I am working on a website and this is my first web project.
Scenario for Session
I have created a database for my project with security level little bit high. I want to manage session for each and every user who is logging in to my website. Session state can be used using Cookie as well as URL, only one at a time.
Now I went over with all four session state modes.
i.e
1. InProc 2. State Server 3. Sql Server 4. Custom
Now after reviewing from all these modes I am in confusion which one should I use Sql Server or Custom.
Basically i want to store session related information in my own database instead of Aspnet_db which is a default database provided by microsoft. I have created all tables related to login and registration. But I dont know how to store session into my database.
What tables do I need to create so as to maintain into database.
I want to create a complete log of session and login related information into my database(Persistant atleast for 1 year).
I want to use machinekey as AES and SHA1.
<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10" >
</sessionState>
<machineKey decryption="AES"
validation="SHA1"
decryptionKey="7E047D50A7E430181CCAF7E0D1771330D15D8A58AEDB8A1158F97EEF59BEB45D"
validationKey="68B439A210151231F3DBB3F3985E220CFEFC0662196B301B84105807E3AD27B6475DFC8BB546EC69421F38C1204ACFF7914188B5003C1DCF3E903E01A03C8578"/>
<add name="conString" connectionString="Data Source=192.168.1.5; Initial Catalog=dbName; Integrated Security=True;" providerName="System.Data.SqlClient" />
What all things do i need to specify in webconfig ?
My Data Source= 192.168.1.5
Database name= db.mdf
What I need to know about
What tables do i need to add to my
database to store session related
information. eg. Session id (Any
other field is also stored or not),
Session Time, Session Start Time,
Session End Time, Session Expire
Time. I dont know what all things
are usually taken.
Do I need to encrypt Session Id
before storing into database. If Yes
Encryption will be automatic or do i need to write some code to do this other than that I wrote in web config above.
How mode='custom' will be used into
web config using my database.
in following code
<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10" >
</sessionState>
If you're using the SQL Server session provider, you should run aspnet_regsql to create the tables you need:
aspnet_regsql –E -S localhost –ssadd –sstype p
(replace localhost with .\SQLEXPRESS if you're using SQL Express)
You can also specify a custom DB name with the -d flag if you don't want the command to create the aspnetdb database. You can also run the command without flags to use wizard mode.
If you want to build a custom session provider (not a small task), you might start by looking at the script that's run by the command above:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersistSqlState.sql
Although it depends on your requirements, generally encryption of session state doesn't add much value. However, if your data is particularly sensitive, then it might be worth considering. Note, though, that the biggest risk with session state normally isn't on the DB side, rather it's on the client side, with one user being able to steal a session from another user, by getting access to their session cookie. Because of that, before I resorted to encrypting on the DB side, I would at least use SSL for all pages that reference the session cookie.
In case it helps, I cover many aspects of customizing session state in my book, although I stop short of demonstrating a full custom provider: Ultra-Fast ASP.NET.
Question set 1:
Depends on how you implement your provider. MSDN will tell you how to do that.
I would say no, but I'm not a security expert.
Set 2:
What do you mean?
Related
If we want to store sessions in SQL Server, which table stores the sessions?
To implement ASP.NET SQL Server mode session state management, you must modify the element of your application's Web.config file as follows:
1.Set the mode attribute of the element to SQLServer to indicate that session state is stored in SQL Server.
2.Set the sqlConnectionString attribute to specify the connection string for SQL Server. For example:
sqlConnectionString="data source=MySQLServer;user id=<username>;password=<strongpassword>"
Note The user, , must have permissions to perform this operation on the database.
The modified element should appear as follows:
<sessionState
mode="SQLServer"
sqlConnectionString="data source=127.0.0.1;user id=<username>;password=<strongpassword>"
cookieless="false"
timeout="20"
/>
The question is that is there a particular table storing the sessions?
Store session in SQL Server is a vague concept.
Thanks.
You're supposed to run the ASP.Net SQL Server Registration Tool first. The tool will create the appropriate session state tables.
To use SQLServer mode, you must first be sure the ASP.NET session state database is installed on SQL Server. You can install the ASP.NET session state database using the Aspnet_regsql.exe tool.
Aspnet_regsql.exe is located at
%windir%\Microsoft.NET\Framework\v4.0.30319 ( 32 bit systems .net framework 4 )
Follow the following link to see how to add session table
How To configure SQL server to store session state
The other answers are correct in that you should use the Aspnet_regsql.exe tool to create the session database for you. But out of interest, once that is done, you can find all sessions stored in the temp sessions table.
For instance, my session database is called ASPState and the table of interest is called ASPStateTempSessions. ASP.NET calls the stored procedures to manage the sessions in this table.
In my asp.net application I have a few session variables. Seems like only a few minutes on the localhost and also web host, they lose value. This happens periodically not all of the time. I do have cheap go daddy, web hosting, and that could be the problem on the web server. Thank you for any help, this is a big problem.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="3600" defaultUrl="~/" name="" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="80" />
public static User User
{
get
{
User userLogin = null;
object sessionVar = Session[USERLOGIN];
if (sessionVar != null)
{
userLogin = (User) sessionVar;
}
return userLogin;
}
set { Session[USERLOGIN] = value; }
}
There's a strong chance that your session is being wiped out on the server from the application pool being stopped and started, timeouts, or a host of other things. The main point is that session variables solely by themselves are unreliable persistent mechanisms.
If you need information to persist for a logged in user, try storing a cookie on the user's machine and if the session is null, repopulate it from identifying data in the cookie.
