Form Validation/SessionID changes

Discussion in 'ASP .Net Security' started by Jeff White, Aug 11, 2004.

  1. Jeff White

    Jeff White Guest

    Hi All,
    I've got an Asp.Net application, I've set the loginurl to "login.aspx"
    and my validation is working fine. However, after I log in and navigate to
    "default.aspx" (or whatever page) my session is being reset.

    I create and set some session variables during my login procedure and these
    are all getting reset. Also, once I try to navigate to any other page
    besides the original page, I am prompted to log in again (This second login
    does NOT reset my session.)

    I was originally under the impression that it would only happen when
    navigating to sub-directories, but this is not the case, I've moved
    everything into the root.

    I have the basics set up in my web.config:
    <authentication mode="Forms">
        <forms loginUrl="login.aspx"/>
    </authentication>
    <authorization>
        <deny users="?"/>
    </authorization>

    Any help would be greatly appreciated!
    Jeff White, Aug 11, 2004
    #1

  2. Jeff White

    [MSFT] Guest

    Hi Jeff,

    By default, these behaviours won't occur with a Form authentication. Would
    you please post the code for the login procedure? Additionally, did you
    change the Session object's property anywhere, for example, mode or
    cookieless?

    Luke
    [MSFT], Aug 12, 2004
    #2

  3. Jeff White

    Jeff White Guest

    Hi Luke,
    Here is my login procedure (and accompanying code) I have removed some
    of my database code for this forum, if you need to see, please let me know.

    I have all session settings at default, and only set any session variables
    in the code below.


    <sessionState
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
        cookieless="false"
        timeout="20"
    />

    Thanks for your help!

    CODE BEGINS HERE
    ---------------------------------------------------------------------------
    Private Sub butLogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles butLogin.Click
        Me.pnlPassword.Visible = False
        Me.litMessage.Text = "<FONT COLOR='BLUE'>Validating Credentials</FONT>"
        Me.litMessage.Visible = True
        If ValidateLogin() Then
            BuildSessionVariables()
            Me.litMessage.Text = "<FONT COLOR='GREEN'>WELCOME!</FONT>"

            FormsAuthentication.SetAuthCookie(UserID.Text, False, "/*")
            FormsAuthentication.RedirectFromLoginPage(UserID.Text, False)
        Else
            Me.pnlPassword.Visible = True
            Me.litMessage.Text = "<FONT COLOR='RED'>Error logging in, invalid credentials</FONT>"
        End If
    End Sub


    Private Function ValidateLogin() As Boolean
        Try
            ' [DATABASE VALIDATION CODE]
            myUser = New MySiteUser

            If sTblValidate.Rows.Count > 0 Then
                ' Read the first row only after confirming that one was returned
                UserRow = sTblValidate.Rows(0)
                With UserRow
                    myUser.UserUID = IIf(.IsNull("user_id"), "", .Item("user_id"))
                    ' [ADDITIONAL PROPERTY SETTINGS]
                End With
                ' Keep the validated user object in session state
                Session.Item("myUser") = myUser
                Return True
            Else
                Return False
            End If

        Catch ex As Exception
            Me.litMessage.Text = "Error: " & ex.Message
            Return False
        End Try

    End Function


    Private Sub BuildSessionVariables()
        Session.Item("MenuXML") = BuildMenu()
    End Sub

    ' Builds the menu XML; every link is prefixed with the "webaddress" session value
    Private Function BuildMenu() As String
        Dim strTempMenu As String
        Try
            strTempMenu = "<Menu CssFile='" & Session.Item("webaddress") & _
                "/Menu/menu.css' ImagesBaseDir='" & _
                Session.Item("webaddress") & "/Menu/images/'>"
            strTempMenu += "<Group>"

            strTempMenu += _
                " <Item Label='Logged in as (" & myUser.Called.ToString & ") '>" _
                + " <Group><Item Label='Log out' Href='" & Session.Item("webaddress") _
                + "/Identification/logout.aspx'/></Group></Item>" _
                + " <Item Label='Lists'>" _
                + " <Group>" _
                + " <Item Label='My List' Href='" & Session.Item("webaddress") _
                + "/mylist.aspx?userid=" & myCrypt.EncryptString(myUser.UserUID) & "'/>" _
                + " </Group>" _
                + " </Item>"

            strTempMenu += _
                " <Item Label='Actions'>" _
                + " <Group>" _
                + " <Item Label='Return To Front page' Href='" & Session.Item("webaddress") & "'/>" _
                + " <Item Label='Add To My List'/>" _
                + " <Item Label='Suggest A Gift'/>" _
                + " <Item Label='See my shopping list'/>" _
                + " <Item Label='Give Feedback'/>" _
                + " <Item Label='View/Edit My Profile' Href='" & Session.Item("webaddress") & "/Identification/Profile.aspx'/>" _
                + " </Group>" _
                + " </Item>"

            strTempMenu += "</Group></Menu>"
        Catch ex As Exception
            strTempMenu = "<Menu><Group><Item Label='" & ex.Message & "'/></Group></Menu>"
        End Try
        Return strTempMenu
    End Function
    ---------------------------------------------------------------------------
    CODE ENDS HERE


    Jeff White, Aug 12, 2004
    #3
  4. Jeff White

    [MSFT] Guest

    Hi Jeff,

    I have studied the code and all of it seems to be fine, except that:

    FormsAuthentication.SetAuthCookie(UserID.Text, False, "/*")

    Normally, we don't need to do this in code. You may remove this line and
    test again to see if this will help.

    And here is a good sample for form authentication:

    How To Implement Forms-Based Authentication in Your ASP.NET Application by
    Using C# .NET
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q301240

    Luke
    [MSFT], Aug 13, 2004
    #4
  5. Jeff White

    Jeff White Guest

    Hi Luke,
    Thanks for your replies, they confirmed that my code was mostly right. I
    did find a bug in my code where I set my "webaddress" session variable. I
    was using a slightly different domain name, which was causing a new session
    to be created. I read a posting earlier about a similar issue and didn't
    realize I had committed the same error.

    Thanks again!
    Jeff
    Jeff White, Aug 13, 2004
    #5
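
Both cookie questions raised in this thread, the "/*" path passed to SetAuthCookie and the "webaddress" value that used a slightly different domain name, come down to whether the browser returns the login-time cookies on the next request. The VB.NET console module below is an added example, not code from either poster; it applies the RFC 6265 host and path-match rules, assumes the cookies carry no Domain attribute, and its module name, function names and example.test URLs are hypothetical.

```vbnet
Imports System

' Added example. Module, function names and the example.test URLs are hypothetical.
Module CookieScopeCheck

    ' RFC 6265 section 5.1.4: does a cookie's Path cover the request path?
    Function PathMatches(cookiePath As String, requestPath As String) As Boolean
        If requestPath = cookiePath Then Return True
        If Not requestPath.StartsWith(cookiePath, StringComparison.Ordinal) Then Return False
        ' A prefix only counts when it ends on a "/" boundary.
        Return cookiePath.EndsWith("/", StringComparison.Ordinal) OrElse _
               requestPath(cookiePath.Length) = "/"c
    End Function

    ' Assumption: the cookie was set without a Domain attribute, so it is
    ' host-only and goes back only to the exact host name that issued it.
    Function WouldSend(setBy As Uri, cookiePath As String, nextUrl As Uri) As Boolean
        Dim sameHost As Boolean = String.Equals(setBy.Host, nextUrl.Host, _
                                                StringComparison.OrdinalIgnoreCase)
        Return sameHost AndAlso PathMatches(cookiePath, nextUrl.AbsolutePath)
    End Function

    Sub Report(label As String, setBy As Uri, cookiePath As String, nextUrl As Uri)
        Dim verdict As String = If(WouldSend(setBy, cookiePath, nextUrl), "sent", "NOT sent")
        Console.WriteLine("{0,-32} Path={1,-3} -> {2}: cookie {3}", _
                          label, cookiePath, nextUrl, verdict)
    End Sub

    Sub Main()
        ' Constructed sample URLs: the login page, a page on the same host,
        ' and the same page reached through a slightly different domain name.
        Dim login As New Uri("http://www.example.test/login.aspx")
        Dim sameHost As New Uri("http://www.example.test/default.aspx")
        Dim otherName As New Uri("http://example.test/default.aspx")

        Report("default path, same host", login, "/", sameHost)
        Report("default path, other domain name", login, "/", otherName)
        Report("path ""/*"", same host", login, "/*", sameHost)
    End Sub
End Module
```

When the cookie is not sent, the server sees a request with no session ID and no authentication ticket, so it starts a new session and redirects to the login page.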