Here's the situation:
User1 logs in with IE to the web site. Once they pass authentication they go to the default page (page1). On page one, user makes a selection which results in a querystring with parameters, and goes to page 2 as specified in the querystring.
User2 logs in with Chrome (I want to be sure they have a different session). Once they pass authentication they go to page 2 and the querystring is the same as the first user's querystring. Same parameters, and they've bypassed page1!
Looks to me like the querystring is being stored at the application level, but I thought user sessions should always be truly isolated from each other. I have the same problem with session variables: crossover between users.
Is there a way to guarantee unique sessions as users log in? Any other suggestions? Using C#/.NET.
Thanks,
I overcame this by pulling an all-nighter and experimenting with IIS7 configuration. I defined a simple test which showed the error (log in with IE, click a button, leave the session up, launch Safari, log in). Then I went through every permutation of session state config and retested.
In the end, the Session State Mode settings are now: In process, use cookies, name: ASP.NET_SessionID, timeout = 20, regenerate expired session ID = false, Use hosting identity for impersonation = true.
What can I say, it's working!
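The asker's hypothesis, state kept at application level rather than per session, is the classic way to get exactly this symptom. As an added illustration (not the asker's code, and not the IIS configuration change the answer settled on), here is a static field shared by every request beside the per-user Session version, with a Page2 check that refuses a query string its own session never produced. Page names, the `selection` form field and the `sel` parameter are assumptions.

```csharp
using System;
using System.Web.UI;

// Added example (not from the original post): contrasts application-wide and
// per-user storage for the selection that Page1 forwards to Page2.
public partial class Page1 : Page
{
    // BUG: a static field belongs to the whole application, not to a user.
    // Every request from every browser reads and writes this one value, so
    // User2 sees whatever User1 selected last.
    private static string LastSelection;

    protected void SelectButton_Click(object sender, EventArgs e)
    {
        LastSelection = Request.Form["selection"];           // shared across all users
        Response.Redirect("~/Page2.aspx?sel=" + Server.UrlEncode(LastSelection));
    }
}

public partial class Page1Fixed : Page
{
    // Session is keyed by the session cookie, so each browser session has its
    // own copy and no crossover between users is possible.
    private const string SelectionKey = "Selection";

    protected void SelectButton_Click(object sender, EventArgs e)
    {
        string selection = Request.Form["selection"];
        Session[SelectionKey] = selection;                   // per-user storage
        Response.Redirect("~/Page2.aspx?sel=" + Server.UrlEncode(selection));
    }
}

public partial class Page2 : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Page2 must not trust the query string alone: the bypass in the
        // question is a user arriving here with someone else's parameters.
        // Require that the selection was made in THIS session.
        string fromSession = Session["Selection"] as string;
        if (fromSession == null || fromSession != Request.QueryString["sel"])
        {
            Response.Redirect("~/Page1.aspx");
        }
    }
}
```

The Page2 check is the part worth keeping whatever the root cause turns out to be: a query string is client-controlled input, so the page that consumes it has to verify that the current session actually earned those parameters.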
I use session-based authentication in my ASP.NET MVC website. Users who are already using the website get logged out after a short time because the session id changes automatically, and it causes trouble for them.
How can I stop the session id changing?
In this picture you can see the log of a user's activities.
[image: SQL user logs]
This problem happened on any redirect in my website between "http://www.blabla" and "http://blabla". When the URL the user requested changed, his session id changed too.
I modified my code to use just "http://www.blabla" in my redirects.
I am having a problem with session management in ASP.NET. I log out of the admin or user account, but when I press the forward button of the browser, the page is redirected again to the user/admin account. I already destroy the session I created for storing the username every time I click the log out button.
On every page you should put a small if statement in Page_Load that checks whether the Session value is null, like so:
if (Session["User"] == null)
{
    // Nothing stored for this session: send the visitor back to the login page.
    Response.Redirect("~/Login.aspx");
}
Make sure that when you log out, the Session value is set to null.
If you are using the default template of Visual Studio this may help you:
if(!HttpContext.Current.User.Identity.IsAuthenticated)
{
Response.Redirect("~/Login.aspx");
}
There might be two problems here:
First Problem (Server Side):
Using Session to store authentication and authorization is a poor way to design the application. Use the ASP.NET Authentication and Authorization (FormsAuthentication) framework to do this. This way your application can use client-side cookies to store authentication information, and can allow only certain users to access certain pages in your application (using Authorization).
Session data is lost each time ASP.NET recycles the application pool (which might happen at random). This is potentially dangerous and can cause NullReferenceExceptions during usage. (This happens if session management is InProc, which is the default.)
Second Problem (Client Side):
Usually the browser caches the page, so Page_Load will not be executed on the server side. To work around the problem, you can add this code to the Page_Load event on each page (or add it to a Master Page):
Response.Buffer = true;
// An expiry date in the past tells the browser the page is already stale.
Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
Response.Expires = -1500;
// Ask browsers and proxies not to serve this page from cache.
Response.CacheControl = "no-cache";
Then the Authorization/Authentication part of ASP.NET will gracefully redirect you to the Login.aspx page if the user has been logged out.
Using some more code, you can even redirect to the homepage for a particular user, if the user is already authenticated based on a certain roleID.
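Combining the two answers above, as an added example that is not from either answer: a base page that sets the no-cache headers and checks the Forms Authentication ticket instead of a Session value, plus a logout page that ends both the ticket and the session. Class names are assumptions, and it assumes web.config has `<authentication mode="Forms">` with `loginUrl` pointing at Login.aspx.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example (not from either answer above): server-side check plus
// client-side cache headers in one base page, and a logout that clears
// both the Forms Authentication cookie and the session.
public class SecurePage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        // Client side: tell the browser (and proxies) not to cache this page,
        // so Back/Forward re-requests it and the check below runs again.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // Server side: rely on the Forms Authentication ticket, not on a
        // Session["User"] value that vanishes when the app pool recycles.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        base.OnLoad(e);
    }
}

public class LogoutPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        FormsAuthentication.SignOut();   // removes the authentication cookie
        Session.Clear();                 // drop per-user data
        Session.Abandon();               // end this session id
        Response.Redirect(FormsAuthentication.LoginUrl);
    }
}
```

Every protected page derives from SecurePage; with `<authorization><deny users="?"/></authorization>` in web.config the framework also blocks anonymous requests before the page runs, so the OnLoad check is a second line of defence rather than the only one.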
Is it possible to allow only one concurrent login per user in ASP.NET web application?
I am working on a web application in which I want to make sure that the website allows only one login per user at a time. How do I check whether the current user is already logged in?
Please suggest a proper login method by which we can handle this problem. I think we should use SQL Server session state to handle this problem. What do you suggest?
I thought of one solution for it. We can do something like:
When the user logs into the system, we insert the session id into a user column. (We will use database session state so that we can get all session-related data like isexpired, expiredatetime etc. easily.)
When the same user tries to log in a second time, we check that session id column and whether that session has already expired. If the session is not expired, we do not allow the user to log in.
Update the user's session ID every time the user logs out.
Please suggest whether this is the proper way or not.
Please refer to:
When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?
Out of the box, .NET does not support this. .NET allows for concurrent log-ins, as I'm sure you're aware.
I had this same exact requirement, and came up with a pretty slick solution, demonstrated in the link above. In a nutshell, my requirement was to only have one user log-in happening at one time. If that same user ID tried to log in elsewhere, then it killed the session for the first log-in by checking for an existing log-in under a different Session ID (this enabled the user ID to be logged in from multiple instances of their web browser on their computer [same Session ID], which is common, but not from a different computer [different Session ID] (possibly due to someone that stole their credentials, for example)). Through modification of the code you could probably change the behavior of this - i.e., prevent the second log-in attempt instead of killing the first log-in that's already active and in use.
Of course, it may not fit 100% to what you're needing, so feel free to modify it to fit your needs.
You can create a cache entry per user and store their session ID in it. Session ID will be unique per browser session. In your login page, you can create that cache entry when they successfully login:
if (Cache["Login_" + username] != null) // Cache has no ContainsKey; null means no entry
{
    // Handle "Another session exists" case here
}
else
{
    Cache.Insert("Login_" + username, this.Session.SessionID); // remember this browser session
}
(Code typed in textbox without syntax check. Assume "pseudo-code".)
In global.asax you can then hook into the Session_End and expire that cache entry of the user. See this for the global.asax events.
// Session_End only fires for InProc session state; HttpRuntime.Cache is the same cache the page used.
string username = Session["Username"] as string;
if (username != null && HttpRuntime.Cache["Login_" + username] != null)
    HttpRuntime.Cache.Remove("Login_" + username);
You could add a flag column in the user table that indicates that a user is currently logged in.
When a user attempts to log in you check the flag: if it is true (that user's account is already in use) then you don't allow the new user to log in; if the flag is false the user is allowed to log in, as their account is not being used by anyone else at this time.
Be aware though that unless the user actively logs out, you cannot know when the user moves on to something else (goes to a different website, closes the browser, etc.), so you need to set some kind of session timeout that will automatically log out the user if there are no new requests within a specified time period.
This means that if a user closes his/her browser and tries to log in on a mobile device, for example, he/she will be unable to log in until your specified session timeout runs out, so give the timeout a bit of thought: you don't want the user to get logged out too quickly (if he/she is reading a long page, etc.) and you don't want the user to be unable to log in on another device for hours if he/she forgot to log out before leaving home.
The login credentials are stored in the cookie, so to know whether the user is logged in you need to keep this information on the server, preferably in a database, because the database is the only place common to a web garden or web farm.
What you can keep in a table is whether user A is logged in or not, a flag that they have logged out, maybe the last user interaction so you can have a timeout, etc.
So let's say that user A is logged in; then you set a flag in the database for that user saying they are now logged in, and if they try to log in again, you keep them out.
To make this work you need either to tell your users to log out, or to keep a timeout, similar to the timeout of the credentials.
If you are using the Identity system, this link will help you with single-user login across multiple devices.
Prevent Multiple Logins in Asp.Net Identity
I have tried it and it works fine in my ASP.NET MVC project.
The solution can be this way:
Add a new column, GuidCode, to your login table.
Step 1: When logging in, check whether the GuidCode in the database is null.
Step 2: Update GuidCode with a new guid and also store it in the session.
Step 3: If it is not null, take the guid from the session and compare it with the database GuidCode value.
Step 4: If it is the same, allow login.
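The GuidCode steps above, and the idle timeout the earlier answers say you need because browsers rarely log out explicitly, as an added example that is not code from any answer here. The store is an in-memory dictionary so the file runs stand-alone as a console program; in a web garden or farm it would be the GuidCode column plus a last-seen column in the login table, as the answers recommend. Class names, the `LoginToken` session key and the clock values are assumptions.

```csharp
using System;
using System.Collections.Concurrent;

// Added example, not from any answer above: one live login per user, with a
// per-login token (the GuidCode value) and an idle timeout.
public sealed class LoginRecord
{
    public Guid LoginToken;        // the GuidCode value
    public DateTime LastSeenUtc;   // updated on each accepted request
}

public sealed class SingleLoginRegistry
{
    // Stand-in for the login table; keyed by user name.
    private readonly ConcurrentDictionary<string, LoginRecord> store =
        new ConcurrentDictionary<string, LoginRecord>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan idleTimeout;

    public SingleLoginRegistry(TimeSpan idleTimeout)
    {
        this.idleTimeout = idleTimeout;
    }

    // Steps 1-2: succeed only if there is no live login for this user. The
    // returned token is what the login page stores in Session["LoginToken"].
    public Guid? TryLogin(string user, DateTime nowUtc)
    {
        var fresh = new LoginRecord { LoginToken = Guid.NewGuid(), LastSeenUtc = nowUtc };
        while (true)
        {
            LoginRecord existing;
            if (!store.TryGetValue(user, out existing))
            {
                if (store.TryAdd(user, fresh)) return fresh.LoginToken;
                continue;                 // lost a race with another login; re-read
            }
            if (nowUtc - existing.LastSeenUtc < idleTimeout)
                return null;              // another browser/device is still active
            // The old login went idle: take it over atomically.
            if (store.TryUpdate(user, fresh, existing)) return fresh.LoginToken;
        }
    }

    // Steps 3-4: on every request compare the session's token with the stored
    // one. A mismatch means a newer login replaced this one, or it timed out.
    public bool IsCurrent(string user, Guid sessionToken, DateTime nowUtc)
    {
        LoginRecord rec;
        if (!store.TryGetValue(user, out rec) || rec.LoginToken != sessionToken) return false;
        if (nowUtc - rec.LastSeenUtc >= idleTimeout) return false;
        rec.LastSeenUtc = nowUtc;         // keep the login alive
        return true;
    }

    // Explicit logout clears the record so the next login is accepted at once.
    public void Logout(string user, Guid sessionToken)
    {
        LoginRecord rec;
        if (store.TryGetValue(user, out rec) && rec.LoginToken == sessionToken)
            store.TryRemove(user, out rec);
    }
}

public static class Demo
{
    public static void Main()
    {
        var registry = new SingleLoginRegistry(TimeSpan.FromMinutes(20));
        var t0 = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);   // constructed clock

        Guid? first = registry.TryLogin("alice", t0);                   // accepted
        Guid? second = registry.TryLogin("alice", t0.AddMinutes(5));    // rejected: still live
        Console.WriteLine("first={0} second={1}", first.HasValue, second.HasValue);

        // After the idle timeout the stale login is taken over and the old
        // session's token no longer validates.
        Guid? third = registry.TryLogin("alice", t0.AddMinutes(30));
        Console.WriteLine("third={0} oldStillValid={1}",
            third.HasValue, registry.IsCurrent("alice", first.Value, t0.AddMinutes(31)));
    }
}
```

In the web application the login page calls TryLogin and stores the token in the session, every protected page calls IsCurrent with the token from its own session and signs the user out on false, and the logout button calls Logout. Comparing a random per-login token rather than the ASP.NET session id is what lets the "kill the older login" variant in the linked answer work too: the new login simply overwrites the stored token.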
In my application every time a user lands on my website I check that user with its session ID and make an insert (with all the details: IP, browser etc.) into the database if it's a different session ID.
// Session ID for the current request; objDB is the asker's data-access helper.
string sessionId = HttpContext.Current.Session.SessionID;
if (objDB.checkDuplicate("session", "sessionId", sessionId))
{
    // code to make insert in database
}
But when checking the database I am getting multiple inserts from the same IP at the same time.
Can anybody explain why this happens?
NOTE: the SESSION of the user is different, so checkDuplicate() works fine, but how can a user have a different session ID at the same time (or in such a short span of time)?
Most probably it's multiple people sharing the same connection through a router or proxy server.
More reasons (being behind a router/proxy is the most likely one) to have a different session Id for the same IP:
restarting the browser will create a new session Id for the same user (as long as it is set in a session cookie)
opening a separate browsing session (i.e. normal vs. private in IE; depending on configuration and browser, tabs may be treated as separate sessions)
different users on the same computer
Another set of reasons for different session Ids is failure to persist the session cookie between requests:
I think if there are no writes to ASP.NET session state the cookie can be regenerated on every request (need to verify)
cookies could be disabled (rare, but possible)
cookies can be blocked (i.e. lack of a P3P policy for pages/images in an IFrame) or some other policy in the browser
There are valid reasons to get multiple browser windows for the same sessionId for the same user (tabs in the same "browser session", "open in new window/tab" with Ctrl+click). You as site creator have to decide if you want to try to enforce a "single session = single window" policy or deal with potentially multiple windows opened in the same session. There is no reasonable way I know of to detect the case when the same session Id is used in different tabs, especially if you have to support GET requests (otherwise you can put some additional ID into a hidden field).
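The "no writes to session state" case in the answer above is real: with cookie-based session state, ASP.NET does not persist the session id until something is stored in the Session object, so a site that never writes gets a fresh id on every request. As an added example (not the asker's or the answerer's code), a Global.asax that pins the id by writing in Session_Start and records each new session exactly once; the in-memory dictionary is a constructed stand-in for the asker's "session" table, since objDB is not shown on the page.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

// Added example, not from the original post: pin the session id by writing to
// session state as soon as the session starts, then record the session once.
public class Global : HttpApplication
{
    // key: session id, value: first-seen details (constructed substitute for the DB table)
    public static readonly ConcurrentDictionary<string, string> Visits =
        new ConcurrentDictionary<string, string>();

    protected void Session_Start(object sender, EventArgs e)
    {
        // Any write is enough to make ASP.NET keep this session id for the
        // rest of the browser session instead of issuing a new one per request.
        Session["Initialised"] = true;

        string details = Request.UserHostAddress + " | " + Request.UserAgent;

        // TryAdd is atomic, so two simultaneous first requests from the same
        // browser (e.g. a page and its favicon) cannot both insert.
        if (Visits.TryAdd(Session.SessionID, details))
        {
            // objDB insert would go here in the real application
        }
    }
}
```

Requests from different people behind one NAT address will still produce one row each, which is correct: they are different browser sessions. What disappears is the burst of rows from a single browser whose id was never pinned.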
I have an ASP.NET MVC application running on IIS7. I use sessions to keep track of logged in users. There is a session named IsSignedIn. ("true" means this user is currently logged in).
I also have an administration page for my application.
Now, say user1 who is signed in already, must be suspended from using the service immediately. So I want to invalidate the session variables set for user1 from my administration page (this will force the user to sign in again).
Is there a way I can access/modify session variables set by each logged in user from my administration page?
You cannot change a session variable from another session.
One way to solve your problem is to store a list of logged-in users in the Application object, and then change the value in that variable. For this to work you must check at the top of each page that this user is in the list of logged-in users.
As çağdaş commented on this answer, performance would probably be better if you store a list of users you want to log out in your Application variable. Then at the top of your page do something like this (pseudo; this actual code snippet will not work):
var suspended = (HashSet<string>)Application["SuspendedUsers"]; // created in Application_Start
string userId = (string)Session["UserID"];
lock (suspended) // HashSet is not thread-safe and requests run concurrently
{
    if (suspended.Remove(userId)) // true only if this user was on the list
        Session["IsSignedIn"] = false;
}
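The Application-object approach from this answer carried through, as an added example that is not the answer's own code: the suspended-user set with the locking Application state needs (it is shared by every request in the process), an admin-side call, and a sign-out that clears both the session flag and the Forms Authentication cookie. Key name, the `UserID` session key and class names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Added example, not from the answer above: a suspended-user list kept in
// Application state, consumed on the suspended user's next request.
public static class Suspensions
{
    private const string Key = "SuspendedUsers";

    // Call once from Application_Start in global.asax.
    public static void Init(HttpApplicationState app)
    {
        app[Key] = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    }

    // Admin page: mark user1 so that their next request ends their login.
    public static void Suspend(HttpApplicationState app, string userId)
    {
        app.Lock();                                   // Application state is shared by all requests
        try { ((HashSet<string>)app[Key]).Add(userId); }
        finally { app.UnLock(); }
    }

    // Every protected page (or a base page / HttpModule): returns true exactly
    // once per suspension, so the caller signs the user out; the entry is consumed.
    public static bool ConsumeIfSuspended(HttpApplicationState app, string userId)
    {
        app.Lock();
        try { return ((HashSet<string>)app[Key]).Remove(userId); }
        finally { app.UnLock(); }
    }
}

public class SecurePage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        string userId = Session["UserID"] as string;
        if (userId != null && Suspensions.ConsumeIfSuspended(Application, userId))
        {
            Session["IsSignedIn"] = false;
            Session.Abandon();                 // drop the server-side session entirely
            FormsAuthentication.SignOut();     // if Forms Authentication is also in use
            Response.Redirect(FormsAuthentication.LoginUrl);
            return;
        }
        base.OnLoad(e);
    }
}
```

Application state lives in one worker process, so on a web garden or farm the set has to move to the database, which is the route the following answer takes; the consume-once check at the top of each page stays the same either way.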
Where is your session state stored? If it's in SQL server, you should be able to invalidate it by updating the relevant row in the database. The standard session state server, however, doesn't appear to allow this.
Alternatively, check your database at the top of each relevant page to see if the user still has rights/is authenticated.