I have a web application developed in asp.net
The application has a "logon" portal where I record users logging on. However, I don't really know when they have exited the web application as they could just shut down the browser, rather than using the "logout" option. As IIS keeps track of session variables for a finite period when users logon, I thought a really useful option would be to use my ASP.net application to interrogate IIS for the value of all session variables, thus telling me who is still active via their session variables.
This could be very useful when it comes to dropping in an upgrade to the website and generally looking at the use of the site.
Thanks
session object. But it only tells me about the current user.
Related
I have a web application built by ASP.NET Web API and the database is Oracle.
When I published the site on the IIS and run it, I recognized the following:
I found many records in the view DBA_AUDIT_SESSION and that's records LOGOFF/LOGON in the order.
After that, I let the site open for a while on a tab in the Chrome Browser without any interaction from me and I found many records LOGOFF, then return to the tab and open a page included it, and I found new records was generated on that view but with Action LOGON.
My question is:
1-That's normal or my application has an issue?
I analyzed that, but maybe I was wrong:
I think when the site run using IIS, all the old sessions will be LOGOFF, and after the application run on the browser, new sessions will be generated, and when the application sleep "without any interaction" the session will be LOGOFF and after return to the application and ask for a page included it, the application will ask a data from the database using an API and that connection will register as LOGON action.
Another question:
I check the main view DBA_AUDIT_TRAIL and I found the Action LOGON come with comment_text explain the Authentication process, and in my case, it comes with:
Authenticated by: DATABASE;
My question is in every LOGON action the port changed, why that?
Establishing a database connection is a pretty expensive operation. Ideally a web application should be using a connection pool, so that you create create pool of database sessions initially and they remain there for the life of the application. The app tier will ask for a connection from the pool as it needs to interact with the database.
So utopia is to see an initial set of LOGON records and then no LOGOFF records until your shut the application down.
I have a web application (.net VB code) that utilizes session variables to store the username (here login name) and the profile (admin/client), authentication is handeled by asp membership. The application then relies on these session variables on the load events. This application has been running fine for a couple of years. However, recently users complain about occasional error messages after logging in and attempting to load a new page that needs one of these variables. It happens most frequently Chrome, but also IE and Firefox.
Users that experience the error need to log out and clear the browsing history, after that it works again. The error is not easy to replicate - I was able to trigger it on my machine 'violently' using the 'back' button a couple of times that eventually tripped it - then I had to clear my browsing history to get the application to work again.
What might cause this to happen?
the session gets set on the load event of the 'login' page with 'Session("Type") = "Admin"' and subsequent pages check for the value of Session "Type"
I understand that I could use a cookie instead, but I chose not to for security reasons. Could this be prevented using a cookie instead? or do I need to use the membership.getuser method to get the username and then look up the values in the database? That does not seem efficient.
Ideas?
FYI, the ASP.NET Session ID is stored in a cookie that travels back and forth with each request/response. The actual session state values for a given session are not stored in cookies ... they are stored on the server only. They could be stored in memory, or in a SQL database, depending on how you've configured ASP.NET Session State.
But Session State can get destroyed for a variety of reasons. IIS might suddenly decide to restart your Application Pool, for example, in which case all your Session State would be gone.
Basically, you need to write your web app to always handle the possibility that Session State may be empty. If it is empty, then you probably need to redirect the user to the login screen to enter his credentials again.
Clearing the browsing history should have no effect, so I can't explain why that would help get past the problem.
In my ASP.NET project, I am using Forms authentication. My main.master using LoginStatus control and web.config is set up for "Forms" authentication mode.
Before I log in, the control shows the text as "Login." After I log in, the control shows the text as "Logout." This is expected. However, after clicking around on a few links within the site, the control suddenly starts showing "Login" although I am still logged in. The session is still alive as some of the pages I visit dumps some session information.
Would appreciate if something can point me in the right direction. Regards.
If you are trying to redirect after setting a Session variable using
Response.Redirect("YourPage.aspx");
this may be causing the session token to gets lost, try using the overloaded version of Redirect:Response.Redirect("~/YourPage.aspx", false);
Another problem also may be miss configuration of application pool. If the application pool is configured as a web farm or a web garden (by setting the
maximum number of worker processes to more than one) and if you're
not using the session service or SQL sessions, incoming requests will
unpredictably go to one of the worker processes, and if it's not the
one the session was created on, it will get lost.
The solutions to this is either not to use a web garden if you don't need the
performance boost, or use one of the out of process session
providers.
For more information you can check the link of the original article below: http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_
Greetings,
What do I have to consider when you are coding an ASP .Net website in regards to if the application will run in a environment where there is a load balancer for the IIS?
All user sessions are running by them self with no shared data between sessions. Single connections to MSSQL. Images and files for download will be hosted on one single server.
Windows Server 2008's, C# and .Net 4.0.
The most obvious item is session state. If you are load balancing, multiple requests from the same user may move between servers. The default session provider for ASP.NET (in-proc) doesn't support this (the user would get a new session each time they moved). The easiest solutions are to move to a ASP.NET state server or SQL Server sessions.
FYI: Both of these solutions require that everything that you put into Session be [Serializable]. The in-proc provider doesn't have this requirement, so you may see some runtime errors and need to modify your code when you change providers.
You're going to need to move your session state into the session state service. Avoid keeping objects in session...if you must keep an object in session, make sure it's marked with the Serializable attribute (this is how it is stored, by serialization).
In general, avoid using Sessions. Keep in mind that ASP.Net Session != FormAuthentication. Chances are that your database will be a bottleneck long before the web server, depending on the nature of the application.
I need to log sessions to database on my asp.net website: who and when started and finished the session. I've configured odbc logging on my iis server but unfortunately there is no such information being logged (or I can't see it). How can I do it either on asp.net website (but simply because there are hundreds of pages and I can't modify each one) or my iis logging?
I'd use a good logging library (Enterprise Library or Log4Net), and write logging code in the Session_Start and Session_End event handlers in Global.asax.
Be aware, however, that if you are using SqlServerSessionState, the Session_End event doesn't fire.
Edit: Actually, if you need to log the user name, you might find it more appropriate to log the session start from the Application_AuthenticateRequest, where the identity will have been established. This will not strictly be the start of the session, but the fact is that unless you are using integrated Windows security, the user's identity will not be established when the session is created.