I am using sessionstate stored in stateserver in asp.net. I have a link on header that displays users login id.
Problem:
When session expires in stateserver my application still displays loginid and it throws an error when hits code that depends on value stored in session.
Looks like asp.net has no idea when session expires on stateserver and continue working on same session with value saved in cookie in user's browser.
To tackle this problem in another application i am checking for session with each request and expire user's session if it's expired in sessionstate.
I am not sure i am doing right thing here. Isn't asp.net suppose to keep session data saved in cookies synced with session in stateserver?
Could you please explain what would be best practice to handle this?
The right practice is to "find" the user's session each time you receive a postback. And right then and there, if you can't find it, report an error that their session has expired and they need to log in again.
If you are using ASP.Net Webforms, you can consider the Load event of the page or control to check whether the session has expired. Here's the relevant code
if(Session["yourvar"] == null)
ShowError();
Thanks For all answers,
By Default my session timeout value for form authentication were higher then sessionstate. That made session on sessionstate expire and cause issues. I think keeping form authentication value little lower than sessionstate would be the best practice.
Related
I have a web application (.net VB code) that utilizes session variables to store the username (here login name) and the profile (admin/client), authentication is handeled by asp membership. The application then relies on these session variables on the load events. This application has been running fine for a couple of years. However, recently users complain about occasional error messages after logging in and attempting to load a new page that needs one of these variables. It happens most frequently Chrome, but also IE and Firefox.
Users that experience the error need to log out and clear the browsing history, after that it works again. The error is not easy to replicate - I was able to trigger it on my machine 'violently' using the 'back' button a couple of times that eventually tripped it - then I had to clear my browsing history to get the application to work again.
What might cause this to happen?
the session gets set on the load event of the 'login' page with 'Session("Type") = "Admin"' and subsequent pages check for the value of Session "Type"
I understand that I could use a cookie instead, but I chose not to for security reasons. Could this be prevented using a cookie instead? or do I need to use the membership.getuser method to get the username and then look up the values in the database? That does not seem efficient.
Ideas?
FYI, the ASP.NET Session ID is stored in a cookie that travels back and forth with each request/response. The actual session state values for a given session are not stored in cookies ... they are stored on the server only. They could be stored in memory, or in a SQL database, depending on how you've configured ASP.NET Session State.
But Session State can get destroyed for a variety of reasons. IIS might suddenly decide to restart your Application Pool, for example, in which case all your Session State would be gone.
Basically, you need to write your web app to always handle the possibility that Session State may be empty. If it is empty, then you probably need to redirect the user to the login screen to enter his credentials again.
Clearing the browsing history should have no effect, so I can't explain why that would help get past the problem.
I am implementing site with login via facebook.
I call FormsAuthentication.SetAuthCookie(response.email, true); after facebook authenticates user.
Form authentication timeout is set to 129600 (3 month).
Should i set session timeout to the same value?
As far as I understand session timeout should be as few as possible.
Is it normal if session timeout less then form timeout? (for example form 129600 session 30)
I know that there are many similar questions, but this problem isn't clear for me.
Thanks.
You're using cookies for authentication, your server session doesn't matter. A potential problem is that if you store data on Session object and it expires, that could cause troubles to user since functionality depending on this data would probably fail.
If you handle server Session expiration properly, you won't have any problem.
I had a query on behavior of an ASP read only application using a custom Session State provider.
I assume, for a normal read-write application/web-page the session will be recreated after the expiry as long as the client has sent a session cookie. The runtime may opt to change the session identifier at this point, but it normally won't. What about Read-only applications? Do they follow the same behavior? If they are recreated, Can they update these sessions?
Thanks,
Alfan
EDIT
This problem seems to have strangely disappeared. There must've been something funky with my environment. I'm voting to close this question.
When a user logs in, I inflate the session with a bunch of data from the Login page code-behind. Then I redirect the user to a different page in the application. I also have some session recovery logic which re-inflates the session based on the auth ticket when the user's session expires.
What seems to be happening is that I inflate the user's session with a bunch of data from the login page, then redirect them, and the request for the page to which I redirect them doesn't seem to have the session, so the application has to re-inflate it. I don't understand this - I've looked at the cookie and the session ID is not changing, and I am not resetting the session data anywhere in the code. Is this an ASP .NET 'feauture'? I'm using ASP .NET 4.0.
Edit:
To clarify: The session is inflated during the login request (on the click even of the login button). During the next request, it doesn't appear the session is populated any longer, so I end up having to re-inflate the session. Any requests that user makes after that, the session seems to "stick" and I have the properly inflated session for subsequent requests.
To answer your question SessionState data is independent of login/logout.
There are several reasons why data might "disappear" from SessionState.
If you are using InProc SessionState on a web farm, the user may have a subsequent request be served by a different machine in the farm.
SessionState can clear if it gets too full (like a cache).
If you are using a custom SessionStateStoreProvider, it may not be saving/retrieving the SessionState properly.
I have an ASP .NET information and I currently have session state turned off so I can't exactly hook into the session start event within the Global.asax. I want to get at this data, when someone comes to a site, and when they would normally start a session. What is the event that is fired to start a session so that I could hook into it and get at that data?
Without having sessions turned on then every request is a new session. So whatever event you like :)
Unless you're dropping a cookie which acts as a session cookie then there is no way to know if a visitor has been there before.