session variable, it finds the old one and not the current one. I have to wait for it to time out, go in again, and it will find the new one.
I do not use Linq, and there is only one place in the whole web app that I place the connection string in a variable, which is when a person logs in. It points them to the correct database. The sqlconnection is set for all of my listviews in Page_Init to make sure that they aren't using any session variable that they create on their own. Interestingly enough, if I use debug to go in each time, exit debug, enter debug again trying to access a different database, it works correctly each time. I assume that debug is correctly killing the session variable for the classes for me.
View 4 Replies
Apr 21, 2010
I am new to ASP.NET. Can you please guide me on what session and session variables are? Please, I don't need a comparison of ASP session and ASP.NET session because I don't know anything about ASP. I have seen many articles on types of session as well. But I still can't understand exactly what session is and what session variables are in ASP.NET.
View 9 Replies
Jan 18, 2011
I want to use session like variable in mshtml.
View 1 Replies
Jun 16, 2010
Each time a session starts, I save
Session("UserName")= xyz$
My question is:
what would be the vb code to get a list of all "UserName" 's
(session alive at this moment) ?
View 7 Replies
Jul 18, 2010
I have two projects, one is webforms and the other is business logic. I am storing the username in a session variable. I have an audit module in the business logic which has event handlers to do auditing on object create / remove. I want to store the username in the audit trail. I want to save the username in some global place which is session bound so that I can get the username in my audit module. I don't want to refer to System.Web or HttpContext in my business logic project. Please help with how I can achieve this. I found this article but couldn't understand much.
"Now one option if you want to have your DLL pull the stuff from Session is to abstract out session. So you could define an interface like IStorage, that your library will know how to use. Then you can have a SessionStorage or MemoryStorage class and use IoC to inject the appropriate class into your library classes. This gives you the freedom to code it how you wanted it to be coded without tying your code to Session. Oh and one other benefit if done properly can be used to not tie your code to session in the web either."
View 7 Replies
Feb 20, 2010
I am using ASP.NET 2.0. I am a little bit confused about the use of session variables. I have a three page web application. When a user logs in, after verification of user credentials I get the user ID from the DB and store this ID in a session variable: Session("USERID") = 56. By using this ID I can get 20 different values from the database, such as user full name, user date of birth, user location, user date of joining, user commission rate etc. I need some of these values in Page 1, some in page 2 and some values needed in Page 301. After successful login and getting the user ID, I take all these 20 values from the database and store these values in an ArrayList and store this ArrayList in a session, and whenever I need to use any value I take these values from the ArrayList which is saved in the session variable.
View 6 Replies
Dec 24, 2010
I'm facing some problem. I'm not passing dynamic string through query string.
I'm using this code
string abc = "CPCB_" + TextBox1.Text + "_" + TextBox2.Text;
Response.Write("<script>window.open('xml.aspx?Flag=3&date='+abc,target='new');</script>");
View 2 Replies
Apr 21, 2010
I have 2 arrays declared like this :
[Code]....
and I wish to put both in one session variable and then retrieve it to get one array like:
{"intItemID","strCategory","strType"}
View 3 Replies
Apr 23, 2010
I'm looking to store an ArrayList in a session variable, but am having a few problems. Can you spot anything wrong?
public partial class _Default : System.Web.UI.Page
{
    ArrayList score = new ArrayList();
    protected void twist2(object sender, EventArgs e)
    {
        int a = 11;
        int c = RandomNumber(a);
        score.Add(c);
        score = (ArrayList)Session["scoreData"];
        Result.Text = (c).ToString();
        String Result_id = Result.Text;
        int total = 0;
        //Session["scoreData"] = score;
        for (int i = 0; i < score.Count; ++i)
        {
            total += (int)score[i];
        }
        Sum.Text = (total).ToString();
        String Sum_id = Sum.Text;
    }
View 3 Replies
Apr 20, 2010
I am building a simple search interface for one of our existing systems. I am using Windows authentication. What I would like to do is grab the username of the logged in user via httpcontext.current.user into a session variable on page load and use it in various places on my page. My problem is that when I run my code in debug mode from Visual Studio it works fine. But when I try to run my code from the browser using localhost it does not work.
View 4 Replies
Apr 13, 2010
I'm building a site (it's amazing how much you can do and still not know what you're doing). I have my visitors log in from a login.aspx page and, when authenticated, they are redirected to a Portal page. On that Portal page at page load I set a Session variable "UserName" using the User.Identity.Name like this:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If User.Identity.Name <> "" And User.Identity.IsAuthenticated = True Then
If Page.IsPostBack = False Then
Session("UserName") = User.Identity.Name
End If
[code]...
View 4 Replies
Oct 28, 2010
I am storing Datatable in Session variable in my project. Is it good practise to do so? The datatable has 20 fields and can run into 1000+ records. Will it hamper my application performance?
View 11 Replies
Mar 27, 2010
How to access session variable in the class?
View 5 Replies
Jul 23, 2010
IDE: MS Visual Studio 2008 / SQL Server 2005 Express / SQL Server Management Studio Express 2005
Skills: Beginner
Well, I'm trying to make a custom login page (I'm not using the ASP.NET Login control). In the Admin.aspx page,
UserName and Password are entered in textboxes, then the code-behind file checks the UserName and Password against the database (it stores the UserName and Password). If both are correct, Session["IsAuthenticated"] = "true" and then the user is redirected to AdminArea.aspx.
AdminArea.aspx checks if ( Session["IsAuthenticated"].ToString() == "false" ) then redirects to the Error page,
but I get a NullReferenceException on AdminArea.aspx because Session["IsAuthenticated"] is null, and I don't know why.
I even tried PreviousPage.Session["IsAuthneticated"] but still got the same error.
I debugged and found out Admin.aspx saves the value in Session["IsAuthenticated"] successfully but AdminArea.aspx loses the Session["IsAuthenticated"], so it gets null.
My question is how to retain the value in Session["IsAuthenticated"] when the page is changed (I want to retrieve the value in the next page from Session)?
View 11 Replies
May 5, 2010
I have an application containing many aspx-scripts.
How can I refresh the session variables before timeout on the server independent of which script is loaded in the browser? (to prevent timeout when the browser is not used, so the session variables are refreshed)
When I used ColdFusion, I ran the application in a frame and updated the session variables by using a hidden frame, but this technique doesn't work in aspx.
View 5 Replies
Jan 19, 2011
I cannot get a formview populated using a session variable value from a previous page.
<asp:FormView ID="FormView1" runat="server" DataKeyNames="RegId"
DataSourceID="SqlDataSource1" DefaultMode="Edit"
>
<EditItemTemplate>
[Code]....
View 1 Replies
Jul 14, 2010
I am writing a web application that takes in session variables from the user and when the user comes back to the page the form elements are automatically filled with the user's entry. So I tried using the page_load event to check to see if the session object was equal to null. But then when I rerun the application the form elements are filled in with the previous entry. Does this mean that if a user logs into the system and has a session within the lifetime of a previous session that the form elements will be filled in with the previous data?
View 7 Replies