Session data loss during user logged session

Discussion in 'ASP .Net Security' started by peprom, Aug 15, 2007.

  1. peprom

    peprom Guest

    Hello

    I am developing a web application, which is part of an IT project. In my web
    app Administrators can add end-users of this project. My web app is at the
    end of the development process (it is in beta tests now) and it is my first
    asp.net project.
    I am using asp.net 2.0, SqlServer Enterprise and asp.net ajax framework 1.0
    (to make my site modern).
    I am using the forms authentication method in my login page. After an Administrator
    has successfully logged in (I am using FormsAuthenticationTicket to save some
    information such as user role, then I encrypt this information
    using the FormsAuthentication.Encrypt() method and finally I save it
    in Cookie.Value), he chooses one of his profiles - he can have a few
    profiles (I am saving this information simply with the Session.Add method, and then
    check the state of these values and the current User.IsInRole method in every Page_Load
    event). In conclusion - we have an encrypted ticket with some values and the
    session state of the previously chosen profile.
    Yesterday I unexpectedly encountered this strange situation. After
    successful authorization I made some operations, then I pressed the
    back button on my page (which calls the Response.Redirect(Default.aspx) method)
    and suddenly discovered that I had turned into another logged in user (my
    page is in tests and probably a few people were working at the same time as me).
    I was logged in as another user (I had lost my ticket and session and got the
    session and ticket of another user)!! This situation is frightening for me. I
    would prefer the program to crash and send some strange error information than the
    situation above.
    This situation has never happened to me on my local machine and probably can
    happen when 10 or more people are working at the same time.
    For me - this situation shouldn't take place - logged in users should be in
    separate threads for the IIS server and can't cross each other.
    I don't know what to do. I can limit the number of connections to a small number
    (I think this is the fastest method) but I don't know how it deals with ajax.
    I would like to avoid the situation where logged in users suddenly lose their
    sessions because of connection limits.
    I would like to ask you for some advice, articles or examples - how to
    configure IIS for this kind of situation (Sessions etc - I have default
    settings), how to deal with the login process (some patterns and practices -
    this is my first asp.net project).
    I don't know the reason for this situation - maybe the Session is too large (I am
    collecting in session state data from the database to make google-like suggestions
    for a textbox), maybe ajax and the asynchronous calls make this strange
    situation (I am using the UpdatePanel control in my page - every control in my
    page is inside an UpdatePanel).
    Maybe the Ajax Framework (1.0 version) can't deal properly with a big number of
    active sessions..
    Thanks in advance
     
    peprom, Aug 15, 2007
    #1

  2. On Aug 15, 9:22 am, peprom <> wrote:
    > Hello
    >
    > I am developing a web application, which is part of an IT project. In my web
    > app Administrators can add end-users of this project. My web app is at the
    > end of the development process (it is in beta tests now) and it is my first
    > asp.net project.
    > I am using asp.net 2.0, SqlServer Enterprise and asp.net ajax framework 1.0
    > (to make my site modern).
    > I am using the forms authentication method in my login page. After an Administrator
    > has successfully logged in (I am using FormsAuthenticationTicket to save some
    > information such as user role, then I encrypt this information
    > using the FormsAuthentication.Encrypt() method and finally I save it
    > in Cookie.Value), he chooses one of his profiles - he can have a few
    > profiles (I am saving this information simply with the Session.Add method, and then
    > check the state of these values and the current User.IsInRole method in every Page_Load
    > event). In conclusion - we have an encrypted ticket with some values and the
    > session state of the previously chosen profile.
    > Yesterday I unexpectedly encountered this strange situation. After
    > successful authorization I made some operations, then I pressed the
    > back button on my page (which calls the Response.Redirect(Default.aspx) method)
    > and suddenly discovered that I had turned into another logged in user (my
    > page is in tests and probably a few people were working at the same time as me).
    > I was logged in as another user (I had lost my ticket and session and got the
    > session and ticket of another user)!!


    I think it's a bug somewhere in the code; check again how you
    authenticate the users.

    In general, if you store the FormsAuthenticationTicket in a cookie then
    you don't need to use the Session object.
    In global.asax create a new GenericPrincipal instance, add the roles
    and assign it to the current user:

    // Global.asax (needs System.Web.Security and System.Security.Principal)
    protected void Application_OnAuthenticateRequest(Object src, EventArgs e)
    {
        HttpContext currentContext = HttpContext.Current;
        if (currentContext.User != null)
        {
            if (currentContext.User.Identity.IsAuthenticated)
            {
                if (currentContext.User.Identity is FormsIdentity)
                {
                    FormsIdentity id = currentContext.User.Identity as FormsIdentity;
                    FormsAuthenticationTicket ticket = id.Ticket;
                    string userData = ticket.UserData;
                    // UserData carries the roles of the currently logged-on user
                    // as a comma-separated list (written when the ticket was issued);
                    // split it into the string array GenericPrincipal expects.
                    string[] userRoles = userData.Split(
                        new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
                    currentContext.User = new GenericPrincipal(id, userRoles);
                }
            }
        }
    }

    More info can be found here
    http://msdn2.microsoft.com/en-us/library/Aa289844(VS.80).aspx

    Hope this helps
     
    Alexey Smirnov, Aug 15, 2007
    #2

  3. peprom

    peprom Guest

    Hello

    First of all, thanks for your immediate answer. I have done some tests of my
    app (with Visual Studio Team Suite) and made a load test. During the test
    (where the computer simply was logging in, viewing some things, logging out etc) I
    turned on the browser and tried to work. I collected the above
    error but I heaved a sigh of relief when I discovered that no ticket
    is taken from another user, only some session variables.
    My end user, after successful authorization, chooses one thing from a
    radiobutton (this value is stored in session) and on the page the UserName is visible
    (LoginName web control).
    While the test lasts, sometimes I collected the LoginName of the user who was
    authorizing in the load test, but when I made another request, my user name changed
    to the correct user name and I was able to work only with the privileges of the currently
    logged in user.
    But this situation is strange .. My LoginName control gets the username of
    another user, who is currently performing some operations (automated by the
    load test) ..
    I have changed my session settings to store in SQL Server..
    It seems that some values of another Session collection (of another user)
    are going inside my current Session collection and temporarily (until the next
    request) replace it.
    Or maybe it is an ajax feature/issue and I should make the page reload.. I
    don't know - this situation appears only when the number of currently logged in
    users increases.
    My current session settings are: SqlServerMode, timeout 20, cookieless false.
    Maybe I should decrease the timeout? My FormsAuthenticationTicket is set to 20
    minutes and I don't know if it is a good setting.
    Maybe I should add some code inside the OnSessionStart event in the Global.asax
    file, but what should I add?
    Maybe I should check something in the PreInit event of the page life cycle?
    Any advice?
    Thanks
     
    peprom, Aug 17, 2007
    #3
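Added example, not code from any post in this thread: the login side of the approach Alexey describes (roles carried in the ticket's UserData, which his Application_OnAuthenticateRequest then turns into a GenericPrincipal), plus a Page_Load check for the symptom peprom reports, where Session values of another user show up under the current identity. The session key "ProfileOwner", the class names and the 20-minute lifetime are assumptions chosen for the example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Issues the forms ticket with the user's roles in UserData, so identity and
// roles travel together in one encrypted, signed cookie instead of in Session.
public static class TicketHelper
{
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(20),      // matches the 20-minute setting in the thread
            false,                            // not persistent
            string.Join(",", roles),          // UserData: comma-separated roles
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                        // not readable by page script
        cookie.Secure = FormsAuthentication.RequireSSL; // follow web.config requireSSL
        response.Cookies.Add(cookie);
    }
}

// Binds the Session to the authenticated identity: profile data stored in
// Session is only trusted while it belongs to the user named in the ticket.
public partial class ProfilePage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // "ProfileOwner" is an assumed key recorded on the session's first use.
        string owner = Session["ProfileOwner"] as string;
        if (owner == null)
        {
            Session["ProfileOwner"] = User.Identity.Name;
            return;
        }

        // Session state that names a different user is not acted upon: drop it
        // and force a fresh login instead of showing or using foreign data.
        if (!string.Equals(owner, User.Identity.Name, StringComparison.Ordinal))
        {
            Session.Abandon();
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

Logging the mismatch (owner, User.Identity.Name, Session.SessionID) before abandoning the session gives a record of how often the cross-over actually occurs under load.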
  4. Hello Sir
    I have just read your blog, it's really very helpful... I am also very new to .net. I made one project in asp.net using C#, but I am having one problem: I am using session variables to carry some values throughout the project, but there is one problem, because of the session variables' timeout the page has expired... Please sir, give me your valuable suggestions... thanks... I am waiting for your response.
     
    Navneet khehra, Sep 11, 2007
    #4