winform security: strange error, where as I expected a redirect


A

Abubakar

Hi,

I have a statement :
Session["username"].ToString();
somewhere in code and of course it gets the username from the session that I
stored earlier. Now I have security configured in the web.config, as :

<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All">
<credentials passwordFormat="Clear">
<user name ="jack" password="jack"/>
<user name="alan" password="alan"/>

</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>

when we dont have session, the security code takes care of redirecting the
users to the login page in case they try to access any page without
authentication. But sometimes its happening that in the statament:
Session["username"].ToString();
I get a "object reference not set to instance of an object", which i
completely understand that it couldnt find Session ["username"] and so the
ToString() failed. But my question is if the session no more contains
"username" (it did few minutes back) it means the session got destroyed
right? So that means that asp.net security should not even let this page
execute its code and redirect to the log in page right?
So whats happening, why the execution if no session and the security in
place?

Thanks,

...ab
 
Ad

Advertisements

B

bruce barker

..net authentication does not use session, so the state of session is
independent of authentication. in you case authentication uses a cookie
(a different cookie then session uses).

if you use inproc sessions, the a recycle can happen that clears session
but has no impact on authenication. also session and authenication
cookies can have different timeouts.

-- bruce (sqlwork.com)
 
Ad

Advertisements

A

Abubakar

So can I sort of bind them together so that one expires the other?

bruce barker said:
.net authentication does not use session, so the state of session is
independent of authentication. in you case authentication uses a cookie (a
different cookie then session uses).

if you use inproc sessions, the a recycle can happen that clears session
but has no impact on authenication. also session and authenication cookies
can have different timeouts.

-- bruce (sqlwork.com)
Hi,

I have a statement :
Session["username"].ToString();
somewhere in code and of course it gets the username from the session
that I stored earlier. Now I have security configured in the web.config,
as :

<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All">
<credentials passwordFormat="Clear">
<user name ="jack" password="jack"/>
<user name="alan" password="alan"/>

</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>

when we dont have session, the security code takes care of redirecting
the users to the login page in case they try to access any page without
authentication. But sometimes its happening that in the statament:
Session["username"].ToString();
I get a "object reference not set to instance of an object", which i
completely understand that it couldnt find Session ["username"] and so
the ToString() failed. But my question is if the session no more contains
"username" (it did few minutes back) it means the session got destroyed
right? So that means that asp.net security should not even let this page
execute its code and redirect to the log in page right?
So whats happening, why the execution if no session and the security in
place?

Thanks,

..ab
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top