If I could comment I would, apparently I am not special enough ;P lol. I have to agree with KodeKreachor and Aristos on both points. I am not sure why there is a business/reasonable need to have the session state kept in memory.
To add to the points, mostly because I hate cookies, you could roll a solution to keep session states logged in a light weight database. I mean it really is all a cookie is for, flat file database record of information. SQLite might be a good solution, though unless I can find otherwise, you are rolling your own solution on that. Yes, as a loving Godaddy supporter, their cheaper services have a LOT to be desired. There is little to no control over what the system is doing with their shared hosting. My experience of hours talking to their tech department about what is and is not allowed can tell you that.
I would also mention that you might want to add some very verbose logging into the system using a solution such as Log4Net and then parse the logs for information on what is actually happening when the session state is being wiped. Then armed with that information move forward to find a much more clear solution.
Or just go easy on yourself and use cookies ;)
Just modify this for SQLite =D
HOW TO: Configure SQL Server to Store ASP.NET Session State
Of course here is a SQLite Session State Provider
SQLiteSessionStateStore
Apache Log4Net
Great Tutorial Series on using Log4Net by BeefyCode
I follow the direction in here How to configure SQL Server to manage ASP.NET sessions to create ASPState db.
I have 2 web application in IIS 7. In IIS web application setting, i go to "Session State" and set session state as "SQL Server" and provide connection string.
In each web application web.config, i add
<sessionState
mode="SQLServer"
allowCustomSqlDatabase="false"
sqlConnectionString="data source=server;user id=user;password=password"
cookieless="false"
timeout="7200"
/>
I create a session ,
Session["Data"] = "test"
in Web App A and go to Web App B in the same browser to print it
Response.Write(Session["Data"]);
It shows NOTHING. I can see there are data in table : ASPStateTempApplications and ASPStateTempSessions under ASPState Database. Also, i dont see any error in event log. Can anyone think anything i may do wrong?
Thanks!!
You can not get session that belongs to App-A from App-B and vice versa.
The sessions are connected with the cookies, and the cookies are different between app-a and app-b, are random made. Even if set some how the same cookies then next the database connects session with the Application ID, that are also different for each applications.
So even if you have the same database, the application id is different, and the cookies are different, and you can not get session from a to b.
The only possible way to archive that is to make your custom session code, and some how knows that you have the same use on app-A and app-B, so to connected them together.
When I update an ASP.NET Website [note: it's not a Web Application] running on a customer server by overwriting it with the latest version it currently kicks all the users off.
I'd prefer to be able to deliver a new version of a site without kicking off users - is there a way to minimise the chance that users will get kicked off? [apart from the obvious one of waiting for a time of low-usage]
If I moved from InProc to Session State I guess this might do the trick - but is there any other method?
Chaning away from InProc Session State should help.
The problem now is that any time your app is reset in IIS (overwriting the web.config will cause a restart), the IIS Worker process restarts and clears your session info.
Check out this MSDN Page to read the limitations of In-Process Session State:
Session State - MSDN
I think additionally to what you are suggesting, it will be appropriate to display an "update in progress..." page instead of kicking off users. You can do that by changing your web.config file.
Session IDs are valid for the lifetime of the application pool, or until (I believe) 20 minutes following the last page request from the client in question. This is configurable in web.config:
<configuration>
<system.web>
<sessionState
cookieless="false"
timeout="20"
</sessionState>
</system.web>
</configuration>
If the application pool is recycled, files within the application are updated, etc, your session IDs will be invalidated. For this reason it is considered wise to deploy your site during off-peak hours.
Design your application to not rely on the existence of session state variables. Use cookies for authentication (or integrated auth) and check for session variables as you use them; reload them if they don't exist.
Is there any way to retrieve the SSL session Id serverside in asp.net?
the short answer is no. This is an intentional limitation of IIS, so as to prevent people from taking a dependency on something that isn't dependable.
Out on the market, you will find various hardware load-balancers that will offer features like server persistence based on SSL Session ID, but they don't work very well because SSL renegotiation can happen at any time. In Internet Explorer 8, for example, a new SSL session is negotiated for every tab that is opened to a web site. You can expect similar behaviour from other multi-process browsers. So, I must stress that you should not use SSL Session ID for any kind of user identification purposes.
That said -- If you really need the SSL Session ID information for some specialized task, I recommend using Apache, mod_ssl and mod_proxy as a front-end to your IIS system. With a bit of fiddling, you could coerce mod_ssl into giving you the session ID, which you could then add to a proxied request to your IIS server as a query string parameter.... or you could store it in a database.
Tim,
Are you really "just" trying to retrieve the Session ID string or do you maybe lose all session information when switching to SSL? this would be a quite common problem, because the session on serverside is lost when using "InProc" session storage, and the session cookie on the client might be lost when not stored in a common domain.
Therefore, you should switch to state server or sql server session management in Web.config file, for example:
<sessionState mode="SQLServer"
cookieless="true"
regenerateExpiredSessionId="true"
timeout="30"
sqlConnectionString="Data Source=MySqlServer;Integrated Security=SSPI;"
stateNetworkTimeout="30" />
Beside that, I don't really know why you shouldn't be able to retrieve HttpContext.Current.Session.SessionID also in SSL mode as well.
Some MSDN Links:
MSDN: HttpSessionState.SessionID Property
MSDN: ASP.NET Session State Overview
Maybe this helps somehow.
Best regards