Session data loss during user logged session

peprom

Hello

I am developing a web application which is part of an IT project. In my web
app, Administrators can add end-users of this project. My web app is at the
end of the development process (it is in beta testing now) and it is my first
ASP.NET project.
I am using ASP.NET 2.0, SQL Server Enterprise and the ASP.NET AJAX framework 1.0
(to make my site modern).
I am using the forms authentication method in my login page. After an Administrator
has successfully logged in (I am using FormsAuthenticationTicket to save some
information such as the user role, then I encrypt this information
using the FormsAuthentication.Encrypt() method and finally I save it
in Cookie.Value), he chooses one of his profiles - he can have a few
profiles (I save this information simply with the Session.Add method, and then
check the state of these values and the current User.IsInRole method in every
Page_Load event). In conclusion - we have an encrypted ticket with some values and
the session state of the previously chosen profile.

Yesterday I unexpectedly encountered this strange situation. After
successful authorization I performed some operations, then I pressed
the back button on my page (which calls the Response.Redirect(Default.aspx) method)
and suddenly discovered that I was acting as another logged-in user (my
page is in testing and probably a few people were working at the same time as me).
I was logged in as another user (I had lost my ticket and session and got
the session and ticket of another user)!! This situation is frightening for me. I
would prefer the program to crash and send some strange error information rather
than the situation above.

This situation has never happened to me on my local machine and probably can
happen when 10 or more people are working at the same time.
For me, this situation shouldn't take place - logged-in users should be in
separate threads on the IIS server and can't cross each other.

I don't know what to do. I can limit the number of connections to a small number
(I think this is the fastest method) but I don't know how it deals with AJAX.
I would like to avoid a situation where logged-in users suddenly lose their
sessions because of connection limits.

I would like to ask you for some advice, articles or examples - how to
configure IIS for this kind of situation (sessions etc. - I have default
settings), how to deal with the logging process (some patterns and practices -
this is my first ASP.NET project).

I don't know the reason for this situation - maybe the Session is too large (I am
collecting data from the database in session state to make Google-like suggestions
for a textbox), maybe AJAX and the asynchronous calls cause this strange
situation (I am using the UpdatePanel control in my page - all controls in my
page are inside an UpdatePanel).
Maybe the AJAX framework (1.0 version) can't deal properly with a large number of
active sessions..

Thanks in advance
 
Guest

I think it's a bug somewhere in the code, check again how you
authenticate the users.

In general, if you store the FormsAuthenticationTicket in a cookie then
you don't need to use the Session object.
In global.asax, create a new GenericPrincipal instance, add the roles
and assign it to the current user:

    // Needs the System.Web, System.Web.Security and
    // System.Security.Principal namespaces.
    protected void Application_OnAuthenticateRequest(Object src, EventArgs e)
    {
        HttpContext currentContext = HttpContext.Current;
        if (currentContext.User != null)
        {
            if (currentContext.User.Identity.IsAuthenticated)
            {
                if (currentContext.User.Identity is FormsIdentity)
                {
                    FormsIdentity id = currentContext.User.Identity as FormsIdentity;
                    FormsAuthenticationTicket ticket = id.Ticket;
                    string userData = ticket.UserData;
                    // Roles is a helper class which places the roles of the
                    // currently logged on user into a string array
                    // accessible via the Value property.
                    Roles userRoles = new Roles(userData);
                    // Replace the request's principal with one that carries the roles.
                    currentContext.User = new GenericPrincipal(id, userRoles.Value);
                }
            }
        }
    }

More info can be found here
http://msdn2.microsoft.com/en-us/library/Aa289844(VS.80).aspx

Hope this helps
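
The handler in the reply above reads roles back out of ticket.UserData, but the login side and the Roles helper are not shown in the thread. The following is an added example (not code from the thread) covering both halves; the TicketHelper class, its method names and the '|' separator are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper: the class and method names are not from the thread.
public static class TicketHelper
{
    // Assumed delimiter; role names must not contain it.
    private const char Separator = '|';

    // Login side: call after the credentials have been verified, then add the
    // returned cookie with Response.Cookies.Add(...).
    public static HttpCookie IssueTicketCookie(string userName, string[] roles,
                                               int timeoutMinutes)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,                            // becomes User.Identity.Name
            now,                                 // issue date
            now.AddMinutes(timeoutMinutes),      // expiration
            false,                               // not persistent
            string.Join(Separator.ToString(), roles),
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the machineKey settings.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows web.config
        return cookie;
    }

    // Request side: what a Roles helper like the one in the reply has to do.
    public static string[] RolesFromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired ||
            string.IsNullOrEmpty(ticket.UserData))
        {
            return new string[0];   // no roles rather than an exception
        }
        return ticket.UserData.Split(new char[] { Separator },
                                     StringSplitOptions.RemoveEmptyEntries);
    }
}
```

Roles carried in the ticket stay as issued until the ticket expires or the user signs in again, so a role removed in the database is still honoured for the remaining ticket lifetime.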
 
peprom

Hello

First of all, thanks for your immediate answer. I have done some tests of my
app (with Visual Studio Team Suite) and made a load test. During the test
(where the computer was simply logging in, viewing some things, logging out etc.) I
opened the browser and tried to work. I got the above
error, but I heaved a sigh of relief when I discovered that no ticket
is coming from another user, only some session variables.

My end user, after successful authorization, chooses one thing from
a radio button (this value is stored in session) and on the page the UserName is
visible (LoginName web control).
While the test was running, I sometimes got the LoginName of the user who was
being authorized in the load test, but when I made some request, my user name changed
to the correct user name and I was able to work only with the privileges of the
currently logged-in user.
But this situation is strange... My LoginName control gets the username of
another user, who is currently performing some operations (automated by the
load test)...

I have changed my session settings to store in SQL Server.
It seems that some values of another Session collection (of another user)
are getting into my current Session collection and temporarily (until the next
request) replace it.
Or maybe it is an AJAX feature/issue and I should make a page reload. I
don't know - this situation appears only when the number of currently logged-in
users increases.

My current session settings are: SqlServerMode, timeout 20, cookieless false
Maybe I should decrease the timeout? My FormsAuthenticationTicket is set to 20
minutes and I don't know if it is a good setting.
Maybe I should add some code inside the OnSessionStart event in the Global.asax
file, but what should I add?
Maybe I should check something in the PreInit event of the page life cycle?
Any advice?
Thanks
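
One way to make the mismatch described in this thread visible on the server, as an added example that is not code from the thread: record the authenticated name in the session on first use and fail closed whenever the session's recorded owner and the forms ticket disagree. The session key SessionOwner is an assumption; the check does not identify the cause, it only detects the condition, logs it and ends the session.

```csharp
// Global.asax.cs (added example; the "SessionOwner" key is an assumption)
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string OwnerKey = "SessionOwner";   // hypothetical session key

    // Raised after session state has been loaded for the current request,
    // so both the forms ticket identity and the Session are available here.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers that do not use session state have no Session object,
        // and anonymous requests have nothing to compare against.
        if (ctx.Session == null || ctx.User == null ||
            !ctx.User.Identity.IsAuthenticated)
        {
            return;
        }

        string ticketUser = ctx.User.Identity.Name;       // from the forms ticket
        string owner = ctx.Session[OwnerKey] as string;   // recorded earlier

        if (owner == null)
        {
            // First authenticated request in this session: bind it to the user.
            ctx.Session[OwnerKey] = ticketUser;
            return;
        }

        if (!string.Equals(owner, ticketUser, StringComparison.OrdinalIgnoreCase))
        {
            // Session data and ticket belong to different users. Log the event
            // for investigation, then drop both rather than serve mixed state.
            Trace.TraceWarning("Session owner mismatch: session={0}, ticket={1}, url={2}",
                               owner, ticketUser, ctx.Request.RawUrl);
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }
}
```

The logout handler should also call Session.Abandon(), otherwise a second user signing in on the same browser session will trip this check.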
 
Navneet khehra

Hello Sir,
I have just read your blog; it's really very helpful... I am also very new to .NET. I made one project in ASP.NET using C#... but I am having one problem: I am using session variables to carry some values throughout the project, but because of the session variables' timeout the page has expired... Please, sir, give me your valuable suggestions... Thanks... I am waiting for your response.
 
