I have a session variable which is accessed by multiple users through different pc's...so my question is do session variables overwrite when same login credentials are associated?
Session variables / objects are 'unique to users', also unique to browsers and are not over written by other users. You can read more about session state here.
Sessions are identified by a unique identifier that can be read by
using the SessionID property. When session state is enabled for an
ASP.NET application, each request for a page in the application is
examined for a SessionID value sent from the browser. If no SessionID
value is supplied, ASP.NET starts a new session and the SessionID
value for that session is sent to the browser with the response. Reference
Session Variables / Cookies are unique to Users/Browsers only. However you are confusing sessions with Application variables....which are Global to users. Sessions are generated via Webserver.
Related
I'm exploring cookies and sessions [I'm using them with respect to ASP.NET C# microsoft framework]
Learnt how sessions and cookies work here and here.
My take on it is like,
Once a user logs in and establishes a session, he or she is given a session id to track them further.
Also, this sessionId can be stored on a Server, like SQL Server or a InProc, meaning it is stored on the issuing server or on a cache, Redis Cache.
My question is like,
I can understand that the sessionId is stored in a memory and being sent with every request (since HttpSessions are stateless) as HttpHeaders.
When we talk about storing sessions in a memory, which memory are we talking about ?
If we are storing them in a cookie, what If I go and modify the cookie ?
If I can modify them, what If I change the sessionId and supply in a new sessionId ?
1. When we talk about storing sessions in a memory, which memory are we talking about ?
Ans: InProc mode, which stores session state in memory on the Web server (RAM). This is the default.
2. If we are storing them in a cookie, what If I go and modify the cookie ?
Ans : Only session id is stored in cookie. If you don't want to use cookies for session tracking, asp.net framework also supports it by appending it in the URL. If you change the cookie value, the server will not be able to identify the request with the stored session data. You need to understand the http is a stateless protocol, sessionid is the identifier of a browser for the request during roundtrips. If you change the cookie value, server will not be able to identify the request.
By luck if you supply a valid sessionid, server will serve the content stored in session against that id. This is called session hijacking
https://en.wikipedia.org/wiki/Session_hijacking
3. If I can modify them, what If I change the sessionId and supply in a new sessionId ?
Ans: If you are taking about the SessionId of System.Web.SessionState. It can't be changed as it is readonly. But you are free to change anything at the client side (Cookie or URL)
Namespace: System.Web.SessionState
Assembly: System.Web (in System.Web.dll)
public string SessionID { get; }
The session data is stored on the server, either in memory or in a database. This data is looked up with a sessionId that is stored in a cookie.
2/3. Modifying the sessionId is known as session hijacking, and allows you to "be" that user. This is commonly exploited with attacks like cross-site scripting (XSS).
To protect against hijacking make sure that:
The cookie is encrypted. There are ways for ASP.NET to do this for you, but this way it cannot be tampered with
The cookie is set to HttpOnly. This ensures that the cookie can only be sent over http requests and things like javascript - and thus XSS attacks - don't have access to the cookie.
If you are using something like ASP.NET Session State, change the default name of the cookie so it is not easily recognizable
Generally in asp.net we have unique sessionID for one request,
Example : Once you browse any website, during this entire browsing activity from one browser is considered as one Session, and it should only carry one Session ID
But here for my website for ONE Request Many SessionID's are creating in fraction of Seconds its 25000 within 1 day.. !
Can any one explain me some concept of how to control this generation of SessionIDs multiple times??
Ref
When using cookie-based session state, ASP.NET does not allocate storage for session data until the Session object is used. As a result, a new session ID is generated for each page request until the session object is accessed. If your application requires a static session ID for the entire session, you can either implement the Session_Start method in the application's Global.asax file and store data in the Session object to fix the session ID, or you can use code in another part of your application to explicitly store data in the Session object.
If your application uses cookieless session state, the session ID is generated on the first page view and is maintained for the entire session.
In my web application I am using sessions for storing the user specific data for persisting the data in between the postbacks.
