Should I reset a users session after the user is logged in? - servlets

Which one should I use when creating a new session for the user after he has logged in to the system?
req.getSession().setAttribute("user", user);   // keep the session the server already issued
or
req.getSession().invalidate();                 // drop the pre-login session
req.getSession(true).setAttribute("user", user); // start a brand new one and bind the user to it
EDIT
The first one associates the user with the session the server issued on the first request, and the second one creates a brand new one.
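The difference between the two variants, as an added example that is not part of the question or of any servlet container: a constructed in-memory store models req.getSession() and invalidate(), and demo() runs both login variants on a session id that existed before the password check. The second variant is the one to prefer, because an id that was known before authentication must not become the authenticated session (session fixation), and only the attributes you choose to carry over survive the rotation.

```python
import secrets
# In-memory stand-in for the container's HttpSession table (constructed for
# this example, not servlet code): session id -> attribute dict.
class SessionStore:
    def __init__(self):
        self._sessions = {}

    def get_or_create(self, sid=None):
        """Like req.getSession(): reuse a known id, otherwise issue a fresh one."""
        if sid in self._sessions:
            return sid
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {}
        return new_sid

    def attrs(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)

def login_keep_session(store, sid, user):
    """Variant 1 from the question: bind the user to the pre-login session id."""
    store.attrs(sid)["user"] = user
    return sid

def login_rotate_session(store, sid, user, carry_over=("cart",)):
    """Variant 2: invalidate the pre-login session, start a fresh one, copy only carry_over."""
    old = store.attrs(sid) or {}
    kept = {k: old[k] for k in carry_over if k in old}
    store.invalidate(sid)
    new_sid = store.get_or_create()
    store.attrs(new_sid).update(kept, user=user)
    return new_sid

def demo():
    """Run both variants on a session whose id existed before the password check."""
    out = {}
    for name, login in (("keep", login_keep_session), ("rotate", login_rotate_session)):
        store = SessionStore()
        pre_login = store.get_or_create()
        store.attrs(pre_login)["cart"] = ["item-1"]
        sid = login(store, pre_login, "alice")
        out[name] = {
            "id_changed": sid != pre_login,
            "old_id_still_valid": store.attrs(pre_login) is not None,
            "cart": store.attrs(sid).get("cart"),
            "user": store.attrs(sid).get("user"),
        }
    return out
```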

Related

How to maintain a profile id throughout my application after login

In my application, after the user logs in, I show only that user's information. For that I created a user profile table and gave each user a unique profile id.
My question is how to maintain a unique profile id throughout my application after user login. After a successful user id and password check, I am creating a cookie and storing the id in a session variable.
Is it good to maintain the id in a session variable or in a cookie?
Session variable. If the user login is valid, you can create a Session variable and assign it a value of "member". Create another session, assign it the value of the user's id (using a datareader). Then on the user's profile table, in the Page Load event of the user's profile webform, you can check if Session["something"] == "member", and if so you can create an SQL connection to the users database, select * from users where user id = session["user_id"] (the session variable created previously that contains the user id of the user that managed to log in), and you can display the user data using a datareader.

How to double-check user credentials against SQL database in ASP.NET Forms Authentication

I'm setting up Forms Authentication for the first time.
I am validating the username and password (hashed) against a local SQL database.
All of this is working fine in my logon.aspx file in a ValidateUser() function.
I am also allowing the logon criteria to be persistent so the user does not have to re-enter their credentials when they return to the page.
The problem is, when the previously logged-in user returns to my site and the cookie/ticket is used, my ValidateUser() function is not called, SO... if I have deactivated the user or changed the user's password, the user still gets logged in.
I've considered doing this in Application_AuthorizeRequest or Application_PostAuthorizeRequest in Global.asax, but I would also like to set some session variables at the time I re-verify the credentials against the database and the session is not yet created when these are called for the first time when a user logs in.
Any advice would be greatly appreciated.
The first time the user is authorized, create a session for that user, e.g. Session["Username"]. Check the session whenever he enters any page; if the session is not present, redirect him to the login page. After that, when he logs out, abandon that session.
So whenever he wants to access the site next time, he has to log in again.

Avoid two or more login with the same user at a time using FOSUserBundle

I'm trying to avoid two or more logins with the same user at a time using FOSUserBundle in Symfony 2.4. I don't know how to access the info related to authenticated users, or how to log out if the user who recently logged in was previously authenticated.
What am I missing?
[edit]
Reading your question again, I am not sure what you want. The answer I wrote below keeps the latest login alive and logs the older logins off.
[/edit]
A user that is logged in has
a) started a session on the web server
b) identified himself by entering a correct username and password combination.
Knowing that, we also know that a user that is logged in has a variable stored in the session (probably user_id).
Now if you want to log out other sessions (with the same user_id) when a user logs in in another session, you do have a problem, since sessions are not made to share information with other sessions.
The solution could be to add a column to your database 'users' table that can hold a random hash. Then when a user logs in, you need to save a new hash in the database and also save the hash into the session.
Then, secondly, you have to compare the session hash with the database hash for every new request. If the two are different and the user is still logged in, then you have to log the user out.
I think you can make this work with the following event listeners (but I never tried to accomplish this):
security.interactive_login
kernel.request

ASP.net forms authentication - admin kill a single user's session

A slightly odd question came through to us. Is there a way to programmatically cause a single user to be 'logged out' when logged in as another user (e.g. as an administrator)?
e.g. An admin on stackoverflow would decide that I should be logged out, click a button, and then I would be forced to log in again on my next SO request.
This is for a site using standard forms based authentication running ASP.net.
Because the authenticated sessions depend on the cookie, they don't know about each other.
So you need to track the logged-in users, maybe along with their roles, and perform a check at the beginning of every request.
You start by tracking:
user A - role 'admin' logs in. Create a row in the db.
user A - role 'manager' logs in; now you mark the row from step 1 as expired, and create a new row for user A - role 'manager'.
user A - role 'admin' attempts to perform some action. In the begin request method, you verify whether this session is marked for expiration. If it is, simply log out, remove the row from step 1 and redirect to login.
user A clicks logout; remove the user A - role 'manager' row.
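The server-side check described in the FOSUserBundle answer (a random hash in the 'users' table compared on every request) and in the answer above (mark a row as expired and check at the beginning of every request), written as an added Python model that is not code from FOSUserBundle, Symfony or ASP.NET. USERS and SESSIONS are constructed in-memory stand-ins for the database tables; check_request() also covers the deactivated-account case raised in the Forms Authentication question.

```python
import secrets

# Constructed in-memory stand-ins for the 'users' table and the server-side
# session table; not code from FOSUserBundle or ASP.NET.
USERS = {"alice": {"active": True, "login_token": None}}
SESSIONS = {}   # session id -> {"user_id": ..., "login_token": ...}

def login(user_id):
    """Issue a fresh session and a fresh per-login token, stored in both the
    user row and the session. Older sessions for this user now hold a stale token."""
    token = secrets.token_hex(16)
    USERS[user_id]["login_token"] = token
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "login_token": token}
    return sid

def check_request(sid):
    """Run at the start of every request (kernel.request / BeginRequest).
    Returns 'ok', or the reason the session was torn down."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "no-session"
    user = USERS.get(sess["user_id"])
    if user is None or not user["active"]:
        reason = "deactivated"          # account disabled since login
    elif user["login_token"] != sess["login_token"]:
        reason = "superseded"           # newer login elsewhere, or admin revocation
    else:
        return "ok"
    del SESSIONS[sid]                   # the invalidate() / Session.Abandon() step
    return reason

def admin_force_logout(user_id):
    """Admin button: clear the stored token so every live session fails the check."""
    USERS[user_id]["login_token"] = None

def logout(sid):
    """Normal logout: drop only this session's row."""
    SESSIONS.pop(sid, None)
```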

Are two ids generated for a session?

I have a question on sessions in ASP.NET. I am making an ASP.NET application and I am using the session for storing user_id and password. I learnt that the session is the particular time for which a user can interact with the application. I also learnt that I can use in-process or out-of-process storage, like state server and SQL server, for storing the session. When the user first hits the server, a unique id or token is stored on the user side in cookie form, or if cookies are not enabled then a munged URL is used for further communication with the server. So I am confused on the point that in my application I am taking userName in one session and password in one session and one more session for storing some value, so I want to know whether for each session I am using in the application a unique id (token) is generated, or one single token is generated per user for that application even if we are using any number of sessions in it.
I want to ask something like this:
Session["userNme"] = userName;
Session["password"] = password;
So I want to know: when a user logs in, their user id and password are saved in the session, and on each page both user id and password are checked; if the session has expired they are sent to the login page. So when the user logs in, are two tokens generated, one for userId and one for password? Is that true?
Your confusion comes from mixing up sessions and session variables.
What you are using is session variables, not sessions. There is only one session object for each user, and that object can contain several session variables.
As there is only one session object per user, there is only one session id per user.
The session objects are stored on the server (or on a state server) and the session id connects one user with one session object.
The session object has an Items collection that contains the session variables, and it's the variables in this collection that you are accessing when you put brackets after the session object.
So, your code is a shortcut for this:
Session.Items["userNme"] = userName;
Session.Items["password"] = password;
