I have an asp.net login page, which when initialized sets some session variables. When the user clicks login, an AJAX request is made which validates the user and sets additional session variables and returns a result to the client. The client is then redirected based on the login result. In the redirected page, I can access the session variables set when the login page was initialized (i.e. before the login) but none are present for those set during the login validation (part of an ajax call).
is this expected behaviour? Why would an ajax call generate a new session and thus cause the data to be lost?
Thanks
Is the location for your ajax call in the same application space as the rest of the application?? If I remember right you can't share session information between applications. That may be what's going on.
Normally the browser sends the sends the session id along with ajax requests. If you use Firebug or something similar you can view the contents of the ajax request and check if the session id is sent along.
The session id is stored in a cookie, which (depending on options) can only be used for the same domain/host name. This could be a reason why it is not sent.
Depending on your code, I guess that if no session id was sent a new one is created.
The session id is stored in a cookie, which is returned in the header of the response. As you are doing an AJAX call, the cookie is just part of the response. If you want to use the same session for another request, you have to get that cookie and send it along in the header of the request.
Related
I am working on an ASP.NET website, and trying to track active Sessions.
I write to a log file whenever a session is created or ended via the Session_OnStart and Session_OnEnd events.
What I am noticing, is that when a user navigates to the webpage, it creates a Sessions with a Session Id for that user, like I expect, but when the user selects to log off, and gets redirected to the homepage, the Session_OnEnd is fired, but immediately after that, the session Session_OnStart is fired with the same SessionID.
Why is this?
Since the previous session ends, its ID is no longer valid (it does not matter if an end-user is logged in or not). As described in this article:
A new session automatically starts whenever the server receives a request that does not contain a valid SessionID cookie.
So, a new session starts for this user as soon as any his/her request is received after session expiration.
This is what Microsoft article says.
A browser that does not support cookies does not return the SessionID
cookie, the server creates a new session each time the user requests a
page. Thus, for each request, the server processes the Session_OnStart
script and redirects the user to the starting page.
Here's the problem...
My backend software sends user an email with a hyperlink that contains data (ie. "?dataName=dataYadaYada").
User receives email and clicks hyperlink
My ASP.NET app gets the request, processes data in queryString, and sends back response page with "THANK YOU" plus links to other pages.
PROBLEM: If user re-posts the page or clicks one of the page links, my ASP.NET gets same request again with same queryString, and mistakenly processes it.
How can my ASP.NET app recognize and skip a request that it has already processed?
The only solution I can think of is backend putting unique sequential number into the email hyperlink, and then ASP.NET storing this into session variable for detection of 2nd request of same queryString.
Is there better way?
Fairly simple - when you receive the request, record in your database that the dataname has been used, and check for it every time you receive a request.
If the dataname on its own is not unique enough then yeah append another parameter containing something which (in combination with the dataname if that makes sense) allows you to identify the specific email from which it originated.
P.S. using session is no good because it's temporary and lost when the browser closes. If the user clicks the email again in a new browser session it won't detect it. You need permanent storage like a database
I wonder how does ASP.NET check if an anti-forgery token is valid or not? Like where is ASP.NET storing those tokens? And how are they stored?
The short version is that a generated token is stored in 2 places: (a) cookie (b) hidden form value. When the form is submitted, these 2 values are compared against each other to determine if they are valid. For further reading:
http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks
http://www.codeproject.com/Articles/793384/ASP-NET-Anti-Forgery-Tokens-internals
A stepwise explanation that is more clear than the accepted answer imho (from https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks)
The client requests an HTML page that contains a form.
The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.
When the client submits the form, it must send both tokens back to the server. The client sends the cookie token as a cookie, and it sends the form token inside the form data. (A browser client automatically does this when the user submits the form.)
If a request does not include both tokens, the server disallows the request.
The above description is not all what is done, in case of AjaxRequest the antiforgery, specifically in get requests, will not usually send the Form with the hidden value for comparison, instead you will need to set a header value with the same content of the cookie via javascript.. the header name that you should set is by default X-XRF-Token header [related to angularjs] ... of course you will need to disable CORS or enable it for only specific domains to protect the APIs, SAMEORIGIN also need to be set to avoid clickjacking ..
How AntiForgeryToken gets invalidated? I have set up this token to prevent CSRF attacks on my login page and have inspected it with fiddler. When i call GET method the token generates as hidden field __RequestVerificationToken. When i post login data should this token be changed on next GET call? I catch with fiddler this value with post data and reissue/replay request and this works. Is this good behavior, or this replay should not happen because token value should not be valid after i leave that form.
Thanks in advance.
The token is tied to a session cookie; when the session goes away and the cookie disappears the token will be rendered invalid. The reason replays work in Fiddler is that Fiddler is capturing (and replaying) both the session cookie and the form token.
You could simulate session expiration by removing the request's Cookie header from within Fiddler before replaying. The server should then reject the form's __RequestVerificationToken field.
I have an asp.net page i do authentication and authorization of a user and user can make several ajax requests from this page. What i want to ensure is that the request only from this page so i will store some data(or token)(possibly a function of userID + user IP address + current time) encrypted in the page aswell as in the session so the requests that come with this token will only get served. Does anybody have any idea of doing this? Help
You could store it in the ViewState. You will then need to send the value of the ViewState hidden field along with your AJAX request.