Asp.net session when the user is unauthenticated - asp.net

I have a webforms asp.net page that displays search results. I would like to store the search results in session until the user performs a new search. User can search on the website even if unauthenticated. I have two web servers behind the F5 load balancer. The load balancer maintains sticky session irrespective of web app authentication.
So my question is: am I doing anything wrong in this process? Should I not be storing search results in session if the user is not logged in? Is there anything wrong with this approach?

Related

Website is redirecting back to login page after successful authentication

I have a website in production server, asp.net webforms using Asp.Net Identity system.
Sometimes, when users try to log in, it redirects them back to the login page after successful authentication, thereby denying them access to the user dashboard and other secured pages.
The temporary solution to this is for me to Recycle Application Pools in the hosting server (via plesk). But it appears again after some time. Sometimes before 24hrs or more.
The issue most often occurs when multiple users are getting logged in at a range of time... From my observation.
I don't know the main cause of the issue and I'm seeking a permanent fix to it. What could be the issue? How can I resolve this?
Useful hint:
After authentication at the login page, I usually create a response cookie which holds another value which I use to keep track of the user. If the cookie expires, I redirect the user back to login. I usually check for the existence of this cookie on the master page for each page load. So I don't know if this could be a possible cause. If it is, what's the best practice to employ?
I've tried checking the cookies being set if it's the possible challenge, but no success.

Prevent multiple login of same account in Asp.Net MVC5 Razor application

I am working on Asp.Net MVC 5 Razor application. I am using my own database for authentication and keeping data. Now I have a requirement that user with same credentials cannot log in to different devices.
I mean user cannot be logged in from mobile and computer same time. He has to log-out at least from one device before logging in to other device.
I have done research, but in vain because most of them are for Web Forms application and are using membership table.
Any help?
He has to log out at least from one device before logging in to the other device.
Don't do that. When someone clears their browser cache, they lose all relation to their session, so they're not logged in anymore and thus cannot log out. When their IP changes (if you bind a session to an IP), they can't log out either.
Just do this: upon logging in, invalidate all previous sessions for that user.
How to implement this depends entirely on how your custom authentication works, so I can't comment on that.

ASP.NET LoginStatus control shows "Login" even though logged in

In my ASP.NET project, I am using Forms authentication. My main.master uses a LoginStatus control and web.config is set up for "Forms" authentication mode.
Before I log in, the control shows the text as "Login." After I log in, the control shows the text as "Logout." This is expected. However, after clicking around on a few links within the site, the control suddenly starts showing "Login" although I am still logged in. The session is still alive, as some of the pages I visit dump some session information.
Would appreciate it if someone can point me in the right direction. Regards.
If you are trying to redirect after setting a Session variable using
Response.Redirect("YourPage.aspx");
this may be causing the session token to get lost; try using the overloaded version of Redirect: Response.Redirect("~/YourPage.aspx", false);
Another problem may also be misconfiguration of the application pool. If the application pool is configured as a web farm or a web garden (by setting the maximum number of worker processes to more than one) and if you're not using the session service or SQL sessions, incoming requests will unpredictably go to one of the worker processes, and if it's not the one the session was created on, it will get lost.
The solution to this is either not to use a web garden if you don't need the performance boost, or to use one of the out-of-process session providers.
For more information you can check the link of the original article below: http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_

Authenticating a user for a single app with multiple domains

I have one asp.net web application, but two different domains point to this web app. For instance: www.one.com and www.two.com both point to the same web app.
I have an issue where I need certain pages to be on a specific domain (due to some security requirements from our online payment provider - a third party website). So let's say page1.aspx needs to be called on www.two.com
The process is as follows:
A user logs into www.one.com
The authentication cookie is saved to the browser
The user then navigates to page1.aspx and, if on the wrong domain, gets redirected to the correct domain. (this redirection happens on page1.aspx in the page_load event)
Then asp.net redirects the user to the login screen, because the authentication cookie is not sent to www.two.com.
How can I track the user and keep him/her logged in between the two domains?

ending users asp.net session

Can I end some user's session in an ASP.NET Webform application if I have the user's SessionId? I would do this as a web service call.
The line:-
HttpContext.Current.Session.Abandon();
will end the user's session. You would need to do this by injecting the correct ASP.NET session cookie in the request if you are not calling this from the client that is already using the session.
If you wish to terminate a user's session then you can call a page method via AJAX that calls Session.Abandon() and, upon completion of the call, redirect the user to the login page.
You have potentially three options.
If you are using a SQL Server database to house your session state, you can easily navigate through that and delete the row specific to that user, thus clearing their session.
Add code to your base page to check a file or database to see if that user's session should be cleared.
Since you know the user's session id, you may be able to visit the site yourself and then hack your ASP.NET Session cookie to have your session id be the same. Then you'd have to visit a page that calls the Session.Abandon(); call. Though I am not sure if security limitations on the .NET side would allow this.
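One way to do what two of the answers above describe, namely invalidating a user's earlier sessions at login (the MVC5 answer) and ending a known user's session from a base-page check rather than by re-using their session id (the second option in the answer just above), as an added C# example that is not code from any post on this page. SessionRegistry and SecureBasePage are hypothetical names; the login page is assumed to store Session["UserId"] and Session["SessionToken"] = SessionRegistry.IssueToken(userId) after verifying credentials.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web.Security;
using System.Web.UI;

// Hypothetical registry of the one session token currently valid per user.
// Behind a load balancer with two servers (as in the first question) this must
// live in SQL or a shared cache; the in-process dictionary is for one server.
public static class SessionRegistry
{
    private static readonly ConcurrentDictionary<string, string> Current =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);
    // Called once credentials are verified. A fresh token makes every earlier
    // session stale, so the old device is logged out on its next request.
    public static string IssueToken(string userId)
    {
        string token = Guid.NewGuid().ToString("N");
        Current[userId] = token;
        return token;
    }
    // Web-service side: ending a user's session needs only the user id,
    // not their ASP.NET_SessionId cookie.
    public static void Revoke(string userId)
    {
        string removed;
        Current.TryRemove(userId, out removed);
    }
    public static bool IsCurrent(string userId, string token)
    {
        string live;
        return token != null && Current.TryGetValue(userId, out live) && live == token;
    }
}

// Base page for protected pages: each request re-checks the stored token.
public class SecureBasePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        string userId = Session["UserId"] as string;
        string token = Session["SessionToken"] as string;
        if (userId == null || !SessionRegistry.IsCurrent(userId, token))
        {
            Session.Abandon();
            FormsAuthentication.SignOut();
            Response.Redirect("~/Login.aspx", false); // no ThreadAbortException
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

The redirect uses the two-argument overload plus CompleteRequest(), the pattern the LoginStatus answer above recommends, so the abandoned session is not left half-written.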
