CodeProject: Using a Custom Base Class for Security and Session Management. Free source code and programming help

Announcements

	Windows 7 Comp Win a laptop!
	Monthly Competition

Articles

Desktop Development

Web Development

Enterprise Systems

Content Management Server

Microsoft BizTalk Server

SQL Reporting Services

Platforms, Frameworks & Libraries

Windows Communication Foundation

Windows Presentation Foundation

Windows Workflow Foundation

Cryptography & Security

Threads, Processes & IPC

WinHelp / HTMLHelp

Uncategorised Quick Answers

Graphics / Design

Expression

Usability

Development Lifecycle

Debug Tips

Design and Architecture

Uncategorised Technical Blogs

Services

Code-signing Certificates

Job Board

CodeProject VS2008 Addin

Feature Zones

Product Showcase

Code Signing Resources

WhitePapers / Webcasts

ASP.NET Web Hosting

Advanced Search
Add to IE Search

Discuss

Report

5 votes for this article.

Popularity: 2.45 Rating: 3.50 out of 5

Introduction

One of the requirements of the project I work on is that, "the admin should be able to mark a user as inactive, so the user would not be able to access the application anymore even if he is currently logged in". First, I thought that this would not be possible, but later on, I found this graat article by Robert Boedigheimer, which suggested the use of a custom base class, which brought to me an entire new horizon on how to tackle the two most important parts of writing .NET web based applications - security and memory management.

Using the code

Derive your page from the base class. In the code-behind file, use:

public partial class MyImportantPage : CustomBasePage

Thus, your pages will have all the properties of the System.Web.UI.Page class plus those you have defined in your base class. The second advantage of this class is Session management. Let us assume that you have 1 GB of RAM on your Web server. What would happen if you retrieve a couple of datasets per page (1 MB each)? Your Session expiration time is 30 minutes and the number of on-line users is close to 600 ... Well, with those simulated numbers, with the default settings, the IIS will perform a memory cleaning and throw all the users out ...

In reality, most of the variables set as Session variables do not need to be global, but are page-specific... Somebody might argue to use ViewState for those variables - well, watch the performance after setting a dataset with a 1 MB size ... the ViewState should only be used for small variables. Another option is to use the Cache ... My experience is that the Cache is unreliable - you cannot be 100% sure what the client browser will do to your important objects stored, yet your code rules the server ...

When you would like to set a variable which is to be used globally (e.g., the variable will persist through the time of the current session of the user, even if the user leaves the current page), set the variable like so:

string StrGlobalVariable = Session [ "global.StrGlobalVariable" ];

When you would like to use a variable only in the scope of the page (e.g., the variable will be deleted once the user requests a different page), set the variable as follows:

string StrPageVariable = Session [ base.PageName + ".PageVariable" ] ;

So, here is the code (read the comments carefully):

using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Collections.Generic;
using System.Text;

//SOURCE:http://aspalliance.com/63
//AUTHOR:Robert Boedigheimer
//page life cycle http://msdn.microsoft.com/en-us/library/ms178472.aspx

public class CustomBasePage : System.Web.UI.Page
{
 private string pageName;
#region Properties

    /// <summary>
    /// Each page should "know" its name
    /// </summary>
    public string PageName
    {
        get
        {
            return System.IO.Path.GetFileNameWithoutExtension (
                   System.Web.HttpContext.Current.Request.Url.AbsolutePath );
        } //eof get
        set { pageName = value; } //eof set
    } //eof property MyPageName

    #endregion //Properties


  public CustomBasePage ()
  {
  }

  override protected void OnInit ( EventArgs e )
  {
   base.OnInit ( e );
   #region Introduction
   string msg;
   string baseDir;
   string pageName;
  #endregion //Introduction


 #region Instantiation
  pageName = System.IO.Path.GetFileNameWithoutExtension (
             System.Web.HttpContext.Current.Request.Url.AbsolutePath );

