Strange Session Restart


I am using form authentication and an InProc cookieless session. The
strange thing is that when an authenticated user tries to navigate to any
page that is in a subfolder of the application root, the session is
restarted and a new session ID is generated. Thus the user would never be
able to access those pages, because each page's InitializeComponent()
checks if (Session.Keys.Count == 0). If yes, then the server transfers the
request to the login.aspx page again.
Does anyone know why the session is restarted? Thanks. The following
are snippets of the web.config and login.aspx:

Web.config
========
<system.web>
  <compilation defaultLanguage="c#" debug="true" />
  <customErrors mode="Off" defaultRedirect="/accessDenied.aspx"/>
  <trace enabled="false" requestLimit="10" pageOutput="false"
         traceMode="SortByTime" localOnly="true" />
  <sessionState mode="InProc" cookieless="true" timeout="20" />

  <authentication mode="Forms">
    <forms
      name="my_Authorization"
      loginUrl="Login.aspx"
      protection="All"
      path="/"
      requireSSL="false"
      slidingExpiration="false">
      <credentials passwordFormat="SHA1"/>
    </forms>
  </authentication>

  <authorization>
    <deny users="?"/>
  </authorization>

</system.web>

<!-- page that does not require login -->
<location path="main.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

<!-- page that does not require login -->
<location path="_Net/forms/StatusChange.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

Login.aspx
==========
private void btnLogin_Click(object sender, System.EventArgs e)
{
    if (Page.IsValid)
    {
        string strAccountName = Server.HtmlEncode(txtAccount.Text);
        string strPassword = Server.HtmlEncode(txtPassword.Text);

        oUserCredential = new User();
        if (oUserCredential.UserCredential(strAccountName, strPassword))
        {
            // Store the authenticated user's details in session state.
            Session["Account"] = oUserCredential.Account;
            Session["UserID"] = oUserCredential.UserId;
            Session["UserOrganization"] = oUserCredential.Organization;
            Session["FirstName"] = oUserCredential.FirstName;
            Session["LastName"] = oUserCredential.LastName;
            Session["UserEmail"] = oUserCredential.Email;
            Session["UserRole"] = oUserCredential.Role;
            Session["SrmRole"] = oUserCredential.SrmRole;

            // Return to the originally requested URL.
            System.Web.Security.FormsAuthentication.RedirectFromLoginPage(
                strAccountName, PersistCookie.Checked);
        }
        else
            Msg.Text = "Invalid Credentials: Please try again. <br/>";
    }
}


