How can i allow multiple tab browser sessions? I've done research and found this line of code:
<sessionState mode="InProc" cookieless="UseUri" />
I was not allowed to use this because the url was displaying the session id on every tab. Are there any other way else i can allow unique session id in multiple tabs? Does any other state managements available is able to work in multiple tabs?
You can't. Whatever session method you're using, it will still be possible to get the same session into multiple tabs, and impossible to detect on the serverside that a page has been opened in a new tab.
Regardless of whether you're allowed to use it or not, the UseUri session management method won't help. If a user tries to open a link in a new tab rather than in the current window, you [a] have no way of detecting this on the server-side, and [b] you have no way on the server-side to create a new session, transfer the page execution to this new session, all whilst keeping the current session intact.
Related
I have a Layout page which sets up the list of Projects in the application using Telerik's ComboBox as shown. The combobox allows user to select a project he/she wants to work on.
Once a selection is made, I want all subsequent actions in the application should correspond to the selected Project. I can preserve the Project information in a Session but then if user chooses to open this in a new tab and in 2nd tab users switches to a different Project and comes back to the first tab and refreshes the page then the session information (Project) would have changed which will create issues in my application.
So, what is the best way for me to persist Project information of the Layout.cshtml controls so that I can use it in my application such that every page that is rendered uses the currently/correctly selected values.
Tempdata / QueryStrings came to my mind but i don't know whether they will be reasonable solution to my problem. If yes, then how should I use them generically (specially querystrings) without complicating my solution?
localStroage and sessionStorage also seems like relevant solutions but then how do I use them in scenario where user opens a new tab from existing page? How will the Project # will persist on the newly opened page/window/tab?
something like this is achievable, if you make sure the url changes when a selection is made.
So let's say you select project C-1379 in your dropdown box, at that point your url could become http://localhost:58692/pid=C-1379.
from now onwards, your page can load the desired data, retrieving its required information from the query string. Do not use session or localstorage or anything like that as it won't work.
This way, you can still load your list of projects in your layout page, and you can select one based on the query string value and then load some default values via api calls to the back end.
If all your work from now on is done based on api calls, for example, you have some properties that you change and then you issue a POST to update said details then this is very easily done as well.
telerik controls usually have some events associated with them. the one you are using should have an onChange or something like that. This where where you would update the query string with the value of the project selected and then you can proceed to do what you need
I can preserve the Project information in a Session but then if user
chooses to open this in a new tab and in 2nd tab users switches to a
different Project and comes back to the first tab and refreshes the
page then the session information (Project) would have changed which
will create issues in my application.
I would have thought this is the desired behavior... take stackoverflow.com as an example, if I change my username in one browser-tab, I would expect my username to be updated in other browser-tabs as well... and that's what happens if I refresh my other tab.
There is no built in solution for maintaining user info in different browser tabs separately... the only way to achieve this, is by sending project name back and forth in the URL... but then you would loose this info if user changes the URL... In my opinion, this is an ad hoc solution and does not worth the effort of development, because it's a very uncommon scenario.
Getting to your options:
Storing user info is a very typical use case for session variable.
TempData is stored in Session by default. Though you can write
your own custom TempDataProvider and store it somewhere else (e.g.
database, cookie, etc). See Brok Allen's Cookie TempDataProvider
as an example. One advantage of using Cookie is that you send your
session variable back and forth with the request so you don't need to
worry about Sticky Sessions.
You can of course use a permanent storage, such as DB/Disk.
If the project name is not a sensitive info then I don't see any issue in passing it in Query String.
I have an ascx. In this ascx, I have any number of controls that I can interact with and set a session variable and it works as expected.
However, when (in the same control), I try to set session in page load, I get a different error depending on how I implement it:
System.Web.HttpContext.Current.Session("Test") = "Test"
It says that, summarized, the Session object is nothing.
If, instead, I say:
Session("Test") = "Test"
It then tells me that I need to enable session state in either the page or web.config. I have indeed checked and session is enabled in the web.config and furthermore, those session statements that are called in response to a click on a runat="server" control works fine.
At this point, I'm almost certain that my issue is because I lack knowledge on the lifecycle of the page and session object. So I therefore have two questions:
Why isn't this working as I expect? I suspect that I'm trying to call Session before some other code which makes it available is executing but what might that be?
How can I make it work so that I can store information in a session variable on page load (and subsequently clear it on page unload)? If I cannot make this work as I hope, how can I do something similar server-side?
The problem was caused by having multiple tabs in the same browser open.
