Comments and Discussions
The session state in any web technology depends on a cookie at the client end to store and resend the session id back and forth between the client browser and the web server.
But ASP.NET also supports cookieless sessions with the following attribute addition in the web.config within the system.web node.
With the above config setting, it carries the session id in the page URL instead of a cookie.
Please take a look at the following two pages' Page_Load method code before we run them in both normal and cookieless mode.
http://www.mindfiresolutions.com/Cookieless-Session-in-ASPNET-562.php
Cheers,
Eliza

Hi Everyone...
I have a problem; maybe this is not really hard and complex, but it needs some trick.
OK then, I will explain the problem:
1. I have fields for username, password and IS_LOGIN *flag*.
2. In the Login Form, the user must input the username & password. Every time a user logs in, it will set the field IS_LOGIN to 1 *this is the flag for single-machine login*, so the user cannot log in again before logging out.
The problem is that because I am using Session Timeout, when the user does not do anything until the session times out, "how do I set IS_LOGIN back to 0 *zero*" before the session times out?
I am using an SP to change the field IS_LOGIN...
I really need help with this issue. Can anybody help me?
Thanks and Regards,
YougyZ

That's the wrong way. The only changes that you need to make to your application in order to use cookieless session and cookieless authorization are the following:
1. In the web.config, set the authentication mode to Forms, set the cookieless attribute of the <forms> element to UseUri, set loginUrl to the URL of your login page, and defaultUrl to your main page or the name of the page where you want to be redirected after logging in (unless you got to the login page by being redirected from a secured page, in which case you will be sent back to the page where you came from), and finally set the sessionState cookieless property to UseUri. All this can be done by simply adding the following lines to the section of your web.config.
```xml
<authentication mode="Forms">
  <forms cookieless="UseUri" loginUrl="login.aspx" defaultUrl="default.aspx" />
</authentication>
<sessionState cookieless="UseUri" />
```
2. In your code you need to modify all your redirects and hyperlinks (unless the hyperlinks are web controls from the .NET FCL; those format the URL automatically for you). This is as easy as calling Response.ApplyAppPathModifier("~/myvirtualurl.aspx") or Page.ResolveClientUrl("~/myvirtualurl"). It is a good practice to always do this even if you're not using cookieless session or authentication, especially when developing controls or reusable code; that way your code will support cookieless session and authorization without modifications by just changing the web.config file.
3. If you implemented forms authentication correctly using cookies, then those are the only changes required to use cookieless session and authentication; that way both the sessionID and the FormsAuthenticationTicket will be encoded in the URL as a folder name. By implementing forms authentication correctly I mean that:
A. you used FormsAuthentication.SetAuthCookie to set the authentication ticket (this method has a very misleading name since it's also used for setting the ticket on the URI when using cookieless authentication),
B. you used FormsAuthentication.SignOut to remove the ticket, and
C. you used the authorization tags in the web.config to configure what kind of users have access to your page; this needs to be done on tags for individual pages and on the tag for all pages that don't have a tag in the web.config.
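As an added example that is not part of this post or of the article's own code: a login/logout code-behind that follows points 2 and 3 above, so it works unchanged whether forms authentication runs with cookies or with cookieless="UseUri". The control names (txtUser, txtPassword, lblError), the page names and the ValidateCredentials helper (backed here by an assumed ASP.NET Membership provider) are assumptions.

```csharp
// Login.aspx.cs (added example; assumes the web.config from the post above)
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(txtUser.Text, txtPassword.Text))
        {
            // Same message for unknown user and wrong password: no account enumeration.
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // RedirectFromLoginPage calls SetAuthCookie internally. With
        // cookieless="UseUri" no cookie is written; the ticket is embedded in the
        // redirect URL as a /(F(...))/ path segment, so one call serves both modes.
        // persistent=false: a "remember me" ticket cannot survive in a URL anyway.
        // ReturnUrl is only honoured inside this application unless
        // enableCrossAppRedirects="true" is set, which limits open-redirect abuse.
        FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Removes the ticket (cookie or URL segment) and drops the server-side
        // state, so the old session id stops working after logout.
        FormsAuthentication.SignOut();
        Session.Abandon();

        // Never hard-code "/login.aspx": ApplyAppPathModifier resolves "~" and
        // inserts the (S(...))/(F(...)) segments only when running cookieless,
        // so this redirect keeps working after a web.config change.
        Response.Redirect(Response.ApplyAppPathModifier("~/login.aspx"));
    }

    // Hypothetical helper: delegates to the configured Membership provider.
    // Replace with your own store, but never compare plaintext passwords.
    private static bool ValidateCredentials(string user, string password)
    {
        return Membership.ValidateUser(user, password);
    }
}
```

Hyperlinks on the pages themselves need no change when they are `asp:HyperLink` controls with `NavigateUrl="~/..."`; only raw `href` strings and `Response.Redirect` calls in your own code have to go through `ApplyAppPathModifier` or `ResolveClientUrl`.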

Why can't I just simply use a session variable to store the info?
On each page PreRender I could easily access that session variable.
Is this insecure?

As I was asking: if you use cookieless, where you put the session id into the URL, you are opening the possibility of session hijacking, as mentioned by dfgdiewocxn. Personally I like playing with those just to see what happens when I do... Will I see another user's cart, or what? It is nice to play with.
Using cookies is not really the best thing either, as you rely on a file that can simply be edited, unless you encrypt your cookies. Again, session user information should never be stored in a cookie; it is just another vulnerability, especially for those who insist on using public computers.
Storing the variables on the server in a session variable is a bit more secure, as long as you do not use the default AuthASPX user for application-level authorization; otherwise it is possible for someone else using that same name on another application running on the same server to gain access rights to see those things you do not want anyone else to see.

What I meant is that if you use regular session, the session id is stored in a cookie. As you know, those can be modified as easily as the querystring, so it's not more or less secure.
Also, for hijacking a session the way that you mentioned, both apps would need to be on the same website, not just the same server, as IIS's website id is also used for matching; besides that you need to guess the session id, which is pretty damn hard.
Fernando L Rodriguez, MCPD

I have a question here. If we keep the session id in the URL, i.e. exposed to users, then I suspect that the user login becomes vulnerable to session hijacking. Any comment on that would be appreciated.

Can anyone please help with how to transfer cookies from one application to another?
But with the following constraints:
The cookie should expire within 5-10 minutes so that no user can access the cookie and change it...
You also need to take care of the fact that one application might have a different system time than the other application's system... So you cannot use application1's system date to set the expiry time...
Also, if possible, the cookie should be encrypted using something like FormsAuthenticationTicket...

Any idea about setting this cookieless thing at runtime? I'd like to serve the response with or without the sessionid embedded in the URL based on the browser's capability to store cookies.

Actually, the default settings in ASP.NET will use cookies if the browser supports it, and go cookieless if it doesn't.

As long as forms authentication is properly implemented.
Fernando L Rodriguez, MCPD

Page refresh in ASP.NET after a few minutes on the basis of user code.

Possible security problem with this code. The problem is when you check to see if the current page is the login.aspx page. Say you have a page secure.aspx at www.website.com/secure.aspx, and when a user goes to this page you check with this code. The user should be redirected if not logged in; however, what if a user does this:
www.website.com/secure.aspx?login.aspx
Would they pass through? The code thinks that the page is the login.aspx page and lets the secure.aspx page load. Am I wrong?

You have login.aspx as part of the request string; the path is not the same thing.
If you were to run a small sample of code from that to get the request path and the request string, you would see that the request path is strictly the path, and the request string is everything after the ?

Great article; however, trace.axd is bugged now, complaining that Session is not valid in this context (in Global.Acq), which is a pity.
Can anyone think of a good workaround?
We thought of putting e.g. a check in glob.acq (if not EndsWith(axd) or something), but that looks a bit ugly.

Would this method work with web farms?

I believe it would. Just make sure you abandon InProc session state handling for ServerState or SQLState.

Well, a session is a cookie in reality, for the book. The server hands the sessionID around, but the difference is the way the cookie works. If there is no path information, it is assumed to be a state cookie and the cookie is never written to disk. The browser actually might not even send that or display it as a cookie; however, it's in the headers as a cookie with no expiration or path.
There are bigger issues with this type of state management with sessions, as they cannot be correctly handled in a load-balanced manner. They will fail unless you set your servers to communicate session state. With high-load servers this extra networking traffic is not a good idea.
Believe it or not, cookies with paths and expirations are most likely the best method to handle large-scale sites without placing more load on the server to place more information on the server.
A session actually sends the session ID around, but the server is responsible for maintaining the information in the session, which now increases your memory usage.
I would take another look at the development docs if I were you.

Hi dear,
I have a main ASP.NET project in my wwwroot directory on the web server. Now I want to create a second ASP.NET project in a subdirectory, for example wwwroot\subdir\, and I also want to add form-based authentication to the second project. As you know, I must make the appropriate changes in the web.config file and place it in the wwwroot\subdir\ directory, because I don't want to change my main project's web.config file. But when I place a web.config file with authentication in the wwwroot\subdir\ directory, my second web application doesn't work properly.
\wwwroot\
    main web application
    main web.config file
\wwwroot\subdir\
    second web application
    second web.config file
Now how can I do this job so that my two web.config files don't conflict with each other?
Thank you in advance.

I have tried using the web.config file below (which is placed in the initial webroot directory of my website) to create a cookieless session.
Unfortunately, even the first page (which uses no "session" variables) seems to require session cookies! Could someone tell me what I am doing wrong? Thanks!
Here is my web.config file:

A good article!
I used to create a sessionid in my SQL Server, and then encrypt it and put it in a cookie or pass it as a URL parameter. It worked fine.
But now I am trying to make my software work more closely with .NET, so I read a lot of articles about .NET session, but I still have no clear idea how to use it. Here are my several questions; I hope someone can point out a way for me.
1. Microsoft provides three ways to maintain session data: InProc, session server and SQL Server. But in my case I have my own session table; I only need a sessionid. I want to use the ASP.NET sessionid, the 120-bit one. I think in this case there is no worry about load balancing; InProc is fine to maintain the sessionid when there are several web servers hooked up by a load balancer. Is that true?
2. We want to support users without cookies, so there is a cookieless setting, but it is a setting in web.config. I think most of the time we will just check if the client side supports cookies and then decide whether we use the cookie way or the cookieless way. How can we do that dynamically?
3. Suppose I use cookieless; the sessionid will be in the URL. I think it is hard to find out what sessionids are currently active, and it is quite safe, just as some people said. But what should I do in this case: I am logged in and browsing a site, and then I want to share one image on the site with someone, so I just send the image link to them, and they can see the image; at the same time, they can just take over my session, since they get the sessionid from the link I sent out. I think this happens a lot. What is your suggestion to deal with it?

wyx2000 wrote:
I am logged in and browsing a site, and then I want to share one image on the site with someone, so I just send the image link to them, and they can see the image; at the same time, they can just take over my session, since they get the sessionid from the link I sent out. I think this happens a lot. What is your suggestion to deal with it?
Here's the solution for the above security issue:
Instead of the following code in your Global_AcquireRequestState:
```csharp
if((string)Session["Authenticated"] != "Name-John")
{
    if(!Request.Path.EndsWith("login.aspx"))
    {
        Response.Redirect("login.aspx");
        Response.End();
    }
}
```
try using the following:
```csharp
// Session["IsAuthenticated"] and Session["ClientIP"] are set by the login page
// after the credentials check. true.Equals(null) is false, so a missing key
// reads as "not logged in" instead of throwing a NullReferenceException.
if(!true.Equals(Session["IsAuthenticated"]))
{
    if(!Request.Path.EndsWith("login.aspx"))
    {
        Response.Redirect("login.aspx");
        Response.End();
    }
}
// The session id alone is not enough: the request must also come from the
// address that logged in, so a leaked URL is rejected from another client.
else if(!Request.UserHostAddress.Equals(Session["ClientIP"]))
{
    if(!Request.Path.EndsWith("InvalidSessionState.aspx"))
    {
        Response.Redirect("InvalidSessionState.aspx");
        Response.End();
    }
}
```
Worked for me!!!
UMAPATHI UTTHAMARAJ,
System Analyst,
Peakpoint Technologies, Inc.
MA USA.
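The same idea as an HttpModule, added here as an example that is not part of the post above or of the article: it binds an authenticated session to the client that created it, so a URL carrying the session id (the shared image link wyx2000 describes, a proxy log, a Referer header) is rejected from any other client, and it does so without throwing on a missing key or on handlers that have no session (static files, trace.axd). The session key names, the InvalidSessionState.aspx page and the use of IP plus User-Agent as the fingerprint are assumptions.

```csharp
// SessionBindingModule.cs (added example). Register it under
// <system.web><httpModules> and call SessionBindingModule.Bind(Context)
// from the login page once the credentials have been verified.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public class SessionBindingModule : IHttpModule
{
    private const string FingerprintKey = "ClientFingerprint"; // assumed key name
    private const string IsAuthKey = "IsAuthenticated";        // assumed key name
    private const string RejectPage = "InvalidSessionState.aspx";

    public void Init(HttpApplication app)
    {
        // Session state is only available from PostAcquireRequestState onwards.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    // Called by the login page: records who this session belongs to.
    public static void Bind(HttpContext ctx)
    {
        ctx.Session[IsAuthKey] = true;
        ctx.Session[FingerprintKey] = Fingerprint(ctx.Request);
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Handlers that do not implement IRequiresSessionState have no Session.
        if (ctx.Session == null) return;

        // Null-safe: a missing key is "not authenticated", never an exception.
        if (!true.Equals(ctx.Session[IsAuthKey])) return;

        string expected = ctx.Session[FingerprintKey] as string;
        if (expected != null && expected == Fingerprint(ctx.Request)) return;

        // Avoid a redirect loop when the reject page itself is being served.
        if (ctx.Request.Path.EndsWith(RejectPage, StringComparison.OrdinalIgnoreCase)) return;

        // Mismatch: the id is being presented by a different client. Dropping the
        // server-side state makes the leaked id useless for everyone, including
        // the original user, who simply logs in again.
        ctx.Session.Clear();
        ctx.Session.Abandon();
        ctx.Response.Redirect(ctx.Response.ApplyAppPathModifier("~/" + RejectPage), true);
    }

    // Hash of client address plus User-Agent. Caveat: users behind a rotating
    // proxy pool or NAT change or share addresses, so expect some false
    // rejections; and never build this from X-Forwarded-For, which the client
    // controls.
    private static string Fingerprint(HttpRequest req)
    {
        string raw = req.UserHostAddress + "|" + (req.UserAgent ?? "");
        using (SHA256 sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(raw)));
        }
    }
}
```

This narrows the window for a leaked URL but does not close it: two clients behind the same proxy with the same browser still share a fingerprint, so it belongs alongside short session timeouts and SSL, not in place of them.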

Hi!
Can you solve this problem?
How do I not lose session variables when switching web applications?
(I have a "FRAME" web application, which does the authentication, menu, and so on.
I wish to have more modules. These modules are optional and I won't install all of them.)
(Possible way 1?)
I have my own SessionHandler wrapper, which can convert Requests into session variables if it is necessary. But it seems to be a strange way (not recommended, I think).
Problem:
I have more frames on the client side.
When I choose from the menu (msiewebcontrols.TreeCtrl), I lose session variables.
I fill up my menu from XML (possible way?), so it is hard to encode the XML at runtime.
So:
what about the same session handling in different web applications?
Agyklon

Don't know what the feeling is here about VB, but I'm stuck with it for the moment.
Anyway, AcquireRequestState doesn't exist in VB.
So I created a little C# project with code which accepts the (VB) HttpApplication and EventHandler and adds it as per your code.
Seems to work perfectly; not much testing yet.
You'd think you should be able to do it directly in VB!
Am I missing something obvious?
Just to say thanks, in case you still look at this.

```vb
Private Sub Global_AcquireRequestState(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AcquireRequestState
    'Your Code Here
End Sub
```

I implemented my security along your guidelines, setting the security mode to None. I'm trying to use HttpContext.Current.User to store a GenericPrincipal object so that I can store a user's name and roles. I can store the object, but when I call Response.Redirect, the object vanishes (HttpContext.Current.User's name and roles become empty). The session is not being abandoned during the page navigation. Why is this happening? If HttpContext.Current.User does not work with "None" authentication, can you tell me where to find an article on cookieless forms authentication?

http://www.codeproject.com/aspnet/cookieless.asp#xx479923xx

Who says that? MS itself has examples of doing it without cookies.

Hi,
could you give some links to these examples?
Thanks a lot.
Maras
P.S. Good article

The problem is that you need to be sure that for every request a parameter will be added to the URL. This parameter is an encrypted cookie. And for every request you need to validate the cookie. It's a lot of work.
More or less, during login you do the following:
```csharp
// Requires: using System.Web.Security;
if (customAuthenticate(tbName.Text, tbPwd.Text))
{
    // Ticket for this user, non-persistent, valid for 20 minutes.
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(tbName.Text, false, 20);
    // Encrypt (and MAC) the ticket with the <machineKey> so it can travel in the URL.
    string strEncrypted = FormsAuthentication.Encrypt(ticket);
    // Where the user was heading (ReturnUrl) or the configured default page.
    string strURL = FormsAuthentication.GetRedirectUrl(tbName.Text, false);
    // Append the ticket as a query-string parameter named after the forms cookie.
    if (strURL.IndexOf("?") == -1)
    {
        strURL += "?" + FormsAuthentication.FormsCookieName + "=" + strEncrypted;
    }
    else
    {
        strURL += "&" + FormsAuthentication.FormsCookieName + "=" + strEncrypted;
    }
    // strURL is only in scope inside this block, so the redirect belongs here.
    Response.Redirect(strURL);
}
```
You can find more here:
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebsecurityformsauthenticationticketclasstopic.asp
http://www.dotnethell.it/articles/article.aspx?ArticleID=56 (Italian)
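The receiving half of that approach, the per-request validation the post says is needed, as an added example that is not part of the post or of the article: an HttpModule that reads the ticket parameter from the query string on every request, rejects expired or tampered tickets, and sets HttpContext.User so that User.Identity.Name and IsInRole work for the rest of the pipeline. It also answers the earlier question about HttpContext.Current.User vanishing after a redirect: that property is per request and has to be rebuilt on each one. The module name and the LookupRoles helper are assumptions.

```csharp
// QueryStringTicketModule.cs (added example). Register under
// <system.web><httpModules>; the ticket parameter name matches what the login
// code above appends (FormsAuthentication.FormsCookieName, ".ASPXAUTH" by default).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class QueryStringTicketModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // AuthenticateRequest runs before authorization, so <authorization>
        // rules in web.config see the principal set here.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string encrypted = ctx.Request.QueryString[FormsAuthentication.FormsCookieName];
        if (string.IsNullOrEmpty(encrypted)) return; // anonymous request

        FormsAuthenticationTicket ticket = Decode(encrypted);
        if (ticket == null) return; // stays anonymous; <deny users="?"> then blocks it

        // Roles come from the server-side store, never from anything in the request.
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), LookupRoles(ticket.Name));
    }

    // Returns null for anything that does not decrypt to a live ticket.
    // FormsAuthentication.Decrypt verifies the MAC under <machineKey>, so a
    // modified or forged value fails here instead of being trusted.
    public static FormsAuthenticationTicket Decode(string encrypted)
    {
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(encrypted);
            if (ticket == null || ticket.Expired) return null;
            return ticket;
        }
        catch (Exception)
        {
            // Garbage, wrong length, or failed validation: treat as no ticket.
            // Any exception type is acceptable here because the only outcome is
            // "unauthenticated"; nothing is swallowed that would grant access.
            return null;
        }
    }

    // Hypothetical helper: read the user's roles from your own user table.
    private static string[] LookupRoles(string userName)
    {
        return new string[0];
    }
}
```

Keep in mind that a ticket in the query string ends up in server logs, browser history and Referer headers, which is the same exposure the thread discusses for the session id in the URL; on ASP.NET 2.0 and later, the built-in cookieless="UseUri" forms authentication described earlier in this thread carries the ticket in the path, handles validation for you and is the better choice.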

Try this in every page's Page_Load:
```csharp
Response.Cache.SetCacheability(HttpCacheability.NoCache);
```

You say try this; try this to accomplish what?
Does this just set the cache to empty? What is really being accomplished by doing what you suggest?
Sefai Tandogan wrote: Try this in every page's Page_Load:
```csharp
Response.Cache.SetCacheability(HttpCacheability.NoCache);
```

Hi, I want to do a little secure site for my own HP so I can put my calendar up and so on.
But the account I have at Brinkster.com doesn't allow the global.asax to be used, and no forms authentication either.
Do you guys know any other way to do a user login for my .NET page?
BTW, good article,
and to hell with those cookies!!!

Hi!
If you've read it, and liked or disliked it, please vote! It is very important for me to know whether all this work was useless or not!
Thanks, and have a nice day!
Sincerely,
Adam (the author)

Adam,
So far this has worked for me... but I never tried accessing files directly, like *.htm or *.pdf, and those files can be accessed without going through any authentication. Is there a way to protect access to files other than aspx files?
Thank you,
Richard

If you want to protect other pages, such as .pdf files, these need to be added to the Application Mappings in the IIS Application Configuration for your web site: IIS -> Web site -> Properties -> Directory -> Configuration -> Mappings. The Executable should be aspnet_isapi.dll, and you can get this from another mapping. You can limit the Verbs to GET, check that the file exists, etc.

You have to specify in machine.config that these file types are also handled by ASP.NET; otherwise IIS just serves them directly.
Vladimirs

Hi, and thanks for your article.
What about "Remember Me" in authentication forms? How can I accomplish that?
Mazy
"If I go crazy then will you still
Call me Superman
If I'm alive and well, will you be
There holding my hand
I'll keep you by my side with
My superhuman might
Kryptonite" (Kryptonite, 3 Doors Down)

Just use the viewstate instead of cookies. Works for me.

How could someone possibly send the same valid viewstate after, like, a day??
Viewstates are only valid for sessions. If you keep the session, then you haven't logged out. If you don't, you lose the viewstate as well...
So, I guess, with this method, it's just not possible...
Sincerely,
Adam

You can send a valid viewstate whenever you like, regardless of session. Viewstate saves changes between the controls on a page and has nothing to do with session. It does append a MAC code to prevent tampering, but as long as you're on the same machine, you can resend the viewstate.

The idea is nice; however, I doubt you will ever see anything like this done in an enterprise environment because of the security implications. If a user were able to get the Session ID of another because it is visible in the QueryString, your security level would be easily compromised. Aside from that, the article was very well written. Good job.
Nick Parker

The session ID is visible, but it is a long, essentially random string. It would take quite a photographic memory to capture it just at a glance.
If you are talking about capturing the session ID via some mechanical process like snooping the wire, then the Cookie: header is just as visible.
All in all, I don't think this approach is any less secure than the cookie variations on form-based security.
--
-Blake (com/bcdev/blake)

I see many enterprise companies using this technique in tandem with a cookie. If you are using SSL then there should be no problem at all. If you are really worried about security then you should be using SSL.
I can grab any cookie data as well if you are not using SSL. In my mind this is just as secure, if not more, because no data is stored on the client for him/her to play with.
- Justin

They say it is not possible to use cookieless forms authentication in .NET. Well it is, and relatively easy to accomplish!
| Field | Value |
| --- | --- |
| Type | Article |
| Licence | |
| First Posted | 24 Aug 2002 |
| Views | 382,791 |
| Downloads | 2,662 |
| Bookmarked | 110 times |