I am working on an ASP.NET website, and trying to track active Sessions.
I write to a log file whenever a session is created or ended via the Session_OnStart and Session_OnEnd events.
What I am noticing is that when a user navigates to the webpage, it creates a Session with a Session ID for that user, like I expect, but when the user selects to log off and gets redirected to the homepage, Session_OnEnd is fired, but immediately after that Session_OnStart is fired with the same SessionID.
Why is this?
Since the previous session ends, its ID is no longer valid (it does not matter if an end-user is logged in or not). As described in this article:
A new session automatically starts whenever the server receives a request that does not contain a valid SessionID cookie.
So, a new session starts for this user as soon as any request from him/her is received after the session has ended.
This is what the Microsoft article says:
A browser that does not support cookies does not return the SessionID cookie, the server creates a new session each time the user requests a page. Thus, for each request, the server processes the Session_OnStart script and redirects the user to the starting page.
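As an added example (not code from the question or from either answer), here is a Global.asax code-behind that logs both events, together with a logoff handler. It relies on two facts: Session_End is raised only when sessionState mode is InProc, and Session.Abandon() does not remove the ASP.NET_SessionId cookie, so the request that follows the logoff redirect still carries the old ID and ASP.NET starts the new session under it, which is exactly the "same SessionID" the question observes. Expiring that cookie at logoff makes the next session get a fresh ID (which also closes the usual session-fixation hole). The handler name, the Trace log sink and the default cookie name ASP.NET_SessionId are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.SessionState;

// Global.asax code-behind (added example). Logging goes to System.Diagnostics.Trace here;
// swap in the application's own log file.
public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        // Raised for every request that arrives without a valid session ID cookie.
        Trace.WriteLine(string.Format("{0:o} SESSION START id={1}", DateTime.UtcNow, Session.SessionID));
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Raised on Session.Abandon() or on timeout, and only with sessionState mode="InProc".
        Trace.WriteLine(string.Format("{0:o} SESSION END   id={1}", DateTime.UtcNow, Session.SessionID));
    }
}

// Logoff.ashx (assumed name): ends the session and forces a *new* ID on the next request.
public class Logoff : IHttpHandler, IRequiresSessionState
{
    public void ProcessRequest(HttpContext context)
    {
        context.Session.Abandon();   // raises Session_End (InProc) and discards the session data

        // Abandon() leaves the ASP.NET_SessionId cookie in the browser. Without this step the
        // redirected request still carries the old ID and ASP.NET starts the new session with it,
        // which is why Session_OnStart fires with the same SessionID. Expiring the cookie makes
        // the next request arrive with no session ID, so a fresh one is generated.
        context.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        context.Response.Redirect("~/", false);   // endResponse:false avoids ThreadAbortException
        context.ApplicationInstance.CompleteRequest();
    }

    public bool IsReusable { get { return false; } }
}
```

With the cookie expired, the log shows SESSION END for the old ID followed by SESSION START for a different ID; without that step the two IDs are identical, as described in the question.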
This is a general question regarding web session management.
What is the best practice approach to managing session timeout?
Assume a system where a user logs in, a session is created on the server, and a token identifier is sent back to the client (via httpOnly cookie).
If the user attempts some access-based check where the session is validated, presumably it makes sense to update an expiry time on the session in the DB. Does this also mean that when this happens, we should update the expiry time on the session token cookie to match?
This seems like the most obvious solution to me, but constantly rewriting the cookie seems like a lot of overhead.
Any insight into best-practice approaches is greatly appreciated. Thanks!
How to manage session timeout to keep the user logged in and prevent him/her from being accidentally logged out?
To keep the user logged in, it is not necessary to constantly rewrite the cookie. All you need to do is set the session token cookie's expiry to Session; then, as long as the browser is open (the client keeps using your site), the session token cookie is valid. The server does not need to know the session expiry time (as there is no longer a pre-defined session expiry time), let alone store it in the DB. After the user closes the browser, the session token cookie is cleared, and the session is terminated (invalidated).
Normally, there will be a "session timeout" setting in server, such as session-timeout in Struts2, which kills the session if client doesn’t make any request after some time.
How to keep the session valid even if the user closes the browser? That is, how to implement the "remember me for 1 week" feature?
To implement this feature, a new token cookie is used (e.g. RememberMeToken). When the user logs in successfully (possibly having enabled the "Remember me" checkbox on the UI), the server will generate a unique random token and store it in the DB (together with its expiry time, for security reasons), bound to the user account. This RememberMeToken cookie's expiry time is pretty long (1 week, for example), and it will be sent back to the browser together with the login response.
When the user closes the browser and re-visits the site later (or the user is inactive for a long time and the session is killed on the server side), the server checks the session token cookie and finds it missing/invalid. At this point, the RememberMeToken will be checked and compared with the token stored in the DB; if there is a match, the server will perform an auto-login for the corresponding user and return a newly generated session token cookie to the browser. This all happens in the backend; the client user won't notice anything.
One week after the user enabled the "Remember me" checkbox on the UI and logged in, the RememberMeToken cookie expires, and the user needs to log in again if he/she opens the browser and visits the site.
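The token flow described in this answer, as an added example for ASP.NET (System.Web) that is not the poster's code. The DB table is stood in for by an in-memory dictionary labelled as such; the cookie name RememberMeToken and the 1-week lifetime come from the answer. Two choices go beyond the answer's text and are mine: only a SHA-256 hash of the token is stored, so a leaked table does not yield usable cookies, and each token is consumed on use and replaced (rotation), so a stolen token that is replayed after the legitimate browser used it no longer matches. Tokens are hex-encoded because an ASP.NET cookie value containing "=" or "&" is parsed into sub-keys.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example: a "remember me" token bound to a user account with its own expiry.
public sealed class RememberMeRecord
{
    public string UserId;
    public DateTime ExpiresUtc;
}

// Stand-in for the DB table the answer describes; keyed by the token's SHA-256 hash.
public static class RememberMeStore
{
    private static readonly ConcurrentDictionary<string, RememberMeRecord> Records =
        new ConcurrentDictionary<string, RememberMeRecord>(StringComparer.Ordinal);

    public static void Save(string tokenHash, RememberMeRecord r) { Records[tokenHash] = r; }
    public static bool TryGet(string tokenHash, out RememberMeRecord r) { return Records.TryGetValue(tokenHash, out r); }
    public static void Remove(string tokenHash) { RememberMeRecord ignored; Records.TryRemove(tokenHash, out ignored); }
}

public static class RememberMe
{
    public const string CookieName = "RememberMeToken";
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(7);

    // Call after a successful login when the "Remember me" box was ticked.
    public static void Issue(string userId, HttpResponse response)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(raw); }
        string token = BitConverter.ToString(raw).Replace("-", "");   // 64 hex chars, cookie-safe
        DateTime expires = DateTime.UtcNow.Add(Lifetime);

        // Store only the hash, bound to the account, together with the expiry.
        RememberMeStore.Save(Hash(token), new RememberMeRecord { UserId = userId, ExpiresUtc = expires });

        response.Cookies.Add(new HttpCookie(CookieName, token) { HttpOnly = true, Secure = true, Expires = expires });
    }

    // Call when the session token cookie is missing or invalid. Returns true and the user id
    // when the browser presents a stored, unexpired token; the caller then creates the session.
    public static bool TryAutoLogin(HttpRequest request, HttpResponse response, out string userId)
    {
        userId = null;
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        string hash = Hash(cookie.Value);
        RememberMeRecord record;
        if (!RememberMeStore.TryGet(hash, out record)) return false;

        RememberMeStore.Remove(hash);             // single use: consumed whether valid or expired
        if (record.ExpiresUtc <= DateTime.UtcNow)
        {
            ExpireCookie(response);               // expired: force a real login
            return false;
        }

        userId = record.UserId;
        Issue(userId, response);                  // rotate: hand the browser a fresh token
        return true;
    }

    // Call from the logout handler so the long-lived token cannot outlive the login.
    public static void Revoke(HttpRequest request, HttpResponse response)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value)) RememberMeStore.Remove(Hash(cookie.Value));
        ExpireCookie(response);
    }

    private static void ExpireCookie(HttpResponse response)
    {
        response.Cookies.Add(new HttpCookie(CookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true, Secure = true
        });
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(token))).Replace("-", "");
    }
}
```

Typical wiring: the login handler calls RememberMe.Issue after verifying credentials; a request that arrives without a valid session calls RememberMe.TryAutoLogin and, on true, builds the session for the returned user before continuing; the logout handler calls RememberMe.Revoke so logging out also cancels the remembered login.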
Can anyone tell me how I can start the session timeout after the click of the Login Button?
In my case, the moment I run the application and go to the Login page, the session timeout gets started, but I need to start the session timeout once the Login Button is clicked on the LogOn Screen.
One more thing related to the above issue: the moment the session expires, it redirects me to the Login Screen (that is fine), but it makes me enter the Login Credentials twice, and once I enter the credentials the second time, it takes me to further pages.
Awaiting your response. Thanks.
For your information, the session timeout will reset automatically after every event performed by the user, so you should not be worried about that; when the user clicks on the login button, it will reset the session timeout.
You don't need to worry about the Session timeout. The Session always initiates at your application's startup, but the Session timeout resets on any postback or any request to the server.
Session would appear to be the wrong thing for what you are trying to achieve. Either a custom timer object embedded in the session would work, or forms auth tickets which would start when you logged in.
Simon
I have an asp.net login page, which when initialized sets some session variables. When the user clicks login, an AJAX request is made which validates the user and sets additional session variables and returns a result to the client. The client is then redirected based on the login result. In the redirected page, I can access the session variables set when the login page was initialized (i.e. before the login) but none are present for those set during the login validation (part of an ajax call).
Is this expected behaviour? Why would an AJAX call generate a new session and thus cause the data to be lost?
Thanks
Is the location for your AJAX call in the same application space as the rest of the application? If I remember right, you can't share session information between applications. That may be what's going on.
Normally the browser sends the session id along with AJAX requests. If you use Firebug or something similar, you can view the contents of the AJAX request and check if the session id is sent along.
The session id is stored in a cookie, which (depending on options) can only be used for the same domain/host name. This could be a reason why it is not sent.
Depending on your code, I guess that if no session id was sent a new one is created.
The session id is stored in a cookie, which is returned in the header of the response. As you are doing an AJAX call, the cookie is just part of the response. If you want to use the same session for another request, you have to get that cookie and send it along in the header of the request.
I am creating a content management system, but there is one problem. What I want to do in my website is that when a user opens the website a new sessionid is created for that user, and when the user closes the website, the sessionid is cleared. How can I do it?
There isn't a way to detect when a user closes your site or navigates away from your site. After a given period of inactivity (default 20 min), the user's session object will expire and be automatically cleared. I suggest checking out the MSDN article on Session, which will go over your options for tweaking your application's Session.
If on the other hand you're looking to perform custom logic when a user's session begins or expires (due to inactivity), you can add a Global.asax file to your application and use the Session_Start and Session_End methods for that.
That is basically the default behaviour of sessions in ASP.NET.
When a user closes the browser, the non-persistent cookie maintaining the Session ID will be dropped. This wouldn't actually expire the session, but since no reference to it will exist anymore, it will expire automatically within the default 20 minutes. Users revisiting your site after closing the browser window would have to use a new session.
An easy solution which works independently of Asp.net is to put timestamps on your session data and delete expired entries periodically.
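The timestamp-and-sweep approach from the last answer, written out as an added example (not the poster's code): each entry records its last access, a lookup refreshes that timestamp (sliding expiry), and a periodic Sweep deletes anything idle past the timeout. It does not depend on ASP.NET; the clock is injectable so the expiry logic can be unit-tested without waiting. The class and member names are mine.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Added example: framework-independent session store with per-entry timestamps.
public sealed class SessionEntry<T>
{
    public T Data;
    public DateTime LastAccessUtc;
}

public sealed class TimestampedSessionStore<T>
{
    private readonly ConcurrentDictionary<string, SessionEntry<T>> _entries =
        new ConcurrentDictionary<string, SessionEntry<T>>(StringComparer.Ordinal);
    private readonly TimeSpan _idleTimeout;
    private readonly Func<DateTime> _clock;   // injectable clock: tests can advance time deterministically

    public TimestampedSessionStore(TimeSpan idleTimeout, Func<DateTime> clock = null)
    {
        _idleTimeout = idleTimeout;
        _clock = clock ?? (() => DateTime.UtcNow);
    }

    // Create or overwrite a session; its timestamp starts now.
    public void Set(string sessionId, T data)
    {
        _entries[sessionId] = new SessionEntry<T> { Data = data, LastAccessUtc = _clock() };
    }

    // Sliding expiry: a hit refreshes the timestamp. An entry already past the idle timeout is
    // treated as absent and removed, even if the sweep has not run yet.
    public bool TryGet(string sessionId, out T data)
    {
        SessionEntry<T> entry;
        if (_entries.TryGetValue(sessionId, out entry) && !IsExpired(entry))
        {
            entry.LastAccessUtc = _clock();
            data = entry.Data;
            return true;
        }
        Remove(sessionId);
        data = default(T);
        return false;
    }

    public void Remove(string sessionId)
    {
        SessionEntry<T> ignored;
        _entries.TryRemove(sessionId, out ignored);
    }

    // Periodic cleanup; returns how many expired sessions were deleted.
    public int Sweep()
    {
        int removed = 0;
        foreach (KeyValuePair<string, SessionEntry<T>> kv in _entries)   // ConcurrentDictionary enumeration is safe under mutation
        {
            if (!IsExpired(kv.Value)) continue;
            SessionEntry<T> ignored;
            if (_entries.TryRemove(kv.Key, out ignored)) removed++;
        }
        return removed;
    }

    public int Count { get { return _entries.Count; } }

    private bool IsExpired(SessionEntry<T> entry)
    {
        return _clock() - entry.LastAccessUtc >= _idleTimeout;
    }
}
```

In a web application the sweep runs from a timer, for instance a System.Threading.Timer created at application start that calls store.Sweep() every minute; because TryGet also refuses expired entries, a session that timed out between sweeps is still rejected on its next use.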
I have an ASP.NET application; in my login page I call
FormsAuthentication.SignOut()
Session.Abandon()
Session.Clear()
However, AppScan takes the ASPXAUTH cookie value and, after logout, is able to re-inject the cookie value to gain access to protected pages.
Microsoft has acknowledged a problem but only offers advice not a fix - http://support.microsoft.com/kb/900111
Can someone provide examples of how to fix this issue?
One option is to have a UserSession table and insert a record into this table when the user logs in. When you logout either delete the entry or mark it invalid. On the secure pages, verify that a UserSession exists for the logged in user and redirect to a login page if it does not.
Set a session value on login, clear it on logout and check it on each access to a secure page. The session value is not sent to the client and as such the client/attacker cannot manipulate it.
Walkthrough without the session value cleared on exit:
user visits login page - generates viewstate
man-in-the-middle-hacker collects viewstate
user submits login form - generates auth cookies
man-in-the-middle-hacker collects auth cookies
user logs out - server clears users cookies
man-in-the-middle-hacker continues to use previous credentials completely unhindered
game over
Walkthrough with the session value cleared on exit:
user visits login page - generates viewstate
man-in-the-middle-hacker collects viewstate
user submits login form - generates auth cookies
man-in-the-middle-hacker collects auth cookies
user logs out - server clears users cookies and sets its internal session flag value to null
man-in-the-middle-hacker continues to use the previous credentials, but because the session he is working with now has the value null, the server redirects to the login page.
win!
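Combining the two answers above (the UserSession record and the server-side session flag) as an added example for ASP.NET forms authentication; this is not code from either poster. On login a random marker is stored in the session and registered server-side against the user name; logout removes both; an IHttpModule then refuses any request whose .ASPXAUTH cookie authenticates a user for whom no live marker exists, which is exactly the replayed-cookie case AppScan reported. The in-memory ActiveLogins dictionary stands in for the UserSession table (a real table is needed when more than one server handles requests); class, key and module names are mine.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example: tie a forms-auth login to a server-side record so a replayed auth cookie
// is rejected once the user has logged out.
public static class LoginRegistry
{
    public const string SessionKey = "LoginMarker";

    // marker -> user name; an entry exists only while the login is live. Stand-in for UserSession.
    private static readonly ConcurrentDictionary<string, string> ActiveLogins =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    // Call after the credentials have been verified.
    public static void RegisterLogin(HttpContext context, string userName)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(raw); }
        string marker = BitConverter.ToString(raw).Replace("-", "");

        ActiveLogins[marker] = userName;          // "insert a row into UserSession"
        context.Session[SessionKey] = marker;     // server-side only; the client never sees it
        FormsAuthentication.SetAuthCookie(userName, false);
    }

    // Call from the logout handler. Clearing the record is what makes a captured cookie useless.
    public static void Logout(HttpContext context)
    {
        var marker = context.Session[SessionKey] as string;
        if (marker != null) { string ignored; ActiveLogins.TryRemove(marker, out ignored); }
        context.Session.Remove(SessionKey);
        FormsAuthentication.SignOut();
        context.Session.Abandon();
    }

    // True only when the session carries a marker that is registered to the authenticated user.
    public static bool IsLoginLive(HttpContext context)
    {
        var marker = context.Session[SessionKey] as string;
        string owner;
        return marker != null
            && ActiveLogins.TryGetValue(marker, out owner)
            && string.Equals(owner, context.User.Identity.Name, StringComparison.Ordinal);
    }
}

// Runs once session state is available for the request. Register it under
// <system.webServer><modules> in web.config.
public sealed class LoginMarkerModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAcquireRequestState += (sender, e) =>
        {
            var application = (HttpApplication)sender;
            HttpContext context = application.Context;

            if (context.User == null || !context.User.Identity.IsAuthenticated) return;  // anonymous: nothing to check
            if (context.Session == null) return;   // handlers without session state must not serve protected pages
            if (LoginRegistry.IsLoginLive(context)) return;

            // The auth cookie decrypted fine but no live login backs it: stale or replayed cookie.
            FormsAuthentication.SignOut();
            context.Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
            application.CompleteRequest();        // stop the pipeline so the protected page never renders
        };
    }

    public void Dispose() { }
}
```

Re-running the second walkthrough against this code: the attacker's replayed .ASPXAUTH cookie still decrypts to the user's name, but the request arrives either with the abandoned session (marker gone) or with a brand-new session (no marker), so IsLoginLive is false and the module signs the request out and redirects to the login page.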