To clarify...
Say maybe tab 1 is open to the page before where I tried to set session because I'm debugging and lazy and didn't close other tabs.
And then maybe tab 2 is the current tab that just opened when I started debugging. The only code change is where I'm trying to set a session variable.
There are now two tabs open with conflicting session state data. When the current code tries to set session, it is in conflict with what is being sent back and forth to "wherever sessions live". Or maybe it doesn't really work that way but closing the old tabs opened with "older code" and having only tabs opened that face the "new code" solves the problem.
I know this question has been asked before but I have not found a complete answer. When the user selects duplicate tab in IE it appears the current tab gets its url(with cookless session id) from the current window. Then the two tabs are sharing session values.
I have tried checking the referrer for null, but on the Duplicate Tab command in IE that value is set to the current tab.
The only workaround I see is to get rid of session.
The last tab gets the latest session info, sessions are based on browser instances, not tabs, that is ust how they work. You are fighting a losing battle.
You could map the same site to two different domains. When your users want to open a second session, they can access the second domain, which will create a second session.
I'd like to stop IE8 from sharing my sessions in one of two ways (or both if possible):
Through configuring the browser to always do this (so I can force my users to configure their browsers in this way).
Through code in my web application.
Thanks.
Instead of storing data in the session directly, create a custom tab-level session upon demand and store everything there. When a new request for any page comes in, create a Dictionary<string, object> to use as the tab-level session and then store it in the session based on a unique key. Pass this unique key from page to page either in the viewstate or url.
However, you need to prevent users from opening links in a new tab (which will make them mad, so this really isn't a good thing to do anyways). To do that make sure all links are postbacks only.
What are the different ways of communication between asp.net page and a popup page? Query strings etc. Which is most secure?
You say "communication between" the pop-up and the main ASP.NET page. First, I assume that the pop-up is an ASP.NET page as well so the communication from the main page to the pop-up is no different from the communication from one page to the next in a series of pages. That is, you can store and then use data in the session (if the data is available when the main page is loaded), via query strings, etc. Unless the data is sensitive, the simplest way by far is to include a variable in the call to the pop-up that is replaced by the appropriate arguments. Here is a sample image link:
<img style='cursor:hand;' alt="Open Note" onclick="javascript:window.open('NoteEdit.aspx?T=3&UID=<%#NoteUID%>', 'Note', 'HEIGHT=400,WIDTH=420');" src="images/Note.gif" />
Note the "NoteUID" replacement argument.
The more interesting question is how to pass information back to the window that popped up the pop up. To do that, start with this javascript:
<script type="text/javascript">
function OpenHRAResults()
{
opener.location.href="<%#DestName%>";
window.close();
}
</script>
This is taken from code where I re-open a specific page but, as you can guess, you can do all sorts of things with the "opener" window (the window that popped-up the pop up).
Hope this helps...
If you are talking about an actual pop-up page, where you are using window.open from javascript. You have the querystring and Javascript as your only real available options for passing information between.
As for "security" of this. The users will be able to see anything via a querystring, JavaScript can move values across, but they would be existing on the other page. But you could pass something like an excrypted value to make things more secure.
We try to avoid query strings where possible in sometimes they are just too convenient. In those cases we always encrypt the querystring. There are several ways to do this - example of one approach:
http://www.codeproject.com/kb/web-security/querystringencryptionnet.aspx
A few methods
Query strings (window.open('/users/123'..)
Javascript (window.opener)
HTTP POST (open a popup via javascript, set the form target to it's name as target and post)
Sessions or other server side methods
In answer to the security consideration I'd say that query strings in combination with server side security is the way to go. Open the popup passing the information via query strings, then validate that the logged in user has permissions to access that user. Some specific requirements would call for encrypting the querystring data.
For delete operations I'd probably use a postback to avoid problems like "my indexing spider deleted all users".
You don't need to sent the real data to the popup window. Just create a GUID on the opener page.
Create a class in asp.net which represent all the data you need to sent between the popup page and the opener page. For example popupdata
Store the serialized class in the Session with the GUID as the name Session[Guid] = class object
Session[Guid] = popupdata;
Open the popup with f.i. ~/popupwindow.aspx?PageID=Guid
Retrieve the session object with calling the Session[Guid] again (Guid is coming from the PageID querystring.
so on the popup page call popupdata data = (popupdata)Session[Guid];
And then do whatever yuo like withthe data.
If data is changed on the popupwindow you can store it in the Session variable again
and send it back to the opener...
Very secure since no data is sent to the client.