shared session-state over subdomain - asp.net

I read thousands of docs but nothing works for me.
1) What I want: on the server side I use the following variable:
(string)Session["myData"]
2) When I change the subdomain:
www.myDomain.com/myPage.aspx
OR
myDomain.com/myPage.aspx
OR
myUser.myDomain.com/myPage.aspx
My problem: I lose the Session data when I go from one of those domains to another.
3) I want to keep the session state only with cookies and InProc mode:
<sessionState mode="InProc" cookieless="UseCookies" cookieName="myDomain.com" timeout="10000"> </sessionState>
<authentication mode="Windows"/>
I added this in the web.config:
<httpCookies domain="myDomain.com" />
or
<httpCookies domain=".myDomain.com" />
or
<httpCookies domain=".myDomain.com" httpOnlyCookies="true" />
But nothing worked.
Thanks for any advice.

Short answer: you can't fulfill all of your criteria.
Possible solutions:
Redirect any request with an incoming domain of "xxx.myDomain.com" to a common "www.myDomain.com". This may involve changing "myUser.myDomain.com" to "www.myDomain.com/default.aspx?&user=myUser". Because it's a redirect, your user will see the address in his bar change, and will therefore gain some knowledge of the sausage-making behind your website (useful to attackers).
NEVER refer to your domain explicitly from within your own site. All URIs should be relative to the root of your web structure. This should allow you to avoid changing domains and thus losing your session state.
Use SQLServer to manage session state: http://support.microsoft.com/kb/2527105. This will require changing your session handling from InProc with cookies to SQLServer, as well as some other config changes.
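Option 1 above as a Global.asax.cs handler, added here as an example and not code from the original answer: every alternate host is redirected to one canonical host, so the InProc session cookie is only ever issued for and sent back to that single host. The CanonicalHost and BaseDomain values and the default.aspx?user= target are assumed.

```csharp
// Added example (not code from the original answer): redirect every alternate
// host to one canonical host so that a single session cookie is enough.
// CanonicalHost/BaseDomain are assumed names.
using System;
using System.Web;

public class Global : HttpApplication
{
    const string CanonicalHost = "www.mydomain.com";   // assumed canonical host
    const string BaseDomain = "mydomain.com";          // assumed registered domain

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        string host = request.Url.Host;
        if (string.Equals(host, CanonicalHost, StringComparison.OrdinalIgnoreCase))
            return;                                    // already canonical, serve normally

        // Same scheme, path and query; only the host changes. The target host is a
        // constant, never taken from the request, so this is not an open redirect.
        var target = new UriBuilder(request.Url) { Host = CanonicalHost };

        // "myuser.mydomain.com/anything" becomes
        // "www.mydomain.com/default.aspx?user=myuser", as the answer suggests.
        // "mydomain.com" itself (no label in front) keeps its original path.
        string suffix = "." + BaseDomain;
        if (host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
        {
            string label = host.Substring(0, host.Length - suffix.Length);
            target.Path = "/default.aspx";
            // The Host header is client-controlled input, so the label is encoded.
            target.Query = "user=" + HttpUtility.UrlEncode(label);
        }

        // 301 and end the request; nothing else in the pipeline runs for this host.
        Context.Response.RedirectPermanent(target.Uri.ToString(), true);
    }
}
```

Once every request lands on the canonical host, the session cookie no longer needs a domain attribute at all, which is also what option 2 (relative URIs only) relies on.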

In a multi web server farm, how does session state work?

CASE 1: StateServer
<system.web>
<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42626" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
...
</system.web>
CASE 2: SQL Server
<sessionState mode="SQLServer" stateConnectionString="tcpip=127.0.0.1:42626" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
Question:
1. In cases 1 and 2, the appropriate location of the SQL or state server has to be configured in web.config for each of the web servers in the farm.
Can we have some servers configured as state and some as sql?
Can we have some cookieless and some with cookies?
Suppose we use only <sessionState cookieless="true" />; then by default which of the modes is used? Can this be done in a multiserver farm, or is it necessary to specify the IP?
1.) Can we have some servers configured as state and some as sql?
No, you should not. Suppose a user makes a request; then one of the servers from your web farm will store the session in a StateServer. Now, in case the same user makes another request (by clicking some links etc.), imagine what will happen if your load balancer sends this request to the 2nd web server: there will be NO session for the same user, as you configured SqlServer mode for it and the session for the user was stored on a state server on the first request.
2.) Can we have some cookieless and some as withcookie ?
Again NO, for a very similar reason as pointed out above. One of the servers will use cookies to track the session and the other one cookieless (hence URI) to track the same session, and thus, if the request gets forwarded to different servers, NO session will be detected.
3.) Suppose we use only <sessionState cookieless="true" />; then by default which of the modes is used? Can this be done in a multiserver farm, or is it necessary to specify the IP?
Understand that this setting, cookieless="true|false", is just used to TRACK the session for a particular user between the client side and the server side.
The actual session DATA is stored on SqlServer/State Server, which is defined in your mode settings as:
<sessionState mode="StateServer|SqlServer" ... />
If you don't specify any mode setting, the default value of InProc is used.
Additional Note:
The cookie or the URI has a SessionID associated with it. SessionID is a unique string used to TRACK an individual visitor between visits to the website.
As a result of cookieless="true", the SessionID will be embedded in all page URLs. The drawback is that you'll end up with ugly URLs, which are not so good for SEO (search engine optimization), and visitors definitely will not remember them. Here is an example URL of a website which uses ASP.NET cookieless sessions:
http://samplewebsite.com/(45f8c4zyybphaw2mt3dfgnjk4j)/Home.aspx
The part in parentheses, (45f8c4zyybphaw2mt3dfgnjk4j), represents the session id, which is used to recognize a visitor.
Your question is a bit vague. If you're hosting one app across multiple servers, I would recommend sticking to one method. What if one user first connects to a server with one mode, and the next request is handled by another one? The session state would not be accessible/known to the other server.
As to your questions, the documentation is really quite clear.
cookieless does not affect mode. If you don't specify mode, the default is InProc. If cookieless is true, ASP will use the query string.

Session would not retain values and always return null

I have a website; it's completely over HTTPS. Even if someone tries to access it over HTTP, he will be redirected to HTTPS. I am using forms authentication. Recently I changed a setting to make the site more secure, and after that Session is not retaining values and is always returning null. The settings are:
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
<sessionState cookieless="false"/>
I have no idea how to fix this issue. How do I fix this issue? Also, is my site vulnerable if I do not use this setting? Consider that everything else is secure.
Your question is too general, without many clues, so I can give you some points to move on.
[1] Also set the domain on the cookies, without the www., so the cookie can be read and set even if by mistake the www is missing.
<httpCookies domain="yourdomain.com" httpOnlyCookies="true" requireSSL="true"/>
[2] You also need to set up the <forms... element with similar parameters (and whatever else you have set):
<forms name=".klidi" path="/" requireSSL="true" cookieless="UseCookies"
domain="yourdomain.com" enableCrossAppRedirects="false"
slidingExpiration="true" />
[3] You also need to set up the <roleManager element with similar parameters:
<roleManager enabled="true" cacheRolesInCookie="false" cookieProtection="All" cookieSlidingExpiration="true"
cookieTimeout="20" domain="yourdomain.com" cookieRequireSSL="true" />
And last, the most important: set this line in your code before you try to set or use any cookie, to see if by mistake you did not use a secure (https) connection.
Debug.Assert(HttpContext.Current.Request.IsSecureConnection, "Without https, cookie will not work");
With that last line, you can see and diagnose on your development machine whether the problem comes from a non-secure connection, because from the moment you set requireSSL to true, any plain connection will not hold any cookie.
Also try clearing your cookies, in case the cookie exists as non-secure and you have a conflict, and/or try other browsers.
You can also read: Can some hacker steal the cookie from a user and login with that name on a web site?
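The Debug.Assert above turned into a per-request diagnostic, added here as an example and not code from the original answer: an IHttpModule that traces whether the request arrived over TLS, whether the browser sent the session and forms cookies at all, and whether ASP.NET had to start a new session. The module name is assumed; the cookie names are the ASP.NET defaults (the forms cookie name changes if <forms name=...> is set, as in [2] above).

```csharp
// Added example (not code from the original answer): trace, per request, the
// facts needed to explain a Session that is always null after requireSSL="true".
using System;
using System.Diagnostics;
using System.Web;

public class SessionCookieDiagnosticsModule : IHttpModule   // assumed name
{
    public void Init(HttpApplication app)
    {
        // Session is only available after the session-state module has run.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return;          // handler without session state

        // IsSecureConnection reflects the connection IIS itself terminated; behind a
        // TLS-offloading load balancer it is false even for https:// requests.
        bool secure = ctx.Request.IsSecureConnection;
        bool hasSessionCookie = ctx.Request.Cookies["ASP.NET_SessionId"] != null; // default name
        bool hasAuthCookie = ctx.Request.Cookies[".ASPXAUTH"] != null;           // default name

        // With requireSSL="true" the cookies carry the Secure flag, which the browser
        // never sends over plain HTTP. "secure=False sessionCookie=False newSession=True"
        // on every request is the signature of the problem in the question.
        Trace.WriteLine(string.Format(
            "{0} {1}: secure={2} sessionCookie={3} authCookie={4} newSession={5}",
            ctx.Request.HttpMethod, ctx.Request.Url.PathAndQuery,
            secure, hasSessionCookie, hasAuthCookie, ctx.Session.IsNewSession));

        Debug.Assert(secure, "Without https, cookies marked requireSSL will not be stored");
    }

    public void Dispose() { }
}
```

Register it under <system.webServer><modules> (IIS 7 integrated mode) with <add name="SessionCookieDiagnostics" type="SessionCookieDiagnosticsModule" /> and read the output in DebugView or the trace listeners configured for the site.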

Sessions and auth in asp.net

While developing a site (using Forms authentication and InProc session state) I frequently run into a scenario where I lose the variables stored in Session (such as Session["myVar"]), but my auth session remains valid.
This results in some weird behavior on my site.
Why is this happening and what can I do to prevent different lifecycles for my auth and my session variables?
In Asp.Net a Session and "Being logged in" are not the same thing.
Both are (usually) controlled by cookies, but the cookies are separate.
To control how long a Session is kept alive, please see the answer by Jonas T.
To control how long a user remains logged in, you can use the timeOut on the <forms ... /> element:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="120" slidingExpiration="true"/>
</authentication>
...
</system.web>
To get rid of your problem you should make sure that the session timeout is at least as long as the forms authentication timeout.
If you are allowing persisted cookies in forms authentication ("Remember me"), then there are no guarantees. In that case you just have to set the session timeout to "long enough" according to some criteria/specification.
Edit: Also check the settings on your application pool (under IIS) where the site is deployed, and specifically check what the "Idle Time-out" is. If this is set low (the default value is 20 minutes, I think), then IIS will shut down the application pool if no requests have come in during that time. That (of course) terminates whatever in-proc sessions existed.
Forms Authentication stores its ticket in a cookie on the client side, or in the URL (if cookies are disabled).
Session variables are stored on the server side with an expiry time. If you want your variable to be more persistent, use a cookie.
You can extend your session timeout in web.config. This is for 20 minutes:
<configuration>
<system.web>
<sessionState timeout="20"></sessionState>
</system.web>
</configuration>
Since you said you are working with ASP.NET Forms authentication/authorization, I'd suggest using Profile instead of Session state.
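The two lifetimes discussed above handled in Global.asax.cs, added here as an example and not code from any of the original answers: Session_Start firing for a request that is already authenticated means the forms ticket outlived the InProc session (timeout, app-pool recycle or idle shutdown), so the user is signed out and sent to the login page instead of running on with Session["myVar"] == null; Application_Start turns the "session timeout at least as long as the forms timeout" rule into a startup check. Only the web.config values are assumed.

```csharp
// Added example (not code from the original answers): detect a valid forms
// ticket whose session has been lost, and check the two timeouts at startup.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        var session = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
        var auth = (AuthenticationSection)WebConfigurationManager.GetSection("system.web/authentication");

        // Rule from the answer: the session may not expire before the ticket does,
        // otherwise authenticated users arrive with an empty session.
        if (auth.Mode == AuthenticationMode.Forms && session.Timeout < auth.Forms.Timeout)
            Trace.TraceWarning("sessionState timeout {0} is shorter than forms timeout {1}",
                               session.Timeout, auth.Forms.Timeout);
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        // A new session id was just issued: the session cookie was missing, or it
        // referred to a session the server no longer has.
        if (!Request.IsAuthenticated)
            return;                     // anonymous visitor, a normal first request

        // Valid ticket but no session data: the two lifetimes have diverged. This
        // also covers a persisted "Remember me" ticket arriving long after the
        // session died (the case the answer says has no guarantees): the user logs
        // in again and the login page rebuilds whatever Session["myVar"] needs.
        FormsAuthentication.SignOut();
        Session.Abandon();
        Response.Redirect(FormsAuthentication.LoginUrl, false);  // 302 to <forms loginUrl>
        CompleteRequest();                                       // skip the rest of the pipeline
    }
}
```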

Session Time Out

We are developing a web application in ASP.NET (4.0). In this application we use jQuery, JavaScript, web services and iframes.
Here I am getting the problem with session expire. How can I solve this? I can't understand where the session is expiring.
If I'm understanding the question properly, you can adjust session timeout in your Web.config file, using something like this:
<system.web>
<sessionState mode="[Off|InProc|StateServer|SQLServer|Custom]" timeout="[numberOfMinutes]" />
...
</system.web>
Your use of jQuery, JavaScript, web services, and iframes is not affecting your session expiration issue.
The following page is an excellent resource for learning to use the Session State:
ASP.NET Session State Overview
Go to the section on that page titled Configuring Session State for information pertaining specifically to your question.
Here are your options for Session State configuration, including timeout:
<sessionState mode="SQLServer"
cookieless="true"
regenerateExpiredSessionId="true"
timeout="30"
sqlConnectionString="Data Source=MySqlServer;Integrated Security=SSPI;"
stateNetworkTimeout="30"/>

Session Timeout ASP.Net

I'm trying to increase the timeout on all sessions. The site is hosted with Godaddy, and it is written in Flash (client side of course) and asp.net on the backend. I've added this to my web.config,
<sessionState timeout="720">
</sessionState>
Is that really all that I need to do? I'd prefer to not let sessions expire ever, but I'm sure that the server needs to reclaim that memory at some point...I'm not storing anything in the session, really, just using it to track users' progress through the site, and if a user is logged in or not.
Thanks for any pointers...all the documentation seems deceptively simple, and it kind of makes me nervous...
Yup!
As in; Yes, that's the only thing you need to do...
To get "never ending timeouts" you'd have to create a background HTTP request (which will transmit the session cookie) back to the server every 719 minutes, though. Though theoretically then you'd also have to have "Out of Process" sessions using e.g. some sort of database or something...
Or you could roll your own session handler; I think ASP.NET has support for this through some sort of adapter pattern or something, but I am not sure. Then you could have a "truly" never ending session...
If you are using Forms Authentication you will also need to set the Forms Authentication Timeout in your web.config
Example:
<authentication mode="Forms">
<forms
name=".ASPXAUTH"
loginUrl="/Home/Default.aspx"
defaultUrl="/Dashboard/Default.aspx"
protection="All"
timeout="30"
slidingExpiration="true"
/>
</authentication>