ASP.Net [2.0] - SessionID

Discussion in 'ASP .Net' started by Rob Meade, May 13, 2006.

  1. Rob Meade

    Rob Meade Guest

    Hi all,

    I've just put some code together (cobbled is a phrase I like to use) - to
    handle a secure login to a web based application.

    It's not exactly rocket science, a session is created, its ID and user ID
    are written to the database, each page that requires authentication checks
    to see if there is a current identity (ie a session already) and if so then
    tries to match that to the one in the database - if everything's ok - great -
    move on - if not - redirect to the login page.

    Now - here's the thing...

    I was expecting the Session.SessionID to be unique, not only when a new
    window is opened, but if the current session is killed off (using
    Session.Clear / Session.Abandon) - however - it doesn't appear to be -
    therefore it's not entirely impossible to get logged back in when the details
    match etc..

    For example - I log in...my Session.SessionID in browser 1 is :
    k2xmyl3fwinxrh45hyp30qbk

    I open a second browser and login and my Session.SessionID in browser 2 is:
    hqbzk4555ivl2ez0nlophy55

    Both of these have been written to my database with my user ID (1), now,
    when I then hit the database and change the UserID to 2 (ie, causing a no
    match) I'm prompted to log in (because the UserID / Session.SessionID didn't
    match) - but when I log in again I am given the same Session.SessionID as I
    had originally?!

    Can anyone advise as to whether it's possible to generate a new
    Session.SessionID - as I said I was expecting this to have happened
    automatically having used "Abandon" etc when logging out, or when there is
    no match (I have a little Session killing off function etc)..

    Any help would be most appreciated,

    Regards

    Rob
    Rob Meade, May 13, 2006
    #1

  2. Rob Meade

    clintonG Guest

    What a waste of time. ASP.NET 2.0 manages logins using Membership, Roles,
    and Profiles. Spend more time with the documentation Rob.

    <%= Clinton Gallagher
    NET csgallagher AT metromilwaukee.com
    URL http://www.metromilwaukee.com/clintongallagher/
    clintonG, May 15, 2006
    #2

  3. Rob Meade

    Ray Booysen Guest

    Hi Clinton

    Each to their own. There might be a solution built in but not to
    everyone's taste. Have you tried using the built-in profiles system to
    perform queries on thousands of users without retrieving every user?
    It's not fun. ;)

    clintonG wrote:
    > What a waste of time. ASP.NET 2.0 manages logins using Membership, Roles,
    > and Profiles. Spend more time with the documentation Rob.
    >
    > <%= Clinton Gallagher
    > NET csgallagher AT metromilwaukee.com
    > URL http://www.metromilwaukee.com/clintongallagher/
    Ray Booysen, May 15, 2006
    #3
  4. Rob Meade

    Brock Allen Guest

    > Each to their own. There might be a solution built in but not to
    > everyone's taste. Have you tried using the built-in profiles system
    > to perform queries on thousands of users without retrieving every
    > user? It's not fun. ;)


    I think your complaint here is the storage format the default profile provider
    uses. You should consider using a different provider (or write your own)
    to store the data the way you'd prefer it. Google for "Table Profile Provider"
    for a sample.

    -Brock
    http://staff.develop.com/ballen
    Brock Allen, May 15, 2006
    #4
  5. Rob Meade

    Ray Booysen Guest

    I realise, ;) I was merely pointing out that a solution to one person
    doesn't mean it's a solution to everyone. Calling someone's work a waste
    of time because he/she wanted to manage the login details themselves
    isn't the way to handle that sort of question.

    Brock Allen wrote:
    >> Each to their own. There might be a solution built in but not to
    >> everyone's taste. Have you tried using the built-in profiles system
    >> to perform queries on thousands of users without retrieving every
    >> user? It's not fun. ;)

    >
    > I think your complaint here is the storage format the default profile
    > provider uses. You should consider using a different provider (or write
    > your own) to store the data the way you'd prefer it. Google for "Table
    > Profile Provider" for a sample.
    >
    > -Brock
    > http://staff.develop.com/ballen
    >
    >
    Ray Booysen, May 15, 2006
    #5
  6. Rob Meade

    Rob Meade Guest

    "Ray Booysen" wrote ...

    > Calling someone's work a waste of time because he/she wanted to manage the
    > login details themselves isn't the way to handle that sort of question.


    Thank you.

    For what it's worth - I've not read "the" documentation for .net 2.0,
    neither did I for 1.1 or 1.0 - instead I just refer to parts of it when I
    get stuck, but more often than not find myself asking a question in a group
    like this first because typically there's a really wide audience level for
    these groups, and you'll often get more than one suggestion on how to
    resolve the problem - I find that useful to see other ideas so that I can
    either use one of them, or bits from each or whatever - it helps me learn.

    Being new to .net 2.0 I would even have known about a login/profile
    thingy-ma-jig in it anyway - so unless I stumbled over some review of it I'm
    unlikely to have found it.

    Since posting, I've found that it seems better to use a generated GUID than
    the Session.SessionID - something that would have been helpful to have known
    previously, but I found an article online that mentions that the
    Session.SessionID wasn't unique - that was basically the answer to my
    question.

    On using pre-built functionality - if I always use other people's work, code,
    examples etc I'll never really learn how to do those bits of the code
    myself, whilst I appreciate it can save time, this could be wasted in the
    future if it all goes tits up and I spend 3 weeks trying to figure out
    what's happening. I don't suppose anyone has ever written anything that's one
    hundred percent perfect, with no vulnerabilities etc.

    Thanks to all for the replies, nice to see a conversation spin out of my
    thread if little else :eek:)

    Regards

    Rob
    Rob Meade, May 15, 2006
    #6
  7. Rob Meade

    clintonG Guest

    Rob et al., another point to be cognizant of is how many of us seem to be
    carrying across our thought processes when "scripting" was the way we
    developed web applications. Now that is not to say the use of the framework
    classes may not do things the same way from time to time but the
    implementations are abstracted away from us leaving the developer to be more
    productive. Less time is wasted on rudimentary building blocks. Time after
    all is of the essence is it not?

    It seems to me there are two types of web development behavior models. There
    is the "think-do-think" and there is the "do-think-do." Rob "confesses" a
    preference for the do-think-do. Don't we all from time to time? Which is
    best is always a contextual issue though ainna?

    As for me, I vacillate from one to the other like anybody else but after all
    is said and done I am left with one simple question. "Do I want to waste my
    time doing things my way, the way I think they should be or could be done or
    do I want to learn from others who have come before me to adopt what have
    come to be called 'best practices'?"

    And yes, Ray, I have tried using the built-in profiles system to perform
    queries which is why I thank Brock -- again -- for bringing the search term
    "Table Profile Provider" to your attention the same way he did for me just
    last week Ray. The same way I brought the search terms "Membership, Roles,
    and Profiles" to the attention of Rob so he doesn't have to waste his time
    anymore.

    --
    <%= Clinton Gallagher
    NET csgallagher AT metromilwaukee.com
    URL http://www.metromilwaukee.com/clintongallagher/

    clintonG, May 17, 2006
    #7
  8. Rob Meade

    Yanis

    Hi Rob, hey I have the exact same problem, so how does this GUID work? Can you post some example code please?
    Thanks a lot.
    Yanis, Sep 25, 2008
    #8
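
Added example, not code from any poster in this thread: the SessionID repeats after Session.Abandon because the browser keeps sending the same ASP.NET_SessionId cookie, so this issues a fresh random login token at every sign-in (the "generated GUID" idea from post #6) and clears both cookies at sign-out. `ILoginTokenStore`, `LoginTokens` and the cookie name `AppLoginToken` are hypothetical names, HTTPS is assumed, and the token comes from a CSPRNG rather than `Guid.NewGuid()`, which is a substitution made here.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Hypothetical storage abstraction standing in for the poster's session/user table.
public interface ILoginTokenStore
{
    void Save(string token, int userId, DateTime expiresUtc);
    int? FindUserId(string token);   // null when the token is unknown or expired
    void Delete(string token);
}

public static class LoginTokens
{
    const string CookieName = "AppLoginToken";   // assumed cookie name

    // Call after the password check succeeds: every login gets a new token.
    public static void SignIn(HttpContext ctx, ILoginTokenStore store, int userId)
    {
        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);   // 256 random bits
        string token = BitConverter.ToString(raw).Replace("-", "");
        store.Save(token, userId, DateTime.UtcNow.AddMinutes(20));

        HttpCookie c = new HttpCookie(CookieName, token);
        c.HttpOnly = true;   // not readable from script
        c.Secure = true;     // only sent over HTTPS (assumption)
        ctx.Response.Cookies.Add(c);
    }

    // Call from each protected page; null means redirect to the login page.
    public static int? CurrentUserId(HttpContext ctx, ILoginTokenStore store)
    {
        HttpCookie c = ctx.Request.Cookies[CookieName];
        if (c == null || String.IsNullOrEmpty(c.Value)) return null;
        return store.FindUserId(c.Value);
    }

    // Revoke server-side first, then make the browser drop both cookies so the
    // next request cannot present the old token or the old session ID.
    public static void SignOut(HttpContext ctx, ILoginTokenStore store)
    {
        HttpCookie c = ctx.Request.Cookies[CookieName];
        if (c != null && !String.IsNullOrEmpty(c.Value)) store.Delete(c.Value);
        if (ctx.Session != null) ctx.Session.Abandon();
        Expire(ctx, CookieName);
        Expire(ctx, "ASP.NET_SessionId");   // default session cookie name
    }

    static void Expire(HttpContext ctx, string name)
    {
        HttpCookie dead = new HttpCookie(name, "");
        dead.Expires = DateTime.Now.AddDays(-1);
        ctx.Response.Cookies.Add(dead);
    }
}
```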