OK I have a problem im not sure how to handle.
I have an asp.net vb website with MSSQL on the backend. For every page, in the pre-init, it checks to see if the session("UserID") is logged in. If its logged in, it loads, if not, it brings you to the login page.
One of my pages has a textarea that someone could spend 15 minutes writing in, after they are done, they hit save and it is suppossed to upload the data from the textarea to the database, which it does if they are logged in.
Where I am running into problems, is I will be uploading new webpages to the site which kicks all users off the site and forces them to relogin.
I know it would be a security flaw to let them write to the database without loggin in.
Is there a way I can do something different like save that textarea locally to their computer? Or some other way that I am not thinking of?
What you can do is configure the session state to use Sql Server. In your web.config
<configuration>
<sessionstate
mode="sqlserver" .....
This way the session will remain active when you upload new webpages which causes the web application to restart.
Users are getting kicked off because when you deploy new pages, Host process restarts. and as you are using InProc sessions(assumption), sessions stored in memory are lost.
instead of storing sessions in memory you can store them in database. and whenever a user does a postback, check his session validity against database.
You should post or notify your users when you are going to be making site changes, and do it at a time that you don't expect many users to be on your site (like 2am on a Sunday morning). (this may be obvious, maybe not - I'm not trying to sound like a jerk :D )
That being said, you could do ajax posts every few minutes that would allow partial saving of their work so that if you DO boot them all off, they would only have a few minutes of work lost.
You could also set up a secondary service that holds your database transactions until the main database is available to be written to. Essentially have your pages send their information to a server and write it to a temp database - have that system run chron jobs that check to see if your main DB is up, and then send all of its updates when its up again.
When you update the site it essentially kills all of their sessions - I have heard that there is something you can do to preserve sessions across updates like that, but I believe its MVC3 related.
Good Luck.
Related
I have a web application (.net VB code) that utilizes session variables to store the username (here login name) and the profile (admin/client), authentication is handeled by asp membership. The application then relies on these session variables on the load events. This application has been running fine for a couple of years. However, recently users complain about occasional error messages after logging in and attempting to load a new page that needs one of these variables. It happens most frequently Chrome, but also IE and Firefox.
Users that experience the error need to log out and clear the browsing history, after that it works again. The error is not easy to replicate - I was able to trigger it on my machine 'violently' using the 'back' button a couple of times that eventually tripped it - then I had to clear my browsing history to get the application to work again.
What might cause this to happen?
the session gets set on the load event of the 'login' page with 'Session("Type") = "Admin"' and subsequent pages check for the value of Session "Type"
I understand that I could use a cookie instead, but I chose not to for security reasons. Could this be prevented using a cookie instead? or do I need to use the membership.getuser method to get the username and then look up the values in the database? That does not seem efficient.
Ideas?
FYI, the ASP.NET Session ID is stored in a cookie that travels back and forth with each request/response. The actual session state values for a given session are not stored in cookies ... they are stored on the server only. They could be stored in memory, or in a SQL database, depending on how you've configured ASP.NET Session State.
But Session State can get destroyed for a variety of reasons. IIS might suddenly decide to restart your Application Pool, for example, in which case all your Session State would be gone.
Basically, you need to write your web app to always handle the possibility that Session State may be empty. If it is empty, then you probably need to redirect the user to the login screen to enter his credentials again.
Clearing the browsing history should have no effect, so I can't explain why that would help get past the problem.
In my ASP.NET project, I am using Forms authentication. My main.master using LoginStatus control and web.config is set up for "Forms" authentication mode.
Before I log in, the control shows the text as "Login." After I log in, the control shows the text as "Logout." This is expected. However, after clicking around on a few links within the site, the control suddenly starts showing "Login" although I am still logged in. The session is still alive as some of the pages I visit dumps some session information.
Would appreciate if something can point me in the right direction. Regards.
If you are trying to redirect after setting a Session variable using
Response.Redirect("YourPage.aspx");
this may be causing the session token to gets lost, try using the overloaded version of Redirect:Response.Redirect("~/YourPage.aspx", false);
Another problem also may be miss configuration of application pool. If the application pool is configured as a web farm or a web garden (by setting the
maximum number of worker processes to more than one) and if you're
not using the session service or SQL sessions, incoming requests will
unpredictably go to one of the worker processes, and if it's not the
one the session was created on, it will get lost.
The solutions to this is either not to use a web garden if you don't need the
performance boost, or use one of the out of process session
providers.
For more information you can check the link of the original article below: http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_
We have a web application through which customers access information. It has been reported by many customers that they are logged out within 5 minutes of no activity. I believe this should only occur after the default 20 minute idle timeout, and this is the case when accessing the web app from inside our domain.
