Response.Redirect in Application_AuthenticateRequest RawUrl - asp.net

I am using a Response.Redirect in global.asax.cs.
When the page loads the RawUrl property contains an encoded directory of some kind.
"/(F(D7zFAWNl_SpT-cuyRXksIZnvwBB_bYfBl3ens83McZjPg9zLBvcjvik6FkwBNhnjeK-faeUt6PUYOZSsYXKdg4hi4IDPTDO5diQf693NLpw1))/Integration/Workflow.aspx"
Where does this horrible directory come from?
It's breaking a bunch of user controls on the target page which use the RawUrl to get path information.
Why would Response.Redirect invent this horrible path and add it?
Is there any way around this?
Thanks
Craig

"(F(D7zFAWNl_SpT-cuyRXksIZnvwBB_bYfBl3ens83McZjPg9zLBvcjvik6FkwBNhnjeK-faeUt6PUYOZSsYXKdg4hi4IDPTDO5diQf693NLpw1))" is your session id or auth. id stored in your URL and not in a cookie. You can change this in your web.config file

It is the setting that is taken from the web.config, as in the following location:
<authentication mode="Forms">
<forms loginUrl="~/en/Access/Login" defaultUrl="~" cookieless="UseUri" timeout="2880" />
</authentication>
If you set cookieless="UseUri", your session details will be appended to your URL instead of being stored in a cookie.
Set cookieless="UseCookies" or remove the cookieless attribute to use a cookie instead of the URL for session details.

Related

How can we add session id to link page

I downloaded a sample for asp.net.
And when I ran it, I saw a link like this:
http://localhost/(S(1uld2ekua0uuilxlw15zguus))/login.aspx
Can you tell me where we have the string "(S(1uld2ekua0uuilxlw15zguus))"? I checked in the web.config, global.cs but I still don't know where we configure it.
I would very much appreciate your help.
Thanks.
The string is the session id.
What is a session id?
Session Id is a unique ID generated by asp.net to identify the current session.
You are seeing it in a link because, in the web.config file, you'll have this:
<system.web>
<sessionState cookieless="true"></sessionState>
</system.web>
If you don't need that in the url, you can just set cookieless=false
So, it becomes:
<system.web>
<sessionState cookieless="false"></sessionState>
</system.web>
Now, the session id will be stored in a cookie.
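
An added example, not part of either answer above: both threads show a token carried in the URL path, /(F(...))/ for the forms authentication ticket and /(S(...))/ for the session id, so the same value also lands wherever URLs are recorded, such as access logs and Referer headers. This Python code parses that path segment, masks it in log lines, and recovers the plain path an application expects. The sample log lines are constructed, and a segment holding more than one token is an assumption not shown on the page.

```python
import re

# Cookieless segment "/(KEY(value)...)": the page shows S (session id), F (forms ticket).
# More than one pair per segment is an assumption made for this example.
PAIR = re.compile(r"([A-Z])\(([A-Za-z0-9_\-]+)\)")
SEGMENT = re.compile(r"/\(((?:[A-Z]\([A-Za-z0-9_\-]+\))+)\)(?=/)")
KINDS = {"S": "session id", "F": "forms auth ticket"}

# Constructed sample log lines (paths reuse the shapes quoted on the page).
SAMPLE_LOG = [
    "GET /(S(1uld2ekua0uuilxlw15zguus))/login.aspx 200",
    "GET /Integration/Workflow.aspx 200",
    "GET /(S(abc123)F(Zx_9-Q))/Integration/Workflow.aspx 302",
]


def find_tokens(text):
    """Return [(kind, value), ...] for every cookieless token in text."""
    found = []
    for seg in SEGMENT.finditer(text):
        for key, value in PAIR.findall(seg.group(1)):
            found.append((KINDS.get(key, "unknown (%s)" % key), value))
    return found


def redact(text):
    """Mask token values but keep the key letters, for safe log storage."""
    def mask(seg):
        return "/(" + PAIR.sub(r"\1(REDACTED)", seg.group(1)) + ")"
    return SEGMENT.sub(mask, text)


def strip_segment(url):
    """Drop the whole segment, leaving the path the application expects."""
    return SEGMENT.sub("", url)


def scan(lines):
    """Return (line_number, kinds, redacted_line) for lines with tokens."""
    hits = []
    for number, line in enumerate(lines, 1):
        tokens = find_tokens(line)
        if tokens:
            hits.append((number, [kind for kind, _ in tokens], redact(line)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```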

can I write my Login Page redirect code in Session_End?

Can I write my code in the Session_End method so that when my session times out I redirect users to the Login Page?
I am using the Forms Authentication method.
Currently I have created a "CheckSession()" method and am calling it on each page...
Please suggest...
I've always placed the session check code in a master page for webform projects or, more recently, creating a base controller that has this method. Either way the goal is not to duplicate that code everywhere for obvious maintenance reasons.
I think you can manage this through settings in your web.config file without having to use code at all. Just ensure that the duration of your forms authentication cookie and your session are the same length. If your authentication session times out ASP.NET will automatically redirect a user to the login page.
Try:
<forms ... timeout="20" slidingExpiration="true" />
(slidingExpiration is true by default but I've specified it here because it must be true to replicate the timeout behaviour of sessions in ASP.NET)
and:
<sessionState ... timeout="20" />

asp.net forms authentication redirect problem

The default document feature is turned off in IIS and here's the situation...
My start page for my project say is A.aspx. I run the project and sure enough, A.aspx appears in the url of the browser. Like it should though, A.aspx finds no user logged in and redirects to Login.aspx like it should.
A.aspx:
if (Session["UserStuff"] == null)
Response.Redirect("~/Account/Login.aspx");
The login.aspx shows up BUT when the user Logs in, the code:
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true);
always redirects to "Default.aspx" and not "A.aspx"
I've examined FormsAuthentication.GetRedirectUrl and sure enough it returns "Default.aspx"
I'm stumped????
In web.config you could set the default page using the defaultUrl attribute:
<authentication mode="Forms">
<forms
loginUrl="login.aspx"
defaultUrl="a.aspx"
protection="All"
timeout="30"
/>
</authentication>
http://www.codeproject.com/KB/aspnet/custom_authentication.aspx Follow this
If you're using FormsAuthentication, your settings should be defined in the web.config. It sounds like you have a default setting in the web.config for DefaultUrl. You shouldn't need the session redirect though. FormsAuthentication should perform this for you. It doesn't hurt to check the session and force a SignOut() if you don't find it, but FormsAuthentication should perform this redirect.
From my understanding, when the user is redirected to your login screen, the Forms Authentication mechanism will add the url of the page that the user was originally trying to access to the login url. For example, if you had a login page: http://bob/login.aspx, and a user tried to access http://bob/showmethemoney.aspx, then they would get redirected to http://bob/login.aspx?ReturnUrl=showmethemoney.aspx. So, if you use the ReturnUrl to redirect the user after the user logs in, the user will always be returned to the resource that they were originally trying to get to.

Where is .ASPXAUTH cookie

In javascript, alert(document.cookie); does not show the .ASPXAUTH cookie although a sniffer is showing it.
I need it because I have an AJAX request to the server, and the request should not take place when the user is already logged in.
If I cannot check .ASPXAUTH for security reasons, what should I do to check whether the user is already logged in?
Thanks
The authentication cookie is marked with http-only, meaning it cannot be accessed by javascript. If you want to check if the user is authenticated, simply output a javascript variable, a hidden field or whatever you prefer from your code-behind. You can then check this easily in JS.
There is a .ASPXAUTH cookie set, you are obviously correct. It is used to determine if a user is logged in.
To get what you need look over your web.config for the config section:
<authentication mode="Forms">
<forms
loginUrl="~/login.aspx"
protection="All"
timeout="30"
name="ExampleSite.FormsAuthentication"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="index.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false"
/>
</authentication>
When the user is successfully authenticated a cookie will be set based off the name="ExampleSite.FormsAuthentication" parameter. It will expire after logging out or after the session expires. You will see a cookie on Chrome/FFX or whatever browser you are using called ExampleSite.FormsAuthentication with an encrypted value. Obviously the name parameter you are using will be different and not ExampleSite.FormsAuthentication but you get the idea.
You could always check and see if the cookie exists. As mentioned, be careful of the http-only (with relation to JS). You can also override that value in the web.config so you can access it with JS.
<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />

Best way to keep ASP.Net Session Active

What is the best way to keep asp.net or asp.net mvc session active until user logs out?
*User should be able to activate session even after browser or computer restarts...
In other words, what is the best way to implement REMEMBER ME...
You can set the timeout setting to a higher value, but you can't make the difference between a session_end caused by a timeout or by a user that ends his session.
The solution to your problem is probably to restore the user's session in the session_start method in Global.asax.
You can use membership provider for this purpose and set a cookie file at the user browser and check it for authentication
Another idea is to send keep-alive request in background via iframe / ajax / image tag every minute or so.
The best way to be able to do this is to use cookies in your authentication strategy to indicate that a user is logged in. Set your website to use forms authentication, and set the pertinent attributes to use cookies. It can be done in your Web.config file:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
For more information read this: How To: Use Membership in ASP.NET 2.0