//Utils.Debugger.WriteIf ( pageName + "            OnInit --- Start " );
//ucomment this to debug each page after the login
        //Utils.Debugger.DebugPage ( this.Page );

        
        if (HttpContext.Current.Session != null)
        {

            //Tested and the IsNewSession is more advanced then simply checking if 
            // a cookie is present, it does take into account a session timeout, because 
            // I tested a timeout and it did show as a new session
            if (HttpContext.Current.Session.IsNewSession)
            {
                // If it says it is a new session,
                // but an existing cookie exists, then it must 
                // have timed out (can't use the cookie
                // collection because even on first 
                // request it already contains the cookie (request and response
                // seem to share the collection)
                string szCookieHeader = Request.Headers [ "Cookie" ];
                if (( null != szCookieHeader ) &&
                ( szCookieHeader.IndexOf ( "ASP.NET_SessionId" ) >= 0 ))
                {
                    HttpContext.Current.Session [ "global.msg" ] = 
                        " No action has been performed in " + 
                        "the last 15 minutes, please login again";
                    Response.Redirect ( "~/login.aspx" );
                }
            } //eof if (HttpContext.Current.Session.IsNewSession)
        } //eof is Session is not null 



        //comm - if this is not the login page AND 
        if (Session [ "global.LOGINISOK" ] == null || 
            System.Convert.ToString ( 
            Session [ "global.LOGINISOK" ] ).Equals ( "LOGINISOK" ) == false)
        {
            Utils.Debugger.WriteIf ( Session [ "global.Domain_Name" ] + 
            " redirecting to login page !!!: \n" );
            Session [ "global.msg" ]  = 
            "Welcome to the My Application name ! Please, login first ";
            Response.Redirect ( "~/login.aspx" );

        }
        else   //comm --   
        {
            //comm - clear all session variables , 
            //but the global ones and the ones belonging to this page
    ClearAllNonGlobalSessionsButMine ();
        }
    } //eof OnInit



    /// <summary>
    /// This method relies on the convention practice that the Session keys
    /// would be named as follows:
    /// pageName.variableName - if the Session variable is page specific and 
    /// global.variableName - if the Session variable should be trully global
    /// </summary>
    private void ClearAllNonGlobalSessionsButMine ()
    {
        string fileNameNoExt = System.IO.Path.GetFileNameWithoutExtension (
                 System.Web.HttpContext.Current.Request.Url.AbsolutePath );

        for (int i = 0; i< HttpContext.Current.Session.Count; i++)
        {
            string keyValue = HttpContext.Current.Session.Keys [ i ];
            if (keyValue.Contains ( fileNameNoExt ) || keyValue.Contains ( "global" ))
            { ; }        //do nothing = preserve the value in the session 
            else
            {
              //answers the question: what session
              //variables are deleted during page change
              HttpContext.Current.Session [ HttpContext.Current.Session.Keys [ i ] ] = null;
            } //eof else if it is global or belongs to current page
        } //eof loop 

    } //eof public static void ClearAllButCurrent (string pageName )  

public void ClearAllNonGlobalSessionsAndMine ()
{
string fileNameNoExt = System.IO.Path.GetFileNameWithoutExtension (
                                System.Web.HttpContext.Current.Request.Url.AbsolutePath );

  for (int i = 0; i< HttpContext.Current.Session.Count; i++)
  {
  string keyValue = HttpContext.Current.Session.Keys [ i ];
  if (keyValue.Contains ( "global" ))
  { ; }  //do nothing = preserve the value in the session 
  else
  {
  //answers the question: what session variables are deleted during page change
  HttpContext.Current.Session [ HttpContext.Current.Session.Keys [ i ] ] = null;
} //eof else if it is global or belongs to current page
} //eof loop 

} //eof public static void ClearAllButCurrent (string pageName )  


} //eof BasePageClass

I almost noticed, you wandered what the DebugPage method is. Here it is:

using System;
using System.Text.RegularExpressions;
using System.Data;
using System.Web.UI.WebControls;

namespace Utils
    {
    /// <summary>
    /// Summary description for Utils.Debugger
    /// </summary>
    public class Debugger

public static void DebugPage ( System.Web.UI.Page page )
{

string baseDirLocal = System.Web.HttpContext.Current.Server.MapPath ( "~" );
Regex Remover = new Regex ( @"^.*(\\|\/)(.*)$",
RegexOptions.IgnoreCase | RegexOptions.Compiled );
string bareDir = Remover.Replace (  baseDirLocal , "$2" );


string strToRemoveAtEnd= System.Web.HttpContext.Current.Request.Url.AbsolutePath;
char [] charsToRemoveAtEnd = strToRemoveAtEnd.ToCharArray ();
string baseDir = System.Web.HttpContext.Current.Request.Url.AbsoluteUri;
baseDir = baseDir.TrimEnd ( charsToRemoveAtEnd );
baseDir = baseDir + "/" + bareDir + "/";



