Hi,

I am using the session for both my pre-login and post-login pages like below:

// Login Page Code..

protected void Page_Load(object sender, EventArgs e)
{
    // Pre-login: any visitor without an identity is treated as a guest.
    if (string.IsNullOrEmpty(Convert.ToString(Session["LoginId"])))
        Session["LoginId"] = "Guest";
}

protected void btnLogin_Click(object sender, EventArgs e)
{
    // The same session (and the same session ID) is reused after authentication.
    Session["LoginId"] = "SomeUserId";
    Response.Redirect("PostloginPageURL");
}

// Post login Page Code..

protected void Page_Load(object sender, EventArgs e)
{
    if (!string.Equals(Convert.ToString(Session["LoginId"]), "SomeUserId"))
    {
        Response.Redirect("loginPageURL");
    }
    else
    {
        // Fetch some code...
    }
}

Above, as you can see, I am using the same session to manage both my pre-login and post-login pages. This may lead to session hijacking by using the session ID.

So after a long search I came to the conclusion that one needs to change the sessionId, because both the pre-login and post-login sessions have the same sessionId.

Again, after some searching, I got the code for creating a new sessionId as below:

protected void btnLogin_Click(object sender, EventArgs e)
{
    Session.Abandon();
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
    Session["LoginId"] = "SomeUserId";
}

The above code is successful in generating a new sessionId.
But I am unable to retrieve my saved value, i.e. I am unable to get the value of the session on the other page.

I tried all of the below:

Removed Session.Abandon(); and checked ---> FAILED
Tried Response.Redirect("MyUrl", false) ---> FAILED
Tried Server.Transfer("MyUrl") ---> FAILED

Valid answers are appreciated.

Thank you.
Posted 15-Sep-11 0:18am
Comments
Sazzad Hossain 7-Oct-11 6:09am
Could you please explain why you would keep the current user id in the session? If you do forms authentication then HttpContext.User will hold the user id anyway. That way you will not have to care about the current session. When anyone signs out, you can just call Session.Clear.

Solution 3

This will regenerate your session ID while keeping the session data intact :) Try it out!

using System.Reflection;
using System.Web;
using System.Web.SessionState;

void RegenerateId()
{
    // Issue a new session ID and write it to the response cookie.
    var manager = new SessionIDManager();
    string oldId = manager.GetSessionID(Context);
    string newId = manager.CreateSessionID(Context);
    bool isAdd, isRedir;
    manager.SaveSessionID(Context, newId, out isRedir, out isAdd);

    // Reach into SessionStateModule's private per-request state so the current
    // session data is persisted under the new ID at the end of this request.
    var ctx = HttpContext.Current.ApplicationInstance;
    HttpModuleCollection mods = ctx.Modules;
    var ssm = (SessionStateModule)mods.Get("Session");
    var fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
    SessionStateStoreProviderBase store = null;
    FieldInfo rqIdField = null;
    FieldInfo rqLockIdField = null;
    FieldInfo rqStateNotFoundField = null;
    foreach (var field in fields)
    {
        if (field.Name.Equals("_store")) store = (SessionStateStoreProviderBase)field.GetValue(ssm);
        if (field.Name.Equals("_rqId")) rqIdField = field;
        if (field.Name.Equals("_rqLockId")) rqLockIdField = field;
        if (field.Name.Equals("_rqSessionStateNotFound")) rqStateNotFoundField = field;
    }

    // Release the exclusive lock held on the old item, then mark the state as
    // "not found" so the module creates a new item under newId instead of
    // updating the old one.
    object lockId = rqLockIdField.GetValue(ssm);
    if ((lockId != null) && (oldId != null)) store.ReleaseItemExclusive(Context, oldId, lockId);
    rqStateNotFoundField.SetValue(ssm, true);
    rqIdField.SetValue(ssm, newId);
}
Comments
Md. Rashim uddin 16-Sep-11 5:58am
This might work... Good work.
senthilkumar 79 18-Feb-15 8:00am
It works. Thanks.

Solution 1

Please have a look at that [^]
Comments
Muthukumar Nadar 15-Sep-11 9:08am
Thank you for putting your valuable time into helping me...

I successfully changed the session id. But what I need is this: after changing the session id I am setting a value in that session. While setting it, it gets set. But when I post back the page, the session value is lost.

Solution 2

Hi

You are using some wrong code.

To my knowledge you cannot both abandon the session and invoke session variables in the same request, because the request is processed based on the sessionID (I hope you know this). That's why we cannot access that session variable after that request, even though we assign it in that same request.

But you can do it in different requests, like:

first abandon the session in one page, then redirect to another page;
in that page you can invoke your session with another sessionID for post-login users.
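Solution 2's two-request sequence, as an added example that is not code from any answer on this page: the login request abandons the pre-login session and hands the identity to the next request in a forms-authentication ticket (the approach Sazzad Hossain's comment points at), and the post-login page writes into the freshly issued session. The page names, controls and ValidateCredentials helper are assumptions; forms authentication is assumed to be enabled in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Login.aspx.cs (assumed page name): request 1 of the two-request sequence.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // ValidateCredentials is an assumed helper, not on the page; use the real credential check here.
        if (!ValidateCredentials(txtUser.Text, txtPassword.Text))
            return;

        // Drop the anonymous session and its cookie so the pre-login session ID does not survive
        // the privilege boundary. Nothing is written to Session in this request: it is still bound
        // to the old ID, so a value set now would be lost (the behaviour the question describes).
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "") { Expires = DateTime.UtcNow.AddDays(-1) });

        // Carry the authenticated identity to the next request in the forms-authentication
        // ticket (signed and encrypted by the framework), not in the session.
        FormsAuthentication.SetAuthCookie(txtUser.Text, createPersistentCookie: false);
        Response.Redirect("~/Home.aspx", endResponse: false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Home.aspx.cs (assumed page name): request 2 runs under a newly issued session ID.
public partial class Home : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // First request under the new session: populate it from the ticket, never from
        // anything the client can choose (query string, form field).
        if (Session["LoginId"] == null)
            Session["LoginId"] = User.Identity.Name;
    }
}
```

The new ASP.NET_SessionId cookie is issued on the Home.aspx request because that is the first request that stores data in the new session.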
Comments
Muthukumar Nadar 15-Sep-11 9:10am
Thank you for putting your valuable time into helping me...

You are right about the concept.

But is there any way of managing these things?
Can you help me out by giving some tips on how I can overcome session hijacking?
Muthukumar Nadar 15-Sep-11 9:20am
You must have seen the things which I tried.
I also removed Session.Abandon() and just changed the session id. Even then the value in the session is not saved.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 16 Sep 2011 | Copyright © CodeProject, 1999-2016