J
js
I am using form authentication and InProc cookieless session. The
strange thing is that when an authenticated user try to navigate to any
page that is in subfolder of the application root, the session is
restarted and new session id is generated. Thus the user would never
be able to access those pages because each page's InitializeComponent()
checks if (Session.Keys.Count == 0). If yes, then server transfer the
request to login.aspx page again.
Does anyone know why the session is restarted? Thanks. The following
are snippets of the web.config and login.aspx:
Web.config
========
<system.web>
<compilation defaultLanguage="c#" debug="true" />
<customErrors mode="Off" defaultRedirect="/accessDenied.aspx"/>
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true" />
<sessionState mode="InProc" cookieless="true" timeout="20" />
<authentication mode="Forms">
<forms
name="my_Authorization"
loginUrl="Login.aspx"
protection="All"
path="/"
requireSSL="false"
slidingExpiration="false">
<credentials passwordFormat = "SHA1"/>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<!-- page that does not require login -->
<location path="main.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<!-- page that does not require login -->
<location path="_Net/forms/StatusChange.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Logoin.aspx
=========
private void btnLogin_Click(object sender, System.EventArgs e)
{
if (Page.IsValid)
{
string strAccountName = Server.HtmlEncode(txtAccount.Text);
string strPassword = Server.HtmlEncode(txtPassword.Text);
oUserCredential = new User();
if(oUserCredential.UserCredential(strAccountName, strPassword))
{
Session["Account"] = oUserCredential.Account;
Session["UserID"] = oUserCredential.UserId;
Session["UserOrganization"] = oUserCredential.Organization;
Session["FirstName"] = oUserCredential.FirstName;
Session["LastName"] = oUserCredential.LastName;
Session["UserEmail"] = oUserCredential.Email;
Session["UserRole"] = oUserCredential.Role;
Session["SrmRole"] = oUserCredential.SrmRole;
// Return to the originally requested URL.
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(strAccountName,PersistCookie.Checked);
}
else
Msg.Text = "Invalid Credentials: Please try again. <br/>";
}
strange thing is that when an authenticated user try to navigate to any
page that is in subfolder of the application root, the session is
restarted and new session id is generated. Thus the user would never
be able to access those pages because each page's InitializeComponent()
checks if (Session.Keys.Count == 0). If yes, then server transfer the
request to login.aspx page again.
Does anyone know why the session is restarted? Thanks. The following
are snippets of the web.config and login.aspx:
Web.config
========
<system.web>
<compilation defaultLanguage="c#" debug="true" />
<customErrors mode="Off" defaultRedirect="/accessDenied.aspx"/>
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true" />
<sessionState mode="InProc" cookieless="true" timeout="20" />
<authentication mode="Forms">
<forms
name="my_Authorization"
loginUrl="Login.aspx"
protection="All"
path="/"
requireSSL="false"
slidingExpiration="false">
<credentials passwordFormat = "SHA1"/>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<!-- page that does not require login -->
<location path="main.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<!-- page that does not require login -->
<location path="_Net/forms/StatusChange.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Logoin.aspx
=========
private void btnLogin_Click(object sender, System.EventArgs e)
{
if (Page.IsValid)
{
string strAccountName = Server.HtmlEncode(txtAccount.Text);
string strPassword = Server.HtmlEncode(txtPassword.Text);
oUserCredential = new User();
if(oUserCredential.UserCredential(strAccountName, strPassword))
{
Session["Account"] = oUserCredential.Account;
Session["UserID"] = oUserCredential.UserId;
Session["UserOrganization"] = oUserCredential.Organization;
Session["FirstName"] = oUserCredential.FirstName;
Session["LastName"] = oUserCredential.LastName;
Session["UserEmail"] = oUserCredential.Email;
Session["UserRole"] = oUserCredential.Role;
Session["SrmRole"] = oUserCredential.SrmRole;
// Return to the originally requested URL.
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(strAccountName,PersistCookie.Checked);
}
else
Msg.Text = "Invalid Credentials: Please try again. <br/>";
}