Re: ASP.Net [2.0] - SessionID



Hi Clinton

Each to their own. There might be a solution built in but not to everyone's taste. Have you tried using the built-in profiles system to perform queries on thousands of users without retrieving every user? It's not fun. ;)

clintonG wrote:
What a waste of time. ASP.NET 2.0 manages logins using Membership, Roles, and Profiles. Spend more time with the documentation Rob.

<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/


"Rob Meade" <ten.bewdoowsgnikNO-SPAM@xxxxxxxxxx> wrote in message news:dPn9g.68619$wl.30982@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,

I've just put some code together (cobbled is a phrase I like to use) - to handle a secure login to a web based application.

It's not exactly rocket science, a session is created, its ID and user ID are written to the database, each page that requires authentication checks to see if there is a current identity (i.e. a session already) and if so then tries to match that to the one in the database - if everything's OK - great - move on - if not - redirect to the login page.

Now - here's the thing...

I was expecting the Session.SessionID to be unique, not only when a new window is opened, but if the current session is killed off (using Session.Clear / Session.Abandon) - however - it doesn't appear to be - therefore it's not entirely impossible to get logged back in when the details match etc.

For example - I log in...my Session.SessionID in browser 1 is : k2xmyl3fwinxrh45hyp30qbk

I open a second browser and login and my Session.SessionID in browser 2 is: hqbzk4555ivl2ez0nlophy55

Both of these have been written to my database with my user ID (1), now, when I then hit the database and change the UserID to 2 (i.e. causing a no match) I'm prompted to log in (because the UserID / Session.SessionID didn't match) - but when I log in again I am given the same Session.SessionID as I had originally?!

Can anyone advise as to whether it's possible to generate a new Session.SessionID - as I said I was expecting this to have happened automatically having used "Abandon" etc. when logging out, or when there is no match (I have a little Session killing off function etc.).

Any help would be most appreciated,

Regards

Rob
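
Added example, not part of the original thread or written by either poster: Session.Abandon() discards the server-side state but leaves the session cookie in the browser, so the next request presents the same ID and ASP.NET reuses it. The sketch below abandons the session and also expires the cookie so a new ID is issued; the class and method names are hypothetical, and it assumes cookie-based sessions with the default cookie name `ASP.NET_SessionId`.

```csharp
using System;
using System.Web;

// Hypothetical helper (names are illustrative, not from the thread).
// Call it from the logout handler and from the "SessionID / UserID did not
// match the database row" branch, before sending the user to the login page.
public static class SessionReset
{
    // Default name; assumption: <sessionState cookieName="..."> is not overridden.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public static void AbandonAndExpireCookie(HttpContext context, string loginUrl)
    {
        // 1. Drop the server-side state stored under the current ID.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }

        // 2. Abandon() does not touch the cookie. Overwrite it with an empty,
        //    already-expired cookie so the browser stops presenting the old ID
        //    and the next request that uses session state gets a fresh one.
        HttpCookie expired = new HttpCookie(SessionCookieName, string.Empty);
        expired.Expires = DateTime.Now.AddDays(-1);
        expired.HttpOnly = true;
        expired.Secure = context.Request.IsSecureConnection;
        context.Response.Cookies.Add(expired);

        // 3. Redirect so the new ID is created on a clean request. The
        //    (SessionID, UserID) row should only be written after the login
        //    that follows, using the ID seen on that request.
        context.Response.Redirect(loginUrl, false);
    }
}
```

Deleting the old (SessionID, UserID) row in the same code path keeps a stale ID from matching again if it is ever presented.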