I also spent a few days troubleshooting an error in which some of the user's session data was lost between post backs about 60% of the time, causing an application error since the next page needed the data. The only resolution was a work-around in which I use an additional mechanism for caching the data between postbacks and pull the data from that cache if the session data is gone.
I have also noted that some websites that I visit which require logon credentials will also kick me out between postbacks. For example, a website for a school I take classes at requires logon credentials to their portal. At home I never have any issue, but if I access it from my work domain I often get random errors indicating that my credentials have been lost (i.e. "Unauthorized access is not permitted" after logging in and browsing to a page).
Combing the web for ideas has led me down a few paths, but most address the IIS worker process and ASP.NET and have not helped me.
Does anyone have any ideas or suggestions about how to resolve this?
this is not because of the programming problem...this is because of your host capacity...as you know session are a type of memory that is create for each user when they access to your website and it's terminated when they finish visiting...so in this case I suppose the number of site visitors has risen up,so by default when the memory become full, it kicks one session out and causes all these problems...I think the best thing to do is calling where you get your host services and ask for a service that cover sites needs
You just store your session value in to cookie so you can access that value when session terminate.. or you can use global file to manage session state..
I have the oddest situation...
On my ASP.NET website when the application pool recycles the user is logged out. This is fine. I know this is suppose to happen. But when the user logs back in and selects any link within the website, they are logged back out immediately. They consistently get logged out. I don't know what causes this and I don't know how to fix it.
The odd part is the work-around. If I log in from a different computer or from the IIS Server itself than the user that is getting logged out can log back in.
Does anyone have any ideas as to what is happening?
Standard Forms Authentication in ASP.NET is cookie-based and should not be affected by the session vanishing. But, you're probably relying on something in the session to determine whether or not the user is logged in. If you're using in-process session storage (and it sounds like you are), then your application code might act strangely if you get in a state where the Forms Authentication cookie still exists and is valid but the session information is missing. Instead of going to a different computer, try blowing away your cookies and logging in again, and I would presume that your issue is resolved.
One step is to move to out-of-process session storage (such as the ASP.NET State Server, which is simple to use with a few config changes) or to eliminate session usage entirely (by depending on values stored in cookies, though there are security implications there to consider if these values are not encrypted). Then, take a close look at how your application code handles the condition where a login cookie is set but the session data is invalid.
It's a shot in the dark based on the information provided, but hopefully it puts you or someone else on the right track.
I discovered the problem. In the Security settings of the ASP.NET Configuration each user that logs in needed to have one of the roles defined in the "Description" field. This is very odd to me be but it seemed to do the trick. Anyone know why this needs to be done?
I have been asked to work of a very large web application and deploy it. The problem that I'm facing here is that when I deploy the application and more that 1 user logs into the system, the sessions seem to cross over i.e:
Person A logs in and works on the site, all good. When person B logs in, person A will then be logged in as person B as well.
I have been asked to work of a very large web application and deploy it. The problem that I'm facing here is that when I deploy the application and more that 1 user logs into the system, the sessions seem to cross over i.e:
Person A logs in and works on the site, all good. When person B logs in, person A will then be logged in as person B as well.
If anyone has experienced this behaviour before and can steer me in the right direction, that would be first prize, Second prize would be to show me how I can debug this situation so that I can find out where the problem is and fix it.
Some information about the application. From what I've been told and what I've seen within the app is that it started as a .Net 1.1 application and got upgraded to .Net 2 and that's why the log in system was done the way it is. (The application is huge and now complete and that's why I cant rewrite the whole user authentication process, it will just take to long and I don't know what effect it might have)
All the Logged in User information is stored in properties that have been added in the Global.asax.vb file. (could this be the problem?)
Any help here would be greatly appreciated
Sessions on the server doesn't cross over, so the actual reason has to be that there isn't actually two separate users, or that the information isn't actually stored in separate sessions.
Browser sessions
When you open a new browser window from another window in Internet Explorer, they are in the same browser instance, and thus still the same user. There is no way for the server to distinguish between the windows based on the session id, as they share the cookies and send the same id. You have to start a new instance to log in as a separate user.
In Firefox there is ever only one instance. Even if you try to start another instance, it will just open a window in the existing instance. Thus, you can not log in as separate users in separate windows.
Session objects
To store information in the user's session, you actually have to store it in the Session object. If you create properties in the GLobal object in global.asax, they are shared by all users. Even if you are in a method like Session_Start, the user doesn't have a separate instance of the Global object.
We had a similar situation in our code done by a vendor. In our case the probplem was due the use of global static variables assigned from session.
I don't suppose by any chance that when the user's identity is read from the session it's being stored in a static field rather than an instance field in a base class is it? And then being written back to the session from there? I've come across this before.