Am running web application just login and logout process,when i finished login process,within in a second clicked logout process,but in sql server activity monitor still showing previous session.
Again refreshed same page same process repeated , its working perfectly . i was tested for 5 concurrent users same as session not closing .
checked web config , and other connectivity sources but didnt get solution for this , if anyone have experience share solution for this problem .
store userid at the time of login in session. Remove the session in logout click
Session.Abandon();
and in the page load of master page check whether session is null or not
if(Session["uid"]=="")
Response.Redirect("~/Login.aspx");
Related
Working on an internal portal, we needed certain things about a user stored so we created our own WebUser/WebUserStore but I've hit a weird issue and I was hoping someone would have run into this before.
Being ASP it's a lot of code strewn throughout, so I won't bother pasting it all here. But here is the issue:
Any number of users can login to the home screen.
If any user navigates to a page that makes any session call (either
setting or Session.Remove()) then no more users can log in, the login
page just flashes and you're back at the login screen.
Any user that was logged in while the one user trigger the session will still be able to log out and in and out and in, as long as they still have the ASP.NET_SessionId cookie.
If you delete the ASP.NET_SessionId cookie then that user will get stuck on the login screen as well.
Hacky fixes that may help pinpoint the problem (each of these stops the issue):
Recycling the application pool in IIS resets it so everyone can log in again.**
Setting the following (but you get the nasty url):
<sessionState mode="InProc" cookieless="UseUri" />
Add this right before calling the IdentityHelper.SignIn(...).
Session["ANYKEY!"] = false;
Just adding this empty event to the global.asax.cs
void Session_Start(object sender, EventArgs e)
{
}
This is also on a per-browser basis. So on one machine with 3 different browsers you can replicate the issue using only 1 user. Once you trigger a session call in one browser, the other browsers if they weren't logged in (and had the ASP.NET_SessionId cookie) are now locked out.
Stepping through the login process wasn't revealing anything, everything is normal and fires all the way through authenticationManager.SignIn(...) any seems fine but is mystically not actually authenticated and returned to the login screen?
Can anyone think of what's wrong so that as soon as I touch session all users can't login, and only the ones who already have their session cookie can continue logging in and out?
Hi all we are building a portal at work. When the user logs on to the portal he/she can press a button which will re-direct them to a peoplesoft webpage. This works fine however when the user only closes the tab in the peoplesoft webpage and doesn't sign out he/she has an issue re-visiting the peoplesoft page again. For example; user logs on to portal --> clicks button -->( (A)cmd=pslogin logs in if required) redirected to peoplesoft page -->closes tab (doesn't sign out)--> goes to tab with portal --> click button --> peoplesoft page doesn't load blank screen comes up. The blank screen that comes up is the same as the one from before (A) however nothing appears. I think the issue is that when the user closes the tab without logging out the session/cookies on the local machine are never removed. Thank you
Your portal probably uses bypass signon. This enables a guest user to automatically be logged in as a default user. When that person is signed into PeopleSoft cookies get set, one of which is a session timeout cookie. When the person revisits the site without logging out they still have that cookie and PeopleSoft sees they had a now invalid session and sends them to an error or login screen.
Are you linking directly to a tab page or some other component URL?
I am using forms authentication with Asp.Net 4. At the moment when the users click on logout link, I clear the session and call FormsAuthentication.SignOut() and this prevents the users from going back to the site without a logging in again.
Now I want to kill the session when the browser or tab is closed. I tried doing this by handling onbeforeunload event, but I ended up killing the session after clicking any internal links.
Any ideas how I can do this?
You can't, but you can come close to.
The authentication cookies are session only, that means that delete by browser when the browser close. Maybe you do not close all browsers tabs, but if you close them all the authentication cookies are lost.
About closing a tab, you do not know if the user have other tab opens.
A possible solution maybe is a call every 10 seconds back to the server to keep this authentication active or not, and set the authentication to end up after 20 seconds. So if not any signal come back, the user have gone. This can be done using javascript. From the other hand this can not let the user logout after some minutes of inactivity, so you may need a combination of this logic with something else.
The best you can do is when your user explicitly logs out to also call Session.Abandon() to remove that user's session. But like others have said there is no way of knowing if the tab/window just closes without doing a logout in this fashion. The session will just hang around on the server until it expires.
I answered another question that had a problem with session being killed when the user edited the web.config on a live site. They were tracking users still being logged in with Session variables (dangerous). But came up with a solution (untested solution) that could help people here.
FormsAuthentication allows you to maintain a person being active and logged in indefinitely. But if they become inactive for e.g. 20 mins they will be logged out which is nice. But to have them logged out at the time the close their browser is not possible (wait for it...) as setting the timeout value to 0 would cause them to be constantly logged in then out again.
So solution : at the time you log a person in using FormsAuthentication you could also set a standard session variable cookie that will be deleted when they close their browser. This cookie would have non-identifying non-account related information. Just a simple "loggedIn:yes".
Now all your code would need to have on it's masterpage/materlayout is a high level call in the page cycle or constructor of the page cycle (or even a custom attribute) that would check both cookie and the user identity:
if(!HasLoginCookie() || !System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
{
// redirect user to log in page.
}
Basically if the cookie is removed when the browser is closed, you will redirect the user to the log in page.
Hopefully that helps (and works. As I said untested).
Can anyone tell me how can i start the session timeout after click of Login Button.
In my case the moment i run the application and go to Login page the session timeout is getting started but in my case i need to start the session timeout once click of Login Button in LogOn Screen.
and one more thing related to above issue the moment session expires and it redirects me to Login Screen(that is fine) but it makes me to enter Login Credentials twice and once i enter the credentials second time then it takes me to further pages.
Awaiting for your response. Thanks.
For your information session timeout will reset automatically after every event performed by the user, so you should not be worried about that, when user click on login button it will reset the session timeout.
You don't need to worry about the Session timeout. Session always initiates at your application's startup but the Session timeout resets on any postback or any request to the server.
Session would appear to be the wrong thing for what you are trying to achieve. Either a custom timer object embedded in the session would work, or forms auth tickets which would start when you logged in.
Simon
I have an asp.net website using the SQL ASP.net membership system. When users are logged in to the website and are inactive for 20 minutes, they get sent to the login page on the next page request. I would like to show some text on the login page that says "you were logged out due to inactivity" when this happens. Is there a built-in way to do this? Or any other ways I could distinguish why the user has been sent to the login page (for inactivity or some other reason)? I have scoured SO and Google but haven't been able to come up with anything.
The reason we need to do this is because we recently migrated from a previous version of the website that was lax about security and didn't have auto logout, so we're getting lots of feedback from users thinking there's something wrong with the website when they are prompted to login again.
Thanks in advance.
It is better to use javascript for this and be proactive about it, showing the timeout remaining if possible otherwise just alerting the user with a messagebox showing that his session has timed out and then redirecting him to the login page. Have a look here for a simple example.
To redirect him to the login page add the following to the below line as in the example:
alert("Your current Session is over."); window.location = "YourLoginPage.aspx";
For purposes of closure, I'll answer my own question. I couldn't find a clean way of doing what I'd like, so I ended up setting a cookie with the login time after the user logs in. Then on the login form page, I see if the login time in the cookie is greater than 30 minutes old (my auth timeout in asp.net) and display a "logged out due to inactivity" message. Otherwise it doesn't display the message.
Not great, but it seems to work. Satisfies the requirement for the vast majority of our users.