WriteIf("The basedir of the project locally is " +  
        "HttpContext.Current.Server.MapPath(\"~/\");" +
        System.Web.HttpContext.Current.Server.MapPath ( "~" ) );

WriteIf ( "The basedir of the project locally is " + 
          "AppDomain.CurrentDomain.BaseDirectory;" + 
          AppDomain.CurrentDomain.BaseDirectory);

WriteIf ( "The virtual path of this page " + 
          "( System.Web.HttpContext.Current.Request.PathInfo) is " + 
          System.Web.HttpContext.Current.Request.PathInfo ) ;

WriteIf ( "System.IO.Path.GetFileName (" + 
          " System.Web.HttpContext.Current.Request.Url.AbsolutePath ) -- " + 
          System.IO.Path.GetFileName ( 
          System.Web.HttpContext.Current.Request.Url.AbsolutePath ) );
WriteIf ( "System.Web.HttpContext.Current.Request.Url.AbsolutePath -- " + 
          System.Web.HttpContext.Current.Request.Url.AbsolutePath );
WriteIf ( "System.Web.HttpContext.Current.Request.Url.AbsoluteUri -- " + 
          System.Web.HttpContext.Current.Request.Url.AbsoluteUri );
WriteIf ( "System.Web.HttpContext.Current.Request.Url.DnsSafeHost -- " + 
          System.Web.HttpContext.Current.Request.Url.DnsSafeHost );
WriteIf ( "System.Web.HttpContext.Current.Request.Url.Fragment -- " + 
          System.Web.HttpContext.Current.Request.Url.Fragment );
WriteIf ( "System.Web.HttpContext.Current.Request.Url.Host -- " + 
          System.Web.HttpContext.Current.Request.Url.Host ) ; 
WriteIf ( "System.Web.HttpContext.Current.Request.Url.HostNameType -- " + 
          System.Web.HttpContext.Current.Request.Url.HostNameType ) ;
WriteIf ( "System.Web.HttpContext.Current.Request.Url.LocalPath -- " + 
          System.Web.HttpContext.Current.Request.Url.LocalPath ) ;
WriteIf ( "System.Web.HttpContext.Current.Request.Url.OriginalString -- " + 
          System.Web.HttpContext.Current.Request.Url.OriginalString ) ;
WriteIf ( "System.Web.HttpContext.Current.Request.Url.PathAndQuery -- " + 
          System.Web.HttpContext.Current.Request.Url.PathAndQuery ) ;
WriteIf ( "System.Web.HttpContext.Current.Request.Url.Scheme -- " + 
          System.Web.HttpContext.Current.Request.Url.Scheme ) ;
WriteIf ( "System.Web.HttpContext.Current.Request.Url.Segments.ToString () -- " + 
          System.Web.HttpContext.Current.Request.Url.Segments.ToString () );
WriteIf ( "System.Web.HttpContext.Current.Request.Url.UserInfo -- " + 
          System.Web.HttpContext.Current.Request.Url.UserInfo );
WriteIf ( "System.Web.HttpContext.Current.Request.ServerVariables[ \"HTTP_COOKIE\" ] is " + 
          System.Web.HttpContext.Current.Request.ServerVariables [ "HTTP_COOKIE" ] );

} //eof DebugPage

        public static void WriteIf ( string msg )
        {
  System.Diagnostics.Debug.WriteIf ( System.Convert.ToBoolean
    ( System.Configuration.ConfigurationSettings.AppSettings [ "Debugging" ] ) ,
  DateTime.Now.ToString ( "yyyy:MM:dd -- hh:mm:ss.fff --- " ) + msg + "\n" );
        }
} //eof class Debugger 
} //eof namespace  Utils

Points of interest

If you have carefully read the code, now you know where to put your code for implementing the requirement I presented above. If you are still having difficulties figuring out, put a comment below, and I will spare more time for writing an article about it ...

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

yordan_georgiev

Member

I work in OXIT - a small IT consulting company, which has participated in the building of the most sophisticated IT Systems for several big Finnish and international companies (including Fortune 500 members) and continues to provide highly sophisticated IT Solutions to its customers.

I enjoy designing and implementing software or small scripts in different programming languages.

I am fascinated by the magic of software, which has the power to change the world.

