I have an ASP login page connected to a SQL database. The user logs in based on information matching the SQL table. I have also got a session functioning. I am in the very early days of my project. So after I log the user in they are redirected to a Dashboard page and I can display their user ID, which was assigned to the session. The next step is I want to display other attributes from the database table like name and age etc.

So this is the code I have on the login page:

ASP.NET
protected void Button1_Click(object sender, EventArgs e)
{
    try
    {
        string uid = TextBox1.Text;
        string pass = TextBox2.Text;

        myCon.Open();
        string qry = "select userId from users where userId='" + uid + "' and Password='" + pass + "'";
        SqlCommand cmd = new SqlCommand(qry, myCon);
        SqlDataReader sdr = cmd.ExecuteReader();
        if (sdr.Read())
        {
            Session["userId"] = uid.Trim();
            Response.Redirect("Dashboard.aspx");
        }
        else
        {
            Label4.Text = "UserId & Password Is not correct Try again..!!";
        }
        myCon.Close();
    }
    catch(Exception ex){
        Response.Write(ex.Message);
    }
}


On the dashboard page I have the following:

ASP.NET
protected void Page_Load(object sender, EventArgs e)
{
    if (Session["userId"] == null)
        Response.Redirect("Login.aspx");
    SessionLabel.Text = "Username : " + Session["userId"];
}

protected void ButtonLogout_Click(object sender, EventArgs e)
{
    Session.Abandon();
    Response.Redirect("Login.aspx");
}


Can I pass multiple attributes to the session ID? I don't want to open another SQL connection on the dashboard page. Can anyone help me with the code? I would like to show the user's email and full name on the dashboard.



thanks

G

What I have tried:

I have tried to pass more than one argument to the session but it doesn't work.
Updated 19-Mar-24 6:54am
Comments
Richard Deeming 19-Mar-24 11:36am    
You have much bigger problems to address before getting to this!

Firstly, your code is vulnerable to SQL Injection. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
Richard Deeming 19-Mar-24 11:37am    
Secondly, you are storing your users' passwords in plain text. Don't do that!

Store a salted hash of the password, using a unique salt per record, and using multiple iterations of a cryptographically-secure one-way hash algorithm.

Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
Richard Deeming 19-Mar-24 11:39am    
But you need to ask yourself why you are re-inventing the wheel.

ASP.NET has several perfectly good authentication systems built-in - for example, ASP.NET Identity

Use that instead, and save yourself a lot of work, and a massive fine if your horribly-insecure code ever makes it to a production site.
Richard Deeming 19-Mar-24 11:50am    
Oh, and some lower-impact issues like:

* Don't store database connection objects in class-level fields; instead, create them when required, and dispose of them as soon as you're finished with them.

* Wrap disposable objects like connections, commands, and data readers in using (...) { ... } blocks to ensure they're always disposed of properly.

* Stop accepting the automatic IDs assigned by the Visual Studio designer, and start giving your controls meaningful IDs. Sure, you might remember what TextBox42 represents now; but when you come back to this code in six months time, you'll be cursing yourself for not taking the time to give the controls meaningful IDs.
Member 11478798 19-Mar-24 11:53am    
thank you Richard i will secure as advised
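The comments above ask for three changes to the login handler: a parameterized query, a salted iterated password hash instead of plain text, and `using` blocks around the connection, command and reader. The following is an added example of all three together; it is not the original poster's code or any of the linked articles' code. Assumed names (none appear in the question): a connection string called "AppDb" in web.config; a Users table with columns UserId NVARCHAR(64), PasswordHash VARBINARY(32), PasswordSalt VARBINARY(16) and Iterations INT; and controls named UserIdTextBox, PasswordTextBox and MessageLabel. It targets .NET Framework 4.7.2 or later, which is where the Rfc2898DeriveBytes overload taking a HashAlgorithmName appears.

```csharp
// Added example (not the original poster's code). Assumed names: "AppDb"
// connection string; Users(UserId, PasswordHash, PasswordSalt, Iterations);
// controls UserIdTextBox, PasswordTextBox, MessageLabel. .NET Framework 4.7.2+.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public partial class Login : System.Web.UI.Page
{
    private const int SaltSize = 16;            // random bytes of salt per user
    private const int HashSize = 32;            // PBKDF2-HMAC-SHA256 output length
    private const int DefaultIterations = 100000;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userId = UserIdTextBox.Text.Trim();
        string password = PasswordTextBox.Text;

        byte[] storedHash = null, storedSalt = null;
        int iterations = 0;

        // Connection, command and reader are created here and disposed by the
        // using blocks whether or not an exception is thrown.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash, PasswordSalt, Iterations FROM Users WHERE UserId = @userId", con))
        {
            // The user ID travels as a typed parameter, never as part of the SQL
            // text, so input such as  x' OR '1'='1  cannot change the query.
            cmd.Parameters.Add("@userId", SqlDbType.NVarChar, 64).Value = userId;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (reader.Read())
                {
                    storedHash = (byte[])reader["PasswordHash"];
                    storedSalt = (byte[])reader["PasswordSalt"];
                    iterations = (int)reader["Iterations"];
                }
            }
        }

        bool ok = false;
        if (storedHash != null)
        {
            ok = VerifyPassword(password, storedSalt, iterations, storedHash);
        }
        else
        {
            // Unknown user: run the KDF anyway so the response time does not
            // reveal which user IDs exist.
            VerifyPassword(password, new byte[SaltSize], DefaultIterations, new byte[HashSize]);
        }

        if (ok)
        {
            Session["userId"] = userId;
            Response.Redirect("Dashboard.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // One generic message for both "no such user" and "wrong password".
        MessageLabel.Text = "User ID or password is not correct. Try again.";
    }

    // For registration or password change: a fresh random salt per record and
    // a slow, iterated one-way function.
    public static void HashPassword(string password, out byte[] salt, out byte[] hash, out int iterations)
    {
        salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        iterations = DefaultIterations;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            hash = kdf.GetBytes(HashSize);
        }
    }

    public static bool VerifyPassword(string password, byte[] salt, int iterations, byte[] expectedHash)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return FixedTimeEquals(kdf.GetBytes(expectedHash.Length), expectedHash);
        }
    }

    // Compares every byte regardless of where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two further differences from the posted handler: the `catch` that writes `ex.Message` into the response is gone, because a SQL error message can reveal table names and connection details, so errors are left to the application's customErrors page; and the Iterations column is stored per record so the cost can be raised for new passwords later without invalidating old ones.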

1 solution

Yes, you can use Newtonsoft.JsonSerializer. Json.NET - Newtonsoft

Bind your data to one object instance (i.e. LoginDataModel), and serialize it to a JSON string:
using Newtonsoft.Json;

// Model holding whatever you want to keep for the logged-in user.
public class LoginDataModel { public string Username { get; set; } public string Division { get; set; } }

LoginDataModel dataSession = new LoginDataModel();
dataSession.Username = "blacky";
dataSession.Division = "Internal";
string output = JsonConvert.SerializeObject(dataSession);

Session["userId"] = output;



When you want to use the session value, first get the string, and then deserialize it to the object model (i.e. LoginDataModel).
 
Comments
Richard Deeming 20-Mar-24 5:12am    
For .NET Framework applications (which this appears to be*), that's not necessary. You can store any serializable object directly in the session, without having to worry about converting to and from a string.

(* This looks like WebForms code, and I'm assuming the OP isn't using the CoreWebForms preview project to run it on .NET Core.)
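The solution above stores the extra attributes as a JSON string, and the comment on it points out that on .NET Framework a serializable object can go into Session directly. The following is an added example of that direct approach, covering both the storing side and the dashboard side of the question; it is not code from the question, the answer or any linked project. Assumptions: .NET Framework WebForms; the login query selects FullName and Email alongside UserId; the dashboard has controls named SessionLabel, NameLabel, EmailLabel and LogoutButton.

```csharp
// Added example (not from the question or the answer). Assumes WebForms on
// .NET Framework, a login query that also returns FullName and Email, and
// dashboard controls SessionLabel, NameLabel, EmailLabel, LogoutButton.
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// [Serializable] is not required by the default InProc session mode, but it
// is required if the site later moves to StateServer or SQLServer session state.
[Serializable]
public class UserSession
{
    public const string SessionKey = "CurrentUser";

    public string UserId { get; set; }
    public string FullName { get; set; }
    public string Email { get; set; }

    // On the login page, after the password check succeeds and while the
    // reader is still open:  Session[UserSession.SessionKey] = UserSession.FromReader(reader);
    // One query on login, nothing to reopen on the dashboard.
    public static UserSession FromReader(SqlDataReader reader)
    {
        return new UserSession
        {
            UserId = (string)reader["UserId"],
            FullName = reader["FullName"] as string,   // null if the column is NULL
            Email = reader["Email"] as string,
        };
    }
}

public partial class Dashboard : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var user = Session[UserSession.SessionKey] as UserSession;
        if (user == null)
        {
            // endResponse:false plus CompleteRequest avoids the ThreadAbortException
            // that Response.Redirect(url) throws; the explicit return stops the
            // handler, which the original Page_Load relied on that exception to do.
            Response.Redirect("Login.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Label.Text is rendered as-is, so encode values that came from the
        // database before putting them in the page.
        SessionLabel.Text = "Username: " + HttpUtility.HtmlEncode(user.UserId);
        NameLabel.Text = HttpUtility.HtmlEncode(user.FullName);
        EmailLabel.Text = HttpUtility.HtmlEncode(user.Email);
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        Session.Clear();
        Session.Abandon();
        // Abandon alone leaves the ASP.NET_SessionId cookie in the browser, and
        // by default ASP.NET accepts that ID for the next session; expire it too.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
        Response.Redirect("Login.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Keep the object small: anything the user is allowed to change (name, email) should be re-read from the database when it is edited, and anything security-sensitive, such as the password hash, should never be copied into session at all.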

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)