sessions in asp.net/c# - asp.net

I have a strange problem with my web application. I want to know when I store a value in a session variable like
Session["UserName"] = UserNameTextBox.Text;
Will there be a Unique ID associated with this particular Session Variable assignment?
Thanks in anticipation

It will be assigned a unique ID for that user. When a user first visits your site, they will be assigned a unique "Session ID". This is usually a cookie stored on their web browser, but if you configure it, you can also set the session ID in the URL if they have cookies disabled.
This unique session ID refers to the user's "Session" on the server side. When you use code like you posted, data is added (or updated if it already exists) to the session for that user, and stored while the session is still active so that you can retrieve it later. You can read this variable and write it as much as you want, and it will always be specific to that user.
It is worth noting that Session variables expire. Generally IIS/Web.config sets this limit to 20 minutes. If the user doesn't do anything on your site for 20 minutes (or a time you specify), then to save server resources, that user's session is erased. If you need to keep session active for as long as a user has a page open (say, if the user is filling out a form and it might take longer than 20 minutes), you will need to look into something like AJAX keep-alive requests, which are simple AJAX calls that just tell the server to keep the session alive, and not to delete it after 20 minutes.

Whatever you store in the session will be available only to the current user. Each user of your site gets a different session id and this id is sent with a cookie so that the server can identify the user. As noted by @Brad Christie in the comments section, if cookies are disabled you could configure the session to use hidden fields or send the id as part of the url.

Related

Difference between JSP/ASP session object Sessions & website User Account Sessions? Are they different?

I was revising the concept of Session Objects in JSP & ASP.Net.
I was confused, 'when an actual Session Object is created?'
Until recently I thought it was created when a user logs into his account, but now I read in the books that it's implicitly created when the user visits any page on your site.
So when is it actually created? And are JSP sessions different from Website User Account sessions?
If the latter is correct, is a second new Session created when a user actually logs into his account, and the previous session destroyed?
E.g.: A shopping site may allow a user to select many items & 'Add to My Cart'. What happens to this data after he logs in? Is a new session created internally after destroying the initial one?
If this seems confusing, then you can just specify how Session is typically implemented in real-world systems (as I'm a student)? When is the session typically started? What data is stored in it? What is the typical timeout you set and why?
My research: JSP sessions are abstract concepts and User account sessions are implementation specific. Both are different
A session is typically implemented by
generating a unique token,
creating a Session object to hold session data and store it in a map, indexed by the unique token,
sending a session cookie containing this token to the browser.
Each time a request comes in from this browser, it contains the cookie, and the container can thus retrieve the appropriate session from its internal map of sessions.
So yes, a session can exist before a user is authenticated, or even without authentication at all. And when a user is authenticated, he keeps the same session. The only difference is that you typically add the user ID in the session, in order to associate the user with the session.
You could thus, for example, let anonymous users shop and add items to their cart in the session, and only ask them to authenticate once they need to pay (to retrieve their stored account). Or you could let them add items to their cart, and never authenticate them at all.
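The three steps listed in the answer above, as an added C# sketch that is not part of the original answer and is not how ASP.NET or a JSP container implements sessions internally; `SessionStore`, `Find` and `RotateOnLogin` are hypothetical names. It goes one step beyond the answer: at login the session data is kept but a fresh token is issued, a common hardening against session fixation.

```csharp
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical in-memory session store (illustration only, no expiry handling).
public sealed class SessionStore
{
    // token -> that session's variables
    private readonly ConcurrentDictionary<string, Dictionary<string, object>> _sessions =
        new ConcurrentDictionary<string, Dictionary<string, object>>();

    // Step 1: unguessable 128-bit token from a CSPRNG, hex encoded.
    private static string NewToken()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return System.BitConverter.ToString(bytes).Replace("-", "");
    }

    // Step 2: create the session and index it by token. The caller then
    // sends the returned token to the browser as a cookie (step 3).
    public string Create()
    {
        var token = NewToken();
        _sessions[token] = new Dictionary<string, object>();
        return token;
    }

    // Each request: map the cookie value back to the session, or null if unknown.
    public Dictionary<string, object> Find(string token)
    {
        Dictionary<string, object> s;
        return token != null && _sessions.TryGetValue(token, out s) ? s : null;
    }

    // Login: same data (the cart survives), new token, old token stops working.
    public string RotateOnLogin(string oldToken, string userId)
    {
        Dictionary<string, object> s;
        if (oldToken == null || !_sessions.TryRemove(oldToken, out s)) return null;
        s["UserId"] = userId;          // associate the user with the session
        var token = NewToken();
        _sessions[token] = s;
        return token;
    }
}
```

All session variables of one visitor hang off a single token, and a request that still presents the pre-login token gets `null` from `Find` after `RotateOnLogin` has run.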

SQL Server Storing session state seems not to be working?

I've configured SQL Server to store session state (from here).
All I want to do is that when the user has logged into my application via browser A, I see that logged session when I visit my app from the browser B.
Right now that scenario doesn't work, I must log in one more time.
When browser B is opened (assuming it's a different browser altogether or a new instance of the same browser) a new session is created; therefore, what you see is expected behavior.
Also, I assume you mention this because you store in session some sort of key that indicates that the user has logged in successfully, correct?
If you want this behavior, you'd need to send some sort of authentication cookie with a long expiration date, you'd then read the cookie on the login page and consider the user as successfully authenticated, but keep in mind that this is a potential security risk.

does two ids are generated for session

I have a question on session in ASP.NET. I am making an ASP.NET application and I am using session for storing user_id and password. I learnt that a session is the particular time for which a user can interact with the application. I also learnt that I can use in-process or out-of-process storage, like state server and SQL Server, for storing session. When a user first hits the server, a unique ID or token is stored on the user side in cookie form, or if cookies are not enabled, a munged URL is used for further communication with the server. I am confused on this point: in my application I am taking userName in one session, password in one session, and one more session for storing some value, so I want to know whether a unique ID (token) is generated for each session I am using in the application, or one single token is generated for each user of that application no matter how many sessions we use.
I want to ask something like this:
Session["userNme"] = userName;
Session["password"] = password;
So I want to know: when a user logs in, their user ID and password are saved in session, and on each page both user ID and password are checked; if the session has expired, the user is sent to the login page. When the user logs in, are two tokens generated, one for userId and one for password? Is that true?
Your confusion comes from mixing up sessions and session variables.
What you are using is session variables, not sessions. There is only one session object for each user, and that object can contain several session variables.
As there is only one session object per user, there is only one session id per user.
The session objects are stored on the server (or on a state server) and the session id connects one user with one session object.
The session object has an Items collection that contains the session variables, and it's the variables in this collection that you are accessing when you put brackets after the session object.
So, your code is a shortcut for this:
Session.Items["userNme"] = userName;
Session.Items["password"] = password;

How does gmail keep a user logged in?

I wonder how gmail/Google keeps a user logged in even across sessions. And how (e.g. cookies) and what (e.g. time) do they use to decide to re-prompt the user for the login?
The short answer is that cookies do not have to expire when you close down the browser or the machine they are on. Depending on constraints configured in the browser, if the server sets an expiry date in the future, the browser will continue to present the cookie until that expiry time.
C.
Well, cookies are stored on your local machine; you can see those in totals - content settings - cookies. You can clear the cookies as well. So your information is stored there. Moreover, about sessions, if they have been implemented on the website: they can be destroyed by two methods. One is by giving a time for the session to expire; the other is when you want to forcefully expire the session, in which case the session abandon method is used. You must have seen that sometimes, if you don't scroll through a page for some time, it says your session has expired. Sessions are executed on the server side and their values can be stored on the client side in cookies as well.
Hope it would help you to understand William

MVC2 and Session Start Event

The Setup:
Account controller with the typical logon / logoff stuff that comes baked in from the template. Not much modification here on the logon page. Using a custom membership provider (SQL), but I don't think that is impacting what I am trying to do here.
The Requirements:
The client wants to handle licensing by limiting concurrent users and not by total users. So, after referencing this post here, I set out to make this work for what I need to do. And that is to track maximum and current users for each organization that has signed up for our application. No problem, just have an application("max") and application ("current") which are both hashtables with the key being the organization id and the value being current or max users for the organization. On Session_Start, I would increment the current users, check if it exceeds max and either a) redirect to an error page or b) let them go on with what they need to do. On Session_End, I would decrement the count.
The Problem:
When using formsService.signIn, what is actually stored in session? I cannot seem to gather any information about my session in the session_start except for the session ID. So, I cannot increment the correct number for user tracking. And I cannot add a variable to session as session_start will have already fired before I get the opportunity.
The notion that session is somehow connected with authentication is a myth. They are entirely independent of each other. Session can even be shared between multiple users if they happen to share their session key; that's why you never put security-sensitive info in session. Session can also expire while you're logged in. Likewise, your session is still active after logout unless you explicitly abandon it.
Session is more like a user-specific cache.
So you need to accept this fact and adapt to it. Look and see if the current user is authenticated during session start. You'll need to increment during logon as well, since the session will have already started. Etc.
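One way to structure the counting the answer describes, as an added example that is not the poster's or the framework's code: a seat is taken at logon, when the organization is known, and is keyed by session ID so that Session_End can release it with nothing but that ID. `SeatTracker` and its methods are hypothetical names, and organization IDs are assumed to be integers.

```csharp
using System.Collections.Generic;

// Hypothetical concurrent-seat tracker (illustration only); one instance would
// live in application state and be shared by all requests.
public sealed class SeatTracker
{
    private readonly object _lock = new object();
    private readonly Dictionary<int, int> _max = new Dictionary<int, int>();      // orgId -> licensed seats
    private readonly Dictionary<int, int> _current = new Dictionary<int, int>();  // orgId -> seats in use
    private readonly Dictionary<string, int> _seatBySession = new Dictionary<string, int>(); // sessionId -> orgId

    public void SetLimit(int orgId, int maxUsers) { lock (_lock) { _max[orgId] = maxUsers; } }

    // Call from the logon action after credentials are verified: that is the
    // first point where the organization is known. Returns false when full.
    public bool TryAcquire(string sessionId, int orgId)
    {
        lock (_lock)
        {
            if (_seatBySession.ContainsKey(sessionId)) return true;   // already counted
            int max, used;
            if (!_max.TryGetValue(orgId, out max)) return false;      // unknown org: deny
            _current.TryGetValue(orgId, out used);                    // 0 if absent
            if (used >= max) return false;
            _current[orgId] = used + 1;
            _seatBySession[sessionId] = orgId;
            return true;
        }
    }

    // Call from logoff and from Session_End. Only the session ID is needed, and
    // releasing a session that never logged on (or releasing twice) changes nothing.
    public bool Release(string sessionId)
    {
        lock (_lock)
        {
            int orgId;
            if (!_seatBySession.TryGetValue(sessionId, out orgId)) return false;
            _seatBySession.Remove(sessionId);
            _current[orgId] = _current[orgId] - 1;
            return true;
        }
    }

    public int InUse(int orgId) { lock (_lock) { int n; _current.TryGetValue(orgId, out n); return n; } }
}
```

Session_End is raised only with in-process session state, so with a state server or SQL Server the release has to come from logoff or a separate expiry sweep.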