Occupation:	Web Developer
Company:	Oxit Oy
Location:	Finland

Other popular ASP.NET articles:

Multiple File Upload With Progress Bar Using Flash and ASP.NET
How to use Flash to upload multiple files in a medium-trust hosting environment
CAPTCHA Image
Using CAPTCHA images to prevent automated form submission.
Exploring Session in ASP.Net
This article describe about session in ASP.Net 2.0 . Different Types of Session , There Configuration . Also describe Session on Web Farm , Load balancer , web garden etc.
10 ASP.NET Performance and Scalability Secrets
10 easy ways to make ASP.NET and AJAX websites faster, more scalable and support more traffic at lower cost
Paging of Large Resultsets in ASP.NET
An article about optimization and performance testing of MS SQL Server 2000 stored procedures used for paging of large resultsets in ASP.NET

Article Top

You must Sign In to use this message board.

FAQ
Noise Tolerance Layout Per page

Msgs 1 to 17 of 17 (Total in Forum: 17) (Refresh)

FirstPrevNext

How to open web page with several tabs in browser using sap.net 2.0

gunasundari

0:14 31 Oct '09

Hi, I need, how to open a same webpage url with paramerters to multiple tabs and for this how to handle session programattically using asp.net 2.0.. Thanks, Guna Sundari.
Sign In·View Thread·PermaLink

Thank You (and one small request)

forCryingOutLoud

12:10 21 May '09

First, thank you for an absolutely fantastic article! However, I am just getting started in programming, and need to do this in classic ASP without .NET code-behind type stuff. I think it should still run on my IIS server, which has .NET installed, but as in-line VBScript, right? Do I keep the "public" and all other code the same? Thanks so much, Paul
Sign In·View Thread·PermaLink

Re: Thank You (and one small request)

yordan_georgiev

15:30 21 May '09

Sorry cannot help you - do not have classic ASP experience ... my advice - this is the wrong article if you are dealing with classic ASP. It is one thing to know what to want, second to really want it, third to know how to do it, fourth to be skillful to do it, fifth to actually do it and last but not least to not regret after doing it
Sign In·View Thread·PermaLink

Method for testing for timed out session is incomplete

ccady

10:55 19 Nov '08

The code above to test for whether a session is timed out is the same as what we use. We just recently found a bug in it. The problem is that you may have 2 applications on the same server. So if you are logged into the first application [http://example.com/] and then navigate to the other application [http://example.com/membersonly/] IsNewSession will be true, and you will have a cookie with "ASP.NET_SessionId" in it, so the code above will think that you've timed out, even though that is not really the case.

We've not solved the problem in a nice way yet. If we do, we'll post here. (We have a nasty, custom solution, involving setting our own special cookies all the time.) The code above works fine if you do not have multiple applications on your server.

5.00/5 (1 vote)

Re: Method for testing for timed out session is incomplete

yordan_georgiev

2:31 20 Nov '08

Thanks for the comment !!! I have not really stumble upon that even that we use also different versions of the application on different virtual folders ... It depends also pretty much also what happens on your Login / logout page(s) ... Could you specify a bit what you mean by two applications ... I would suggest to use some kind of labeling in the Session collection such as this "global.global variable" so that if app1 you would go trough "app1.global.globalVariables" and in app2 "app2.global.globalVariables" ... thus you would have to implement the logic that app2 trusts app1 and not vice versa ... I am really just shooting in the dark here ... Anyway as you pointed out for such an requirement it probably will not work ... Please give us a hint of what your solution is going to be ...

It is one thing to know what to want, second to really want it, third to know how to do it, fourth to be skillful to do it, fifth to actually do it and last but not least to not regret after doing it

multiple tabs

dbwinger

3:20 23 Jun '08

This will work most of the time, except when a user has multiple pages from your application open with only one session. For example:

What if a user navigates to the same page on two (or more) tabs in the same browser. The user shares the same session on both pages. If the user navigates away to a different page (still in your application) on one of the tabs, the session values specific to the first page will be cleared, and the other tab which is still on that page will not have the session values it expects to have. I've struggle with this problem and haven't found a way to store page-specific values in Session and safely clean them up before the user's Session ends.

5.00/5 (1 vote)

Re: multiple tabs

Mike Ellison

4:07 23 Jun '08

dbwinger wrote:
What if a user navigates to the same page on two (or more) tabs in the same browser. The user shares the same session on both pages. If the user navigates away to a different page (still in your application) on one of the tabs, the session values specific to the first page will be cleared, and the other tab which is still on that page will not have the session values it expects to have.