I would like to know the difference between storing the data in sessions as
Session["selectedItem"] = somevalue;
and
Session["UserName"]["SelectedItem"] = somevalue;
where I have a session named Session["UserName"] which stores the name of the user who is logged in.
If i just go into more depth lets say if there are 2 users one logs into firefox and other internet explorer, will there be any conflict if i store the value in the first way meaning the session data is overwritten or shared, and this conflict would be resolved if i use sessions in second way.
Is there any noticeable difference in the way session variable is stored between these 2 session implementations or are they just identical ?
Data stored in a session is, per definition, stored against a specific user - and it will work regardless of whether your user has been authenticated or not (if your user is anonymous the server will still set a cookie in the user's browser with a unique id for the user's session).
The session object provides a simple one-dimensional collection for storing data, meaning that you can only store data in the session by providing a single key, e.g.
Session["myKey"] = myObject;
Of course, if myObject is an array or another collection then you can reference elements within myObject like this:
Session["myKey"][0];
Session["myKey"]["anotherKey"];
Sessions are unique per user, so there's no need to key your Session variables by user.
The session is generally tied to a particular browser through cookies and is isolated from other sessions.
Hope following points clear your doubts
You will get a new session/session ID when using different browsers
If you are using the same browser (tabs or multiple instances) and your session is set to use cookies, by default cookies will be shared among all tabs and/or instances of a browser
If you want a different session when using the same browser you will need to use cookieless sessions.
What is the difference between a Session and a Cookie?
What circumstances should each be used?
Sessions
Sessions are stored per-user in memory(or an alternative Session-State) on the server. Sessions use a cookie(session key) to tie the user to the session. This means no "sensitive" data is stored in the cookie on the users machine.
Sessions are generally used to maintain state when you navigate through a website. However, they can also be used to hold commonly accessed objects. Only if the Session-state is set to InProc, if set to another Session-State mode the object must also serializable.
Session["userName"] = "EvilBoy";
if(Session["userName"] != null)
lblUserName.Text = Session["userName"].ToString();
Cookies
Cookies are stored per-user on the users machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings colours preferences ect. No sensitive information should ever be stored in a cookie.
You can never fully trust that a cookie has not been tampered with by a user or outside source however if security is a big concern and you must use cookies then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear his cookies at any time or not allow cookies altogether so you cannot count on them being there just because a user has visited your site in the past.
//add a username Cookie
Response.Cookies["userName"].Value = "EvilBoy";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(10);
//Can Limit a cookie to a certain Domain
Response.Cookies["userName"].Domain = "Stackoverflow.com";
//request a username cookie
if(Request.Cookies["userName"] != null)
lblUserName.Text = Server.HtmlEncode(Request.Cookies["userName"].Value);
sidenote
It is worth mentioning that ASP.NET also supports cookieless state-management
Cookie is a client side storage of your variables. It stored on client machine by browser physically. It's scope is machine wide. Different users at same machine can read same cookie.
Because of this :
You should not store sensitive data on cookie.
You should not store data that belongs to one user account.
Cookie has no effect on server resources.
Cookie expires at specified date by you.
Session is a server side storage of your variables. Default, it stored on server's memory. But you can configure it to store at SqlServer. It's scope is browser wide. Same user can run two or more browsers and each browser has it's own session.
Because of this :
You can save sensitive data in session.
You should not save everything in session. it's waste of server resources.
After user closes browser, session timeout clears all information. (default is 20 minutes)
A cookie is an identifaction string stored by a server (who has a domain) in the browser of the user who visits the server/domain.
A session is a unit of maybe variables, state, settings while a certain user is accessing a server/domain in a specific time frame. All the session information is in the traditional model stored on the server (!)
Because many concurrent users can visit a server/domain at the same time the server needs to be able to distinguish many different concurrent sessions and always assign the right session to the right user. (And no user may "steal" another uses's session)
This is done through the cookie. The cookie which is stored in the browser and which should in this case be a random combination like s73jsd74df4fdf (so it cannot be guessed) is sent on each request from the browser to the server, and the server can assign and use the correct session for its answers (page views)
The cookie allows the server to recognize the browser/user. The session allows the server to remember information between different page views.
Sessions are not reliant on the user allowing a cookie. They work instead like a token allowing access and passing information while the user has their browser open. The problem with sessions is that when you close your browser you also lose the session. So, if you had a site requiring a login, this couldn't be saved as a session like it could as a cookie, and the user would be forced to re-login every time they visit.
Its possible to have both: a database primary key is hashed and stored in a lookup table: then the hash is stored on the client as a cookie. Once the hash cookie (hahhahaha :) is submitted, its corresponding primary key is looked up, and the rest of the details are associated with it in another table on the server database.
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. This difference determines what each is best used for.
A cookie can keep information in the user's browser until deleted. If a person has a login and password, this can be set as a cookie in their browser so they do not have to re-login to your website every time they visit. You can store almost anything in a browser cookie.
Session is a server side object,
which transfer or access data between page call.
Cookies is a object which is client side/client machine which store some text information of browser and server.
There appears to be some confusion regarding what a session cookie is.
Firstly, when we are talking session cookies - it has nothing to do with ASP.Net sessions. Likewise, session cookies have nothing to do with server side processes or caching.
A session cookie is nothing more than a cookie that expires when the browser session expires. To create a session cookie - don't put an expiration date on it. Doing this stores the cookie in memory and is disposed of when the browser is disposed.
A) I assume Asp.Net allows you to reuse session identifier only if we operate in cookieless mode, but not if we use cookies to store session ID?
B) From my book:
By default, ASP.NET allows you to reuse a session identifier. For example, if you make a request and your query string contains an expired session, ASP.NET creates a new session and uses that session ID. The problem is that a session ID might inadvertently appear in a public place - such as in a results page in a search engine. This could lead to multiple users accessing the server with the same session identifier and then all joining the same session with the same shared data.”
I’m not sure I understand how reusing session identifier could cause session ID to appear in a results page in a search engine?
C) Continuing:
To avoid this potential security risk, it’s recommended that you include the optional regenerateExpiredSessionId attribute and set it to true whenever you use cookieless sessions. This way, a new session ID will be issued if a user connects with an expired session ID. The only drawback is that this process also forces the current page to lose all view state and form data, because ASP.NET performs a redirect to make sure the browser has a new session identifier.
Why needs Asp.Net to perform a redirect to make sure browser has a new session identifier? Couldn’t it just extract session ID from the URL and throw it away?
Thank you
A) No. When using cookie-based sessions, if a client sends an invalid session ID (from a stale cookie for example), the server will reject the ID, generate a new ID and send that value back in the cookie with the response.
Just to be sure I understand what you are saying:
When session is cookie-based and if you make a request, but your cookie contains a session Id of an already expired session, then server will generate a new ID?
But if session is cookieless ( thus ID is contained in URL ), then by default Asp.Net will create new session using that same ID?
C) The redirect is performed to ensure that the client received the new session id value and properly sends it back with the follow-up request. It's just a double-confirmation that occurs.
But why doesn’t it instead just put new Session ID in a URL and send it back. There must be a reason why this wouldn’t work and thus redirect is needed?!
A) No. When using cookie-based sessions, if a client sends an invalid session ID (from a stale cookie for example), the server will reject the ID, generate a new ID and send that value back in the cookie with the response.
B) When using cookie-less sessions, it's quite possible that a search engine could index a page with the session ID implanted in the URL. In this case, should a user click on the link from the search engine (and regenerateExpiredSessionid was 'true'), a new session would be created using the same ID. Subsequent users would also re-use the same ID should they click the link and if multiple users are browsing at the same time using the same ID, they would be overwriting each other's session values with each request.
C) The redirect is performed to ensure that the client received the new session id value and properly sends it back with the follow-up request. It's just a double-confirmation that occurs.