Re: ASP.Net [2.0] - SessionID



Hi Clinton

Each to their own. There might be a solution built in but not to everyone's taste. Have you tried using the built-in profiles system to perform queries on thousands of users without retrieving every user? It's not fun. ;)

clintonG wrote:
What a waste of time. ASP.NET 2.0 manages logins using Membership, Roles, and Profiles. Spend more time with the documentation Rob.

<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/


"Rob Meade" <ten.bewdoowsgnikNO-SPAM@xxxxxxxxxx> wrote in message news:dPn9g.68619$wl.30982@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,

I've just put some code together (cobbled is a phrase I like to use) - to handle a secure login to a web based application.

It's not exactly rocket science, a session is created, its ID and user ID are written to the database, each page that requires authentication checks to see if there is a current identity (ie a session already) and if so then tries to match that to the one in the database - if everything's ok - great - move on - if not - redirect to the login page.

Now - here's the thing...

I was expecting the Session.SessionID to be unique, not only when a new window is opened, but if the current session is killed off (using Session.Clear / Session.Abandon) - however - it doesn't appear to be - therefore it's not entirely impossible to get logged back in when the details match etc..

For example - I log in...my Session.SessionID in browser 1 is : k2xmyl3fwinxrh45hyp30qbk

I open a second browser and login and my Session.SessionID in browser 2 is: hqbzk4555ivl2ez0nlophy55

Both of these have been written to my database with my user ID (1), now, when I then hit the database and change the UserID to 2 (ie, causing a no match) I'm prompted to log in (because the UserID / Session.SessionID didn't match) - but when I log in again I am given the same Session.SessionID as I had originally?!

Can anyone advise as to whether it's possible to generate a new Session.SessionID - as I said I was expecting this to have happened automatically having used "Abandon" etc when logging out, or when there is no match (I have a little Session killing off function etc)..

Any help would be most appreciated,

Regards

Rob
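
The behaviour described in the post above comes from the browser keeping its session cookie after Session.Abandon, so ASP.NET reuses the ID it is sent. The following is an added example, not code from this thread or from either poster: a helper that expires the cookie so the next request gets a fresh ID. The class and method names are hypothetical, and it assumes the default cookie name `ASP.NET_SessionId` and cookie-based session state.

```csharp
using System;
using System.Web;

// Added example (hypothetical helper), written against ASP.NET 2.0 System.Web.
public static class SessionReset
{
    // Assumption: <sessionState cookieName="..."> has not been changed from the default.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Call on logout and whenever the SessionID/UserID pair fails the database check.
    public static void AbandonAndForceNewId(HttpContext context, string loginUrl)
    {
        // Discards the server-side session data. The browser still holds the
        // old ID in its cookie and would present it again on the next request.
        context.Session.Clear();
        context.Session.Abandon();

        // Overwrite the cookie with an empty, already-expired one so the browser
        // drops it. The next request arrives without an ID and ASP.NET creates one.
        HttpCookie blank = new HttpCookie(SessionCookieName, string.Empty);
        blank.HttpOnly = true;
        blank.Expires = DateTime.UtcNow.AddDays(-1);
        context.Response.Cookies.Add(blank);

        // The new ID only exists from the next request onwards, so send the
        // browser to the login page instead of rendering it in this request.
        context.Response.Redirect(loginUrl, false);
    }

    // Call after the credentials have been verified, on a request that
    // followed the redirect above. Returns the ID to store with the user ID.
    public static string PinSessionForUser(HttpContext context, int userId)
    {
        // With cookie-based session state, ASP.NET hands out a new ID on every
        // request until something is stored in the session. Storing a value
        // here fixes the ID before it is written to the database.
        context.Session["UserId"] = userId;
        return context.Session.SessionID;
    }
}
```

Rotating the ID at login as well as at logout also means an ID that was known before authentication is never the one bound to the user ID in the database.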