Okay, what about an architecture that uses an attribute to mark pages, something like UsesSessionVariable, like this:


[UsesSessionVariable("SomeSessionName")]
partial class MyPage
{
  ...
}

So if two pages share the same variables, they could be marked with the same attribute?

Re: multiple tabs

dbwinger

4:12 23 Jun '08

Mike Ellison wrote:
So if two pages share the same variables, they could be marked with the same attribute?

Actually, the situation I mentioned comes up because of having the same page open twice (such as with a browser tabs). When you leave one "instance" of the page, it will clear the session values used by that page. But the other "instance" is left still on the first page, for which session values have now been cleared. If we now postback on the second instance, and it expects page-specific session variables to be there, they won't.

If you use session in this way, it should work just fine as long as users know they're not allowed to have your application open in multiple tabs of the same browser - thereby sharing the same session.

Re: multiple tabs

yordan_georgiev

21:52 25 Jun '08

Hi,

Another idea ( compromise ) might be to put a small list (stack ) with the last 3 ( n amount ) of opened pages for this user ... -- so delete those variables which do not belong to the latest 3 ( n amount of pages )

It is one thing to know what to want, second to really want it, third to know how to do it, fourth to be skillful to do it, fifth to actually do it and last but not least to not regret after doing it

Re: multiple tabs

dbwinger

3:13 26 Jun '08

I don't think that's much of a help. In my previous example, say the user navigates from the first "instance" of the page to 3 new pages, then the session values for the first page are still erased. Then the user goes back and tries to do something on the other "instance" of the first page and there's problems. Depending how the user is using your web site, this compromise might not really add any value.

Re: multiple tabs [modified]

yordan_georgiev

8:58 23 Jun '08

Hi,

You are absolutely correct. Usually for most of the users one tab is enough. In order to prevent this from happening there should be some JavaScript AJAX solution, I 've read once something about ... but never bothered to implement it ... if a more clever person knows how ... let him speak Wink

Anyway I quess JavaScript , AJAX cookie reader , which "knows" the current page and "knows" the current session id should pass the info to this BaseClass ... - this might be the first shooting in the dark for a beginning ...

modified on Thursday, May 21, 2009 8:32 PM

Re: multiple tabs

star65225692

0:57 24 Jun '08

good~~ http://www.netcsharp.cn/forumindex.aspx[^]
Sign In·View Thread·PermaLink

A different type of though.

Rajib Ahmed

7:28 22 Jun '08

Nice article. Rajib Ahmed ProgTalk - Share your articles, opinion, and thoughts.
Sign In·View Thread·PermaLink

How about an HttpModule?

Mike Ellison

5:56 22 Jun '08

I wonder if you couldn't accomplish the same thing in an HttpModule, rather than a custom base page? I'm thinking for cases in which you are already inheriting from a custom base page.
Sign In·View Thread·PermaLink

Re: How about an HttpModule? [modified]

yordan_georgiev

20:59 22 Jun '08

Hi,

Thanks for reply ...

Yep, this is rather an unorthodox way ... I guess the same functionalities can be implemented with HttpModule also:
http://www.codeproject.com/KB/aspnet/SessionEndStatePersister.aspx[^]

HttpModule approach might be better also for server farm environment ...

I guess the real benefit of this type of "non-standard" solutions is the security - "non-standard" , when well implemented is harder to hack ...

If this is "well implemented " of course depends on your comments ; )

Yet the feature of "global" and "page" specifig variables with Memory cleaning cannot be implemented with the HttpModule - if somebody argues the opposite , please let him show the solution ...

modified on Monday, June 23, 2008 2:05 AM

Re: How about an HttpModule?

Mike Ellison

4:11 23 Jun '08

yordan_georgiev wrote:
Yet the feature of "global" and "page" specifig variables with Memory cleaning cannot be implemented with the HttpModule - if somebody argues the opposite , please let him show the solution ...

I'm not sure why it couldn't work in an HttpModule. You would be using HttpContext.Current.Session to get to the current user's session, right? Why couldn't that be done in a module?

Re: How about an HttpModule?

yordan_georgiev

21:29 23 Jun '08

Uff ... Correct. I have not tried it .. yet. If you figure out exactly how please share the solution !
Sign In·View Thread·PermaLink

Last Visit: 2:27 21 Nov '09 Last Update: 2:27 21 Nov '09

General News Question Answer Joke Rant Admin

PermaLink | Privacy | Terms of Use
Last Updated: 21 Jun 2008
Editor: Smitha Vijayan