I have a question on sessions in ASP.NET. I am making an ASP.NET application and I am using session for storing user_id and password. I learnt that a session is the particular time for which a user can interact with the application. I also learnt that I can use in-process or out-of-process storage (state server and SQL Server) for the session. When the user first hits the server, a unique ID or token is stored on the user side in cookie form, or if cookies are not enabled, a munged URL is used for further communication with the server. So I am confused on the point that in my application I am taking the userName in one session and the password in one session and one more session for storing some value. I want to know whether, for each session I am using in the application, a unique ID (token) is generated, or one single token is generated corresponding to each user for that application even when we are using any number of sessions in it.
I want to ask something like this:
Session["userNme"] = userName;
Session["password"] = password;
So I want to know: when a user logs in, their user ID and password are saved in session, and on each page both user ID and password are checked; if the session has expired they are sent to the login page. So I want to know, when the user logs in, are two tokens generated, one for userId and one for password? Is it true?
Your confusion comes from mixing up sessions and session variables.
What you are using is session variables, not sessions. There is only one session object for each user, and that object can contain several session variables.
As there is only one session object per user, there is only one session id per user.
The session objects are stored on the server (or on a state server) and the session id connects one user with one session object.
The session object has an Items collection that contains the session variables, and it's the variables in this collection that you are accessing when you put brackets after the session object.
So, your code is a shortcut for this:
Session.Items["userNme"] = userName;
Session.Items["password"] = password;
As an Admin, I am able to reset password for all users. May I know how can I logout the particular users "all" sessions across all devices/PC when I reset his password?
Example:
1) User1 logged in to PC1, PC2 and PC3.
2) Admin reset/change password for User1.
3) System logout session in PC1, PC2 and PC3.
How can it be done in ASP.NET?
Thanks.
It is possible; Facebook and Gmail do that, but it is not simple.
Use a flag in the database that is checked on Session_Start and invalidates the user's session if the flag is set. It need not be a boolean: you can use a DateTime value and invalidate all sessions that started prior to that time. This could be done by checking a value stored in a cookie upon login.
Check the StackOverflow discussions below; I think they will help you.
I know this is an old issue, but I believe there is an easier method. This method does not provide the functionality of listing all of the active sessions. But it is a very simple and straightforward method of invalidating other sessions when changing password.
Add a column called SecurityStamp to your user table. If a user logs in and this column is not populated, populate with a random guid. Or you could pre-populate the entire table.
When the user logs in, add the value found in the table to a session variable. On every page load, check that their session variable matches what is in the database.
When a user changes their password, update the value in the database with a new random guid. Additionally update the session variable for the user who changed the password. You could also add a button that invalidates other sessions without having to change the password.
If the user was logged in from a different device, the session variable associated with that other device login will not have been updated. When they try to access any page, you will have checked that their session variable does not match the database and force them to logout.
I was revising the concept of Session Objects in JSP & ASP.Net.
I was confused, 'when an actual Session Object is created?'
Until recently I thought it was created when a user logs into his account, But now I read in the books that its implicitly created when the user visits any page on your site.
So when is it actually created? And are JSP sessions different from Website User Account sessions?
If the latter is correct, Is a second new Session created when a user actually logs into his account, and the previous session destroyed?
eg: A shopping site may allow a user to select many items & 'Add to My Cart'. What happens to this data after he logs in. Is a new session created internally after destroying the initial one?
If this seems confusing, then you can just specify how Session is typically implemented in real-world systems (as I'm a student)? When is the session typically started? What data is stored in it? What is the typical timeout you set and why?
My research: JSP sessions are abstract concepts and User account sessions are implementation specific. Both are different
A session is typically implemented by
generating a unique token,
creating a Session object to hold session data and store it in a map, indexed by the unique token,
sending a session cookie containing this token to the browser.
Each time a request comes in from this browser, it contains the cookie, and the container can thus retrieve the appropriate session from its internal map of sessions.
So yes, a session can exist before a user is authenticated, or even without authentication at all. And when a user is authenticated, he keeps the same session. The only difference is that you typically add the user ID in the session, in order to associate the user with the session.
You could thus, for example, let anonymous users shop and add items to their cart in the session, and only ask them to authenticate once they need to pay (to retrieve their stored account). Or you could let them add items to their cart and never authenticate them at all.
How can I prevent a single user from logging in to my asp.net website from more than one computer at the same time?
I have tried using the application server-side state management, but it does not work properly.
1) If you are using cookies to track users:
When a user logs in, you write a unique GUID to the database and store it in their authentication cookie; then on every page request you check whether the two GUIDs are identical, and if not you log them off.
2) If not using cookies, store the UserName and GUID in the Application cache and in a user Session variable. Compare the user's Session to the Application cache to see if he is already logged in.
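The two answers above (the SecurityStamp column that is rotated on a password change, and the per-login GUID compared on every request) are the same mechanism with a different rotation rule. The following is an added example, not code from either answer and not ASP.NET itself: a framework-independent Python model with an in-memory user table and session store standing in for the database column and the server-side session. The names USERS, SESSIONS, login, is_authorized, change_password and admin_reset_password are hypothetical. The `single_session` flag rotates the stamp on every login, which gives the "one computer at a time" behaviour asked about in the later question.

```python
import hashlib
import hmac
import secrets
from typing import Optional


# Constructed in-memory stand-ins for the user table and the server-side
# session store (hypothetical; a real app uses a database column and the
# framework's session provider). Passwords are stored salted and hashed.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_pw(password, salt),
            "security_stamp": secrets.token_hex(16)}


USERS = {"user1": _new_user("hunter2")}
SESSIONS: dict = {}   # session id -> session variables for that user


def login(username: str, password: str, single_session: bool = False) -> Optional[str]:
    """Authenticate and open a new session; returns the session id, i.e. the cookie value."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw_hash"]):
        return None
    if single_session:
        # Rotating the stamp on every login invalidates every earlier session:
        # the "one computer at a time" rule, with the GUID kept server-side.
        user["security_stamp"] = secrets.token_hex(16)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"username": username, "security_stamp": user["security_stamp"]}
    return sid


def is_authorized(sid: Optional[str]) -> bool:
    """The per-page check: the stamp copied into the session at login must
    still equal the one in the user table, otherwise the session is stale."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    user = USERS.get(sess["username"])
    if user is None or not hmac.compare_digest(sess["security_stamp"], user["security_stamp"]):
        SESSIONS.pop(sid, None)   # force logout of the stale session
        return False
    return True


def change_password(sid: str, new_password: str) -> bool:
    """Password change by the user from session `sid`: rotate the stamp and
    refresh only this session, so every other device is logged out."""
    if not is_authorized(sid):
        return False
    user = USERS[SESSIONS[sid]["username"]]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_pw(new_password, user["salt"])
    user["security_stamp"] = secrets.token_hex(16)
    SESSIONS[sid]["security_stamp"] = user["security_stamp"]
    return True


def admin_reset_password(username: str, new_password: str) -> None:
    """Admin reset: rotate the stamp without touching any session, so all of
    the user's sessions (PC1, PC2, PC3) fail the next check."""
    user = USERS[username]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_pw(new_password, user["salt"])
    user["security_stamp"] = secrets.token_hex(16)
```

The check costs one lookup of the user row per request, which is why the pattern is cheap compared with tracking every live session. The stamp is compared with `hmac.compare_digest` and generated from the OS CSPRNG; a sequential or time-based value would let one device guess the value another device holds.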
I have a strange problem with my web application. I want to know when I store a value in a session variable like
Session["UserName"] = UserNameTextBox.Text;
Will there be a Unique ID associated with this particular Session Variable assignment?
Thanks in anticipation
It will be assigned a unique ID for that user. When a user first visits your site, they will be assigned a unique "Session ID"; this is usually a cookie stored in their web browser, but if you configure it, you can also put the session ID in the URL if they have cookies disabled.
This unique session ID refers to the user's "Session" on the server side. When you use code like you posted, data is added (or updated if it already exists) to the session for that user, and stored while the session is still active so that you can retrieve it later. You can read this variable and write it as much as you want, and it will always be specific to that user.
It is worth noting that Session variables expire. Generally IIS/Web.config sets this limit to 20 minutes. If the user doesn't do anything on your site for 20 minutes (or a time you specify), then to save server resources, that user's session is erased. If you need to keep session active for as long as a user has a page open (say, if the user is filling out a form and it might take longer than 20 minutes), you will need to look into something like AJAX keep-alive requests, which are simple AJAX calls that just tell the server to keep the session alive, and not to delete it after 20 minutes.
Whatever you store in the session will be available only to the current user. Each user of your site gets a different session ID, and this ID is sent with a cookie so that the server can identify the user. As noted by @Brad Christie in the comments section, if cookies are disabled you could configure the session to use hidden fields or send the ID as part of the URL.
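The earlier answer on how a session is implemented (unique token, server-side map indexed by it, cookie carrying it, same session kept across login) and the answers above about the session ID cookie and the 20-minute inactivity expiry describe one mechanism. Here is an added example of that mechanism in Python; it is not ASP.NET's own implementation and not code from any of the answers. The class SessionStore, the cookie name ASP.NET_SessionId used only to mirror the discussion, and the `now` parameter (passed in so expiry can be exercised without waiting) are assumptions. One point goes beyond the answers: the example issues a fresh session ID at login while carrying the anonymous cart over, so an ID a third party planted in the browser before login is never promoted to an authenticated one (the session fixation problem); the data is kept, which is what the answer means by "keeps the same session".

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

SESSION_TIMEOUT = 20 * 60   # seconds of inactivity; the usual IIS default of 20 minutes
COOKIE_NAME = "ASP.NET_SessionId"   # name chosen to mirror the discussion; any name works


class SessionStore:
    """Server-side map: session id -> session variables, plus last access time."""

    def __init__(self, timeout: float = SESSION_TIMEOUT):
        self.timeout = timeout
        self._sessions: dict = {}    # sid -> dict of session variables
        self._last_seen: dict = {}   # sid -> time of last request

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; not guessable

    def get(self, cookie_header: Optional[str], now: float) -> tuple:
        """Resolve the request's session from its Cookie header.
        Returns (session id, session variables, Set-Cookie value or '')."""
        sid = None
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if COOKIE_NAME in jar:
                sid = jar[COOKIE_NAME].value
        if sid in self._sessions and now - self._last_seen[sid] <= self.timeout:
            self._last_seen[sid] = now   # sliding expiration: activity resets the clock
            return sid, self._sessions[sid], ""
        # Unknown or expired id: discard it and start a fresh, empty session
        self._sessions.pop(sid, None)
        self._last_seen.pop(sid, None)
        sid = self._new_id()
        self._sessions[sid] = {}
        self._last_seen[sid] = now
        set_cookie = f"{COOKIE_NAME}={sid}; HttpOnly; Secure; SameSite=Lax"
        return sid, self._sessions[sid], set_cookie

    def login(self, sid: str, user_id: int) -> str:
        """Authenticate: keep the variables (e.g. the cart) but move them under a
        new id, so an id fixed in the browser before login is not upgraded."""
        data = self._sessions.pop(sid)
        last = self._last_seen.pop(sid)
        data["UserId"] = user_id   # the only change the answer describes: attach the user
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        self._last_seen[new_sid] = last
        return new_sid
```

Each request that presents a live ID pushes its expiry forward by `timeout`; an idle browser that comes back later gets an empty session and a new cookie, which is the "session is erased after 20 minutes" behaviour. The Set-Cookie attributes keep script and plain-HTTP channels from reading the token, which matters because whoever holds the ID is that user as far as the server can tell.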
I am developing my login for my new homepage.
Now I found out, that I must save something like the userID (or another value that i can recognize my user) in the session variable of the browser.
At the moment I use INT for the userID.
So isn't it unsafe to put the userID in the session?
E.g. when I manually edit my session variable from userID 111 to userID 112, then I am logged in as a completely different user?!
Yes, it is unsafe to rely only on user ID.
You may wish to add a unique authentication token generated and remembered by the server. It is also a very simple solution, but it will stop manipulation of the user ID, since the correct authentication token for the other user cannot be guessed.
You also need to submit both user ID and the corresponding authentication token at each request to be jointly validated on the server side, prior to performing the requested operation.
P.S. The above applies if you store this information in cookies, which are accessible on the client side and can be manipulated. The viewstate (serialized in pages) can also be manipulated. The session collection is a server-side variable that is not available on the client, so it cannot be manipulated. In this latter case your user ID should be safe.
I would recommend you to implement the dual system: store the user ID and the token both in cookies and in the session and use the same validation logic (for simplicity). Should cookies be disabled you automatically fallback to using the session without changing your code.
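An added example of the point made in this answer, not code from the answer itself: the cookie that carries only the user ID is trusted as-is, so a client editing 111 to 112 becomes user 112, while the hardened version accepts the ID only together with a per-user token that the server generated and remembers. AUTH_TOKENS, issue_cookie, user_from_cookie, naive_user_from_cookie and tamper are hypothetical names; the token table stands in for a database column, and the same validation works unchanged when the ID and token live in the server-side session instead of a cookie.

```python
import hmac
import secrets
from typing import Optional

# Constructed user table: user id -> the authentication token the server
# generated at login and remembers (hypothetical; a DB column in practice).
AUTH_TOKENS = {
    111: secrets.token_hex(32),
    112: secrets.token_hex(32),
}


def naive_user_from_cookie(cookie_value: str) -> Optional[int]:
    """The unsafe design from the question: the cookie *is* the user id,
    so editing 111 to 112 logs the client in as user 112."""
    return int(cookie_value) if cookie_value.isdigit() else None


def issue_cookie(user_id: int) -> str:
    """Cookie value sent after login: user id plus the server-remembered token."""
    return f"{user_id}:{AUTH_TOKENS[user_id]}"


def user_from_cookie(cookie_value: str) -> Optional[int]:
    """Server-side validation on every request: the id is accepted only if it
    arrives together with that user's token. Constant-time compare so the
    token cannot be recovered byte by byte from response timing."""
    uid_text, _, token = cookie_value.partition(":")
    if not uid_text.isdigit():
        return None
    uid = int(uid_text)
    expected = AUTH_TOKENS.get(uid)
    if expected is None or not hmac.compare_digest(token.encode(), expected.encode()):
        return None
    return uid


def tamper(cookie_value: str, new_user_id: int) -> str:
    """What a client can do to its own cookie: change the id, keep the token."""
    _, _, token = cookie_value.partition(":")
    return f"{new_user_id}:{token}"
```

The token is 256 bits of CSPRNG output, so the "cannot be guessed" part of the answer holds; an attacker who changes the ID still needs the other user's token, which only the server and that user hold. Rotating the token at logout or password change gives the same session invalidation discussed earlier on this page.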
The session variable is not stored in the browser, it is stored on the web server. (Typically anyway.)
A token indicating which session variable to use, is stored in the browser.
So storing the userid in the session variable is fine, as the user has no access to this directly.
If the user were to change the session token, to another one, that would be a problem, but they'd need to know the other token first. (I'm not sure how to do that myself.).
(You can further diminish this by using encryption, or other identifiers like IP addresses etc.; it's really a case of how secure you need your website to be.)
Also, if your site needs the user to log in, it's advisable to use https/SSL.
As Bravax says, the user does not have access to the Session variables (Cookies they do have access to).
If you are worried at all I would use a GUID instead as they are not sequential and nearly impossible to guess.
Also, have you looked at the built in stuff in .Net for authentication? Look at FormsAuthentication.
HTH,
Arry