How can we add session id to link page - asp.net

I downloaded one sample of asp.net.
And when I ran it, I saw a link like this:
http://localhost/(S(1uld2ekua0uuilxlw15zguus))/login.aspx
Can you tell me where we have the string "(S(1uld2ekua0uuilxlw15zguus))"? I checked in the web.config, global.cs but I still don't know where we configure it.
I would very much appreciate your help.
Thanks.

The string is session id.
What is session id?
Session Id is a unique ID generated by asp.net, to identify the current session.
You are seeing it in a link because, in the web.config file, you'll have this:
<system.web>
<sessionState cookieless="true"></sessionState>
</system.web>
If you don't need that in the URL, you can just set cookieless="false".
So, it becomes:
<system.web>
<sessionState cookieless="false"></sessionState>
</system.web>
Now, the session id will be stored in a cookie.

Related

ASP.NET Session state has created a session id, but cannot save

I get error below,
Session state has created a session id, but cannot save it because the
response was already flushed by the application.
But I don't use Session anywhere. My application works as an API and it doesn't use session state.
And in Web.config
<system.web>
<sessionState mode="Off"></sessionState>
</system.web>
Why does this error occur on every request?
I have read the topic below, but he uses session state and I won't:
What's causing “Session state has created a session id, but cannot save it because the response was already flushed by the application.”
Thanks
Try also removing the session module in web.config:
<httpModules>
<remove name="Session" />
</httpModules>
After that, there is always the possibility that some part of your code, or other code that you include in your application, tries to use session -

shared session-state over subdomain

I read thousands of docs but nothing worked for me.
1) What I want : on my server-side I used the following variable :
(string)Session["myData"]
2) When I changed the subdomain
www.myDomain.com/myPage.aspx
OR
myDomain.com/myPage.aspx
OR
myUser.myDomain.com/myPage.aspx
My problem: I lose the Session data when I go from one of those domains to another.
3) I want to keep the session-state only with cookie and inproc mode :
<sessionState mode="InProc" cookieless="UseCookies" cookieName="myDomain.com" timeout="10000"> </sessionState>
<authentication mode="Windows"/>
I added in the web.config :
<httpCookies domain="myDomain.com" />
or
<httpCookies domain=".myDomain.com" />
or
<httpCookies domain=".myDomain.com" httpOnlyCookies="true" />
But nothing worked.
Thanks for any advice.
Short answer, you can't fulfill all of your criteria.
Possible solutions:
Redirect any request with an incoming domain of "xxx.myDomain.com" to a common "www.myDomain.com". This may involve changing "myUser.myDomain.com" to "www.myDomain.com/default.aspx?&user=myUser". Because it's a redirect, your user will see the address in his bar change, and will therefore gain some knowledge of the sausage-making behind your website (useful to attackers).
NEVER refer to your domain explicitly from within your own site. All URIs should be relative to the root of your web structure. This should allow you to avoid changing domains and thus losing your session state.
Use SQLServer to manage session state: http://support.microsoft.com/kb/2527105. This will require changing your session handling from InProc with cookies to SQLServer, as well as some other config changes.

.ASPXROLES membership roles cookie expiry

Using ASP.NET 2.0, with forms authentication.
Just for a test, I configured the roles cookie in web.config like this :
<roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPXROLES" cookieTimeout="2"></roleManager>
I wanted to see what would happen when the cached role cookie expired.
Using Fiddler, after 2 minutes had elapsed, I could see that the raw value of the role cookie had changed.
I was expecting that on expiry, ASP.NET would simply re-read the roles information from the database, and repopulate the cookie with the same value. So my question is, why would the raw value of the cookie change after expiry? The cookie value is not human-readable (base 64 encoded and/or encrypted?), so I can't tell if the information in it is the same, although the application still seems to work fine.
EDIT :
It looks like each time the roles are encrypted and cached in the cookie, it gets a different raw value.
e.g. if you run the following code :
RolePrincipal rp = (RolePrincipal) User;
string str = rp.ToEncryptedTicket();
Label1.Text = str;
You get a different value each time.
So the behavior seems normal.
Well the aspxroles cookie only pertains to role queries on the user. Unless you're doing things with the roles that would cause it to function differently (web.config auth?) then you're not going to see anything by expiring the cookie.
Can you share your web.config and basic pages that you're using to test this?
Have you tried that particular configuration to see what changes after the expiration?
<location path="img/logo.png">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="CanSeeLogo"/>
</authorization>
</system.web>
</location>
Based on the question edit:
In my web.config under <configuration><system.web> I have this key:
<machineKey decryption="AES" decryptionKey="{64bits random hex}" validation="SHA1" validationKey="{128 bits random hex}"/>
I'm curious if you set that "manually" if you'll have a constantly changing encrypted string. Also, this is set by default in your C:\Windows\Microsoft.Net\Framework\etc folders, but you can redefine it (obviously) in your web.config to override it per application. This also allows you to share the same cookie cross-app within your domain.
Link to generate random hex strings
https://www.grc.com/passwords.htm
concat the first result from two page refreshes for the second one. Removing the web.config key later doesn't impact your app negatively (of course it wouldn't)

including a connection string generates error in asp.net site

I have set up a small SQL Server database for users to login and also create accounts. There is a problem with the connection string though. Whenever I use the connection string below in the web.config file I get a server error page and cannot view the website. However when I take out this connection string I am able to view the website albeit the database doesn't work. Any ideas would be greatly appreciated.
<configuration>
<appSettings/>
<connectionStrings>
<addname="ConnectionString" connectionString="Server=.\SQLEXPRESS;Database=medicale_Members;User ID=user_admin;Password=medicalmembers;"/>
<connectionStrings/>
<system.web>
Unsure if it's a typo in your question, but you need to ensure your connection string element looks like:
<add name
rather than
<addname
Ensure you close your element with
</connectionStrings>
Change it to:
</connectionStrings>
Also, as another person mentioned, change the add to:
<add name ... />

Response.Redirect in Application_AuthenticateRequest RawUrl

I am using a Response.Redirect in global.asax.cs.
When the page loads the RawUrl property contains an encoded directory of some kind.
"/(F(D7zFAWNl_SpT-cuyRXksIZnvwBB_bYfBl3ens83McZjPg9zLBvcjvik6FkwBNhnjeK-faeUt6PUYOZSsYXKdg4hi4IDPTDO5diQf693NLpw1))/Integration/Workflow.aspx"
Where does this horrible directory come from?
It's breaking a bunch of user controls on the target page which use the RawUrl to get path information.
Why would Response.Redirect invent this horrible path and add it?
Is there any way around this?
Thanks
Craig
"(F(D7zFAWNl_SpT-cuyRXksIZnvwBB_bYfBl3ens83McZjPg9zLBvcjvik6FkwBNhnjeK-faeUt6PUYOZSsYXKdg4hi4IDPTDO5diQf693NLpw1))" is your session id or auth. id stored in your URL and not in a cookie. You can change this in your web.config file.
It is the setting that is taken from the web.config, as in the following location:
<authentication mode="Forms">
<forms loginUrl="~/en/Access/Login" defaultUrl="~" cookieless="UseUri" timeout="2880" />
</authentication>
If you set cookieless="UseUri", your session details will be appended to your URL instead of being stored in a cookie.
Set cookieless="UseCookies" or remove the cookieless attribute to use a cookie instead of the URL for session details.
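
Both cookieless answers on this page (the sessionState setting in the first answer and the forms setting above) put a live session id or forms ticket in the URL, where it ends up in browser history, server and proxy logs, and Referer headers. The following audit sketch is an added example, not code from the original posts: it flags those settings in a web.config and strips the token segment from URLs before they are logged; the function names, finding labels and sample config are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# cookieless values that always put the id in the URL, and values that may
# do so depending on what ASP.NET decides about the client.
ALWAYS_URL = {"true", "useuri"}
MAYBE_URL = {"autodetect", "usedeviceprofile"}

# Path segment as it appears on this page: /(S(...)) or /(F(...)).
TOKEN_SEGMENT = re.compile(r"/\((?:[SF]\([^()]*\))+\)")

# Constructed sample combining the two settings quoted in the answers.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <sessionState cookieless="true"></sessionState>
    <authentication mode="Forms">
      <forms loginUrl="~/en/Access/Login" cookieless="UseUri" timeout="2880" />
    </authentication>
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return (element, value, finding) for each risky cookieless setting."""
    findings = []
    root = ET.fromstring(xml_text)
    for tag in ("sessionState", "forms"):
        for element in root.iter(tag):
            value = element.get("cookieless")
            mode = (value or "").lower()
            if mode in ALWAYS_URL:
                findings.append((tag, value, "id-in-url"))
            elif mode in MAYBE_URL:
                findings.append((tag, value, "id-in-url-possible"))
    return findings


def redact_url(url):
    """Remove the token segment before logging; return (clean_url, had_token)."""
    clean, count = TOKEN_SEGMENT.subn("", url)
    return clean, count > 0


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_CONFIG):
        print(finding)
    # Constructed URL in the shape shown in the question above.
    print(redact_url("/(F(CONSTRUCTED-TICKET))/Integration/Workflow.aspx"))
```
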

Resources