I have created an asp.net application in which i have used global.asax. I have created a static class which stores user information such as LoginID, CompanyID etc using properties. A property IsLoggedIn indicates whether user logged in or not. I have created a method ResetAll() within the same class to reset those properties.
The problem is that if the user directly closes the browser window without logging off the property values are not resetted. Therefore if the user opens a new browser window, the user is logged in automatically. I have also called ResetAll() within from Session_End() but still it is not working. Could someone explain me whats wrong with that or simply how to reset the property values if the user directly closes the browser window.
If I am reading this correctly and you have a class with static members, then you are going to run into issues. With an ASP.NET web app, static members are static for the entire AppDomain, not just for an individual user, so the values would be the same no matter where the request has come from.
It sounds like what you really need to think about doing is storing an instance of the user information class in the session. That way the information is specific to that particular user. Also, that should solve your issue as the session cookie is normally removed when the browser window is closed, forcing a new session when the browser window is re-opened.
So something like:
Dim thisUser As New UserInformation()
thisUser.LoginID = someValue
Session("UserInformation") = thisUser
You cannot make the class static. Worse than keeping the user logged in across sessions is the fact you cannot have multiple users in your system. They will all share the same login information. You should read about static.
What you want is to store an instance of that class in the session and access it whenever you need.
Related
I am using ABP framework with MVC 5 and deployed into Azure. I have listed few session related questions below.
I used HttpContext.Current.Session in WebMpa project and AbpSession in Application services, but unable to get the data from AbpSession using HttpContext.Current.Session in WebMpa project, both are saving data in different place?
Am using static helper class and static property to Get/Set HttpContext.Current.Session value, if i want to remove the HttpContext.Current.Session any easiest way is available(with minimal code change), it could be better if we can get AbpSession from that static class?
I want to alert users 20 secs prior to session expired, is there any build in option available in ABP?
If I enable to Redis Cache implementation in my application, Cache, HttpContext.Current.Session, AbpSession and TempData will works without any issues and all should Get/Set values from Redis datasource?
AbpSession is not extending HttpContext.Current.Session. So the answer is yes you cannot share data btw AbpSession and Session.
Don't use static for injectable types. bad practise!
There's no built-in function for that. You can achieve this with a javascript function. When you finish a request, start timer. You know the session timeout duration. So when it reaches to 20secs, show an alert window to continue session. If answer is Yes then make a new request to slide session.
No! As i stated, Session and AbpSession is totally different things and you cannot share btw them.
PS: AbpSession stores claims. And it's extendable. So you can store any item in AbpSession. See the link to understand how to extend AbpSession https://gist.github.com/hikalkan/67469e05475c2d18cb88
When you set up a ColdFusion session inside of a application.cfm or application.cfc file you can define a sessionTimeout like:
<cfapplication name = "appname"
sessionTimeout = #CreateTimeSpan(0, 0, 30, 0)# <!--- 30min timeout --->
sessionManagement = "yes">
I think that a ColdFusion session is 'extended' or 'renewed' every time:
The user navigates to a new ColdFusion Template (a .cfm file)
The user refreshes a Coldfusion Template (a .cfm file)
The user accesses a ColdFusion Component (a .cfc file) in any way, including via ajax calls that run a cffunction in the .cfc file.
In other words, if a user performs any of the actions above (assuming the sessionTimeout is 30 minutes like in the above example) the session will expire 30 minutes from when the action was performed--essentially 'extending' the life of the session to the value of sessionTimeout each time the user performs one of those actions.
Does this understanding sound correct? Are there any actions that 'extend' a ColdFusion session that I'm missing? Do the ones I listed actually behave how I think they behave and 'extend' the session?
Something similar was asked here: Can we renew session in Coldfusion?
What Alex says is true. There is a way of maintaining a session without cookies if you look at the docs. Check out the section Using client and session variables without cookies.
The only other way I can think of extending a session without user intervention would be if you can find the session through SessionTracker. Here's a nice post about it: Advanced ColdFusion Session Management.
In fact, in the comments, it says that if you access the sessions through the built-in java methods, you might extend them:
You might want to note that as soon as you access any sessions through
those methods, you'll update the "lastAccessed" timestamp.
I have following code
cx5_login.asp
Session("Login") = "demo"
cx5_logout.asp :
Session("Login") = ""
Session.Abandon
response.redirect "c5x_login.asp?C5xName=Login"
I want to know if Session.Abandon will remove Session("Login")?
Currenly, I am check for Session("Login") to determinate if the user is login or not.
But it doesn't work.
Scenario:
User login
User logout
I print value from Session("Login") and it's still have value.
I have called Session.Abandon but why Session("Login") still have value?
Is it related with ASPSESSIONID cookie?
I try to remove that cookie manually and it's work.
Any explanation for this?
What Neel say's isn't wrong but it isn't right either, the problem is and constantly tends to be either question askers or people answering confusing Classic ASP with ASP.Net.
If your question is Classic ASP related then when talking about the Session object you need to consider the following.
Session.Abandon() should be used to completely dispose a session including the Session.SessionID.
But there is a cavert;
Quote from the MSDN Library - Session.Abandon()
"When the Abandon method is called, the current Session object is queued for deletion but is not actually deleted until all of the script commands on the current page have been processed. This means that you can access variables stored in the Session object on the same page as the call to the Abandon method but not in any subsequent Web pages."
This means that within the context of the current page your Session is still available, it isn't until you move on to another page that the Session object is actually disposed.
If you don't redirect after your log out page your Session will still be accessible but rest assured that any attempt to access it after leaving that page will fail.
As a test don't automatically redirect after logout but give the users a link to press and see if you get the same behaviour.
When i copy the URL from one browser to paste it in another browser my session data not retrieved it shows "Object reference not set to an instance of an object".
(Please note - this answer assumes you are not already using cookieless sessions)
The way sessions work in ASP.NET is that when you first access a site, a cookie-file is placed in your browsers cookie-store. The cookie contains a session ID, so the next time you access that site from that browser the ID is passed to the web-application and it knows which session-state to load.
However, each browser implements it's own cookie-store, so switching browsers means the site cannot determine your session ID.
One way to get around this is to use cookieless sessions. However, these have a number of issues relating to usability and security, so think long and hard before deciding they are for you.
Another option is to tie together your authorization and session systems. However, this is not generally recommended either.
You will not be able to access session values across multiple browsers.
Also, you should check if the value exists in Session to avoid Server Error.
if(Session["Key"] != null)
{
//Write your code here
}
else
{
//Alternative code (redirection code)
}
I'm using a modified version of Felix Geisendörfer's SimpleAuth/SimpleAcl components that I've combined into a single Component, Simple_Authable.
I changed his startup() function to initialize() to not clutter the beforeFilter function in my app_controller.
One of the things that this component does is check who the active user is and if that user can't be found it either looks him up based on the primary User.id or uses 'guest'. Either way, the component uses $this->Controller->Session->write() to save the active user or guest information.
I'm also using Felix's Authsome plugin instead of the default CakePHP Auth component.
When I'm logging in, the active user is guest, obviously.
After I've submitted the form, the active user is still guest because the component's initialize() function is firing before everything else. Then, the Authsome plugin comes into play and validates my user as "root" and also calls $this->SimpleAuthable->setActiveUser($id, true); to