Recycling of sessionID in ASP.NET 2.0

Guest

When a new request is made to the server a new session id is issued to the
client (a browser instance). The problem I'm facing is that a session id that
is already assigned to a browser instance is getting recycled for another
browser instance by ASP.NET. When the client request is sent to the HTTP
server, the available session ids (that are already present in the pool) are
recycled from the session pool along with the authentication cookie. Again
when a new request is made, the available session id is passed on to the
client, causing a mix-up of sessions.

The forms authentication ticket (cookie) is also getting recycled along with
the session cookie.

A forms authentication ticket is issued if the user selects the "save me"
option on the login page.
If the user selects save, then the user id is stored in a cookie encrypted
by the forms authentication ticket.


Scenario

In a multiuser (concurrent) situation this is causing a problem: due to the
recycling of the session id, the forms authentication ticket is getting passed
to some other user who is currently using the site. That means "user z"
details are displayed for "user a", who is some other user accessing the site.

Environment: ASP.NET 2.0, IIS 6.0 / 2003 Server.

Please reply if you have any thoughts.
 
Patrice

AFAIK the SessionID string in ASP.NET is basically created from a GUID
value, making it unlikely (not to say impossible) to reuse a number.

Have you shown the SessionID (perhaps add a session variable to store the
datetime the session started)? Do you use frames?
In most cases this is caused by using static (aka Shared in VB.NET)
variables, making the variable actually shared by all users...

IMO it should be something else that causes this problem.
 
Guest

Part of this confusion could arise from the fact that in ASP.NET 2.0, a
Session is not "live" for a user until an actual value is stored in session
state.
So what I would suggest is that as soon as a user comes to your site, check
to see if Session["test"] is null. If so, set Session["test"]=true;
now you have a live session and something to test against in checking out
your other issues.
Peter
 
bruce barker (sqlwork.com)

session tickets are only recycled for the same browser. this can cause a
problem on internet cafe browsers, but not with two users on different
computers. if you are seeing the problem from two computers, then it's a
coding error on your part. you are probably storing session data in a static
(shared in vb) or in a vb module (all member variables are static).

-- bruce (sqlwork.com)
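As an added illustration (not code from this thread), here is the Shared-state mistake Patrice and bruce describe, next to the per-session form, in a console harness that forces two "requests" to interleave so request a ends up reading user z's id; it assumes a console project that references System.Web. A Shared function such as fnVerify_Login is not itself the issue; only data kept in Shared or Module members is shared across users.

```vb
Imports System
Imports System.Threading
Imports System.Web

' Vulnerable pattern: every member of a VB Module is Shared, so this "current
' user" is a single process-wide slot that all requests on the server read.
Public Module LoginStateShared
    Public CurrentUserID As String = ""
End Module

' Safe pattern: per-user data belongs in the session tied to the request's
' cookie. HttpContext.Current is populated only inside the ASP.NET pipeline,
' so this class is shown for contrast and is not exercised by Main below.
Public Class LoginStatePerSession
    Public Shared Sub SetUser(ByVal userId As String)
        HttpContext.Current.Session("UserID") = userId
    End Sub
    Public Shared Function GetUser() As String
        Return CStr(HttpContext.Current.Session("UserID"))
    End Function
End Class

' Console harness (constructed for this example) that forces the interleaving
' "a logs in, z logs in, a reads" on two threads, the way two concurrent
' requests on the same worker process would hit the Shared slot.
Public Module Demo
    Private aLoggedIn As New ManualResetEvent(False)
    Private zLoggedIn As New ManualResetEvent(False)
    Private seenByA As String

    Private Sub RequestOfUserA()
        LoginStateShared.CurrentUserID = "user a"
        aLoggedIn.Set()
        zLoggedIn.WaitOne()        ' meanwhile another request logs in
        seenByA = LoginStateShared.CurrentUserID
    End Sub

    Private Sub RequestOfUserZ()
        aLoggedIn.WaitOne()
        LoginStateShared.CurrentUserID = "user z"
        zLoggedIn.Set()
    End Sub

    Sub Main()
        Dim a As New Thread(AddressOf RequestOfUserA)
        Dim z As New Thread(AddressOf RequestOfUserZ)
        a.Start()
        z.Start()
        a.Join()
        z.Join()
        ' The page served to user a would now carry user z's identity.
        Console.WriteLine("Request of user a sees: " & seenByA)
    End Sub
End Module
```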
 
Guest

Hi,

Thanks for your inputs.

Bruce, as you suggested there could be a problem because of static
variables (session).
I'm using Login.fnVerify_Login which is a Shared function. Is this the
problem??

Kindly advise.

Ok, let me explain my coding implementation part.

Since I have selected InProc mode for Session State, I'm using Global.asax
for session handling.


'************* Global.asax file **********

Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
    ' Code that runs when a new session is started

    ' Totally I have some 5-6 session variables added here.
    ' Only session variables are added here when a new session is initialized.
    Session.Add("UserID", "")
    Session.Add("CompName", "")
End Sub

Sub Session_End(ByVal sender As Object, ByVal e As EventArgs)
    ' Code that runs when a session ends.
    ' Note: The Session_End event is raised only when the sessionstate mode
    ' is set to InProc in the Web.config file. If session mode is set to
    ' StateServer or SQLServer, the event is not raised.
    Session("UserID") = Nothing
    Session("CompName") = Nothing
End Sub

'******* Web.config file *********

<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings>
    <add key="testCon" value="Initial Catalog=testwebdb;Data Source=test;User Id=testdbdb; pwd=test;" />
    <add key="PageRecordSize" value="3" />
  </appSettings>

  <system.web>
    <!-- Refer to the URL http://support.microsoft.com/kb/317604/ for the
    sessionState section below.

    Set compilation debug="true" to insert debugging
    symbols into the compiled page. Because this
    affects performance, set this value to true only
    during development.

    Visual Basic options:
    Set strict="true" to disallow all data type conversions
    where data loss can occur.
    Set explicit="true" to force declaration of all variables.
    -->
    <globalization enableClientBasedCulture="true" />

    <trace enabled="false" pageOutput="false"/>
    <compilation debug="false" strict="false" explicit="true" defaultLanguage="vb"/>
    <pages enableViewState="false" validateRequest="false">
      <namespaces>
        <clear/>
        <add namespace="System"/>
        <add namespace="System.Collections"/>
        <add namespace="System.Collections.Specialized"/>
        <add namespace="System.Configuration"/>
        <add namespace="System.Text"/>
        <add namespace="System.Text.RegularExpressions"/>
        <add namespace="System.Web"/>
        <add namespace="System.Web.Caching"/>
        <add namespace="System.Web.SessionState"/>
        <add namespace="System.Web.Security"/>
        <add namespace="System.Web.Profile"/>
        <add namespace="System.Web.UI"/>
        <add namespace="System.Web.UI.WebControls"/>
        <add namespace="System.Web.UI.WebControls.WebParts"/>
        <add namespace="System.Web.UI.HtmlControls"/>
        <add namespace="System.Data"/>
        <add namespace="System.Data.OleDb"/>
        <add namespace="System.Drawing"/>
        <add namespace="System.Net"/>
        <add namespace="System.Net.Mail"/>
      </namespaces>
    </pages>
    <!--
    The <authentication> section enables configuration
    of the security authentication mode used by
    ASP.NET to identify an incoming user.
    -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="25" name="sqlAuthCookie" />
    </authentication>
    <authorization>
      <!--<deny users="?" />-->
      <allow users="*" />
    </authorization>
    <!--
    The <customErrors> section enables configuration
    of what to do if/when an unhandled error occurs
    during the execution of a request. Specifically,
    it enables developers to configure html error pages
    to be displayed in place of an error stack trace.
    -->
    <!-- Custom errors handled in global.asax file -->
    <customErrors mode="On" defaultRedirect="\Errpage.aspx"/>

    <sessionState
      mode="InProc"
      cookieless="false"
      stateConnectionString="tcpip=127.0.0.1:42424"
      sqlConnectionString="data source=127.0.0.1;user id=;password="
      timeout="20"/>

  </system.web>
</configuration>
'******* end of web.config file.*****


I have a login page where the user inputs UserID & Password; when the page is
submitted a submit event handler is called like the one given below.


Private Sub btnSubmit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnSubmit.Click

    Page.Validate()
    If Login.fnVerify_Login(Server.HtmlEncode(txtUserName.Text), _
                            Server.HtmlEncode(txtPassword.Text), chkID.Checked.ToString) Then

        HttpContext.Current.Session.Item("UserID") = txtUserName.Text.ToString
        ' other code follows here

    End If

End Sub
' The session variable added in Session_Start is assigned a value in the above
' event.

' The above event also calls the Login.fnVerify_Login function. The following is
' the definition of that function.

' The called clsLogin.fnVerify_Login is a Shared function. Is this the problem??

' Imports needed at the top of the class file:
' Imports System.Data
' Imports System.Data.SqlClient
' Imports System.Web
' Imports System.Web.Security

Public Shared Function fnVerify_Login(ByVal UserID As String, ByVal UserPwd As String, ByVal SaveMe As String) As Boolean

    Dim oCmd As New SqlCommand
    Dim SqlParamID As SqlParameter
    Dim SqlConn As SqlConnection
    Dim SqlDataReader As SqlDataReader

    ' cCls.DBConnect() is assumed to return an already opened connection.
    SqlConn = cCls.DBConnect()

    oCmd.CommandText = "dbo.WS_Select_LoginDetails"
    oCmd.Connection = SqlConn
    oCmd.CommandType = CommandType.StoredProcedure

    SqlParamID = oCmd.Parameters.Add("@i_UserID", SqlDbType.Char)
    SqlParamID.Value = UserID

    ' Default to a failed login when no row comes back for this UserID.
    fnVerify_Login = False

    SqlDataReader = oCmd.ExecuteReader
    If SqlDataReader.Read Then

        Dim dbPasswordHash As String = SqlDataReader.GetString(3)
        Dim salt As String = SqlDataReader.GetString(4)

        Dim passwordAndSalt As String = String.Concat(UserPwd, salt)

        Dim hashedPasswordAndSalt As String
        hashedPasswordAndSalt = FormsAuthentication.HashPasswordForStoringInConfigFile(passwordAndSalt, "SHA1")

        '--------- works normally, check done by FormsAuthentication hashing.
        If hashedPasswordAndSalt.Equals(dbPasswordHash) Then
            HttpContext.Current.Session.Item("CompName") = SqlDataReader.Item("CompName").ToString
            fnVerify_Login = True
        Else
            fnVerify_Login = False
        End If
    End If
    SqlDataReader.Close()

    If SqlConn.State = ConnectionState.Open Then
        SqlConn.Close()
        SqlConn.Dispose()
    End If
End Function
 
Guest

Patrice,

I don't use frames, but web user controls are used instead. Yes, shared
variables can cause this problem. Thanks for your input. I have posted back
my threaded reply below explaining my coding implementation.
 
Guest

Peter,

Thanks for your inputs.

Peter Bromberg said:
[snip]

--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com

Ibrahim. said:
[snip]