ASP.Net [2.0] - SessionID

[Rob Meade]

Hi all,

I've just put some code together (cobbled is a phrase I like to use) - to
handle a secure login to a web based application.

It's not exactly rocket science, a session is created, its ID and user ID
are written to the database, each page that requires authentication checks
to see if there is a current identity (ie a session already) and if so then
tries to match that to the one in the database - if everythings ok - great -
more on - if not - redirect to the login page.

Now - here's the thing...

I was expecting the Session.SessionID to be unique, not only when a new
window is opened, but if the current session is killed off (using
Session.Clear / Session.Abandon) - however - it doesn't appear to be -
therefore its not entirely impossible to get logged back in when the details
match etc..

For example - I log in...my Session.SessionID in browser 1 is :
k2xmyl3fwinxrh45hyp30qbk

I open a second browser and login and my Session.SessionID in browser 2 is:
hqbzk4555ivl2ez0nlophy55

Both of these have been written to my database with my user ID (1), now,
when I then hit the database and change the UserID to 2 (ie, causing a no
match) I'm prompt to log in (because the UserID / Session.SessionID didn't
match) - but when I log in again I am given the same Session.SessionID as I
had originally?!

Can anyone advise as to whether it's possible to generate a new
Session.SessionID - as I said I was expecting this to have happened
automatically having used "Abandon" etc when logging out, or when there is
no match (I have a little Session killing off function etc)..

Any help would be most appreciated,

Regards

Rob

 

[clintonG]

What a waste of time. ASP.NET 2.0 manages logins using Membership, Roles,
and Profiles. Spend more time with the documentation Rob.

<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/

 

[Ray Booysen]

Hi Clinton

Each to their own. There might be a solution built in but not to
everyone's taste. Have you tried using the built-in profiles system to
perform queries on thousands of users without retrieving every user?
Its not fun.

 

[Brock Allen]

Each to their own. There might be a solution built in but not to

everyone's taste. Have you tried using the built-in profiles system
to perform queries on thousands of users without retrieving every
user? Its not fun.

I think your complaint here is the storage format the default profile provider
uses. You should consider using a different provider (or write your own)
to store the data the way you'd prefer it. Google for "Table Profile Provider"
for a sample.

 

[Ray Booysen]

I realise, I was merely pointing out that a solution to one person
doesn't mean its a solution to everyone. Calling someone's work a waste
of time because he/she wanted to manage the login details themselves
isn't the way to handle that sort of question.

 

[Rob Meade]

...

Calling someone's work a waste of time because he/she wanted to manage the
login details themselves isn't the way to handle that sort of question.

Thank you.

For what's it worth - I've not read "the" documentation for .net 2.0,
neither did I for 1.1 or 1.0 - instead I just refer to parts of it when I
get stuck, but more often than not find myself asking a question in a group
like this first because typically there's a really wide audience level for
these groups, and you'll often get more than one suggestion on how to
resolve the problem - I find that useful to see other ideas so that I can
either use one of them, or bits from each or whatever - it helps me learn.

Being new to .net 2.0 I would even have known about a login/profile
thingy-ma-jig in it anyway - so unless I stumbled over some review of it I'm
unlikely to have found it.

Since posting, I've found that it seems better to use a generated GUID than
the Session.SessionID - something that would have been helpful to have known
previously, but I found an article online that mentions that the
Session.SessionID wasn't unique - that was basically the answer to my
question.

On using pre-built functionality - if I always use other people work, code,
examples etc I'll never really learn how to do those bits of the code
myself, whilst I appreciate it can save time, this could be wasted in the
future if it all goes, tits up and I spend 3 weeks trying to figure out
whats happening. I dont suppose anyone has ever written anything that's one
hundred percent perfect, with no vulnerabilities etc.

Thanks to all for the replies, nice to see a conversation spin out of my
thread if little else )

Regards

Rob

 

[clintonG]

Rob et. al., another point to be cognizant of is how many of us seem to be
carrying across our thought processes when "scripting" was the way we
developed web applications. Now that is not to say the use of the framework
classes may not do things the same way from time to time but the
implementations are abstracted away from us leaving the developer to be more
productive. Less time is wasted on rudimentary building blocks. Time after
all is of the essence is it not?

It seems to me there are two types of web development behavior models. There
is the "think-do-think" and there is the "do-think-do." Rob "confesses" a
preference for the do-think-do. Don't we all from time to time? Which is
best is always a contextual issue though ainna?

As for me, I vacilate from one to the other like anybody else but after all
is said and done I am left with one simple question. "Do I want to waste my
time doing things my way, the way I think they should be or could be done or
do I want to learn from others who have come before me to adopt what have
come to be called "best practices?"

And yes, Ray, I have tried using the built-in profiles system to perform
queries which is why I thank Brock -- again -- for bringing the search term
"Table Profile Provider" to your attention the same way he did for me just
last week Ray. The same way I brought the search terms "Membership, Roles,
and Profiles" to the attention of Rob so he doesn't have to waste his time
anymore.

--
<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/

 

[Yanis]

Hi Rob, hey I have the exact same problem, so how does this GUID works? can you post some eg code please?
Thanks a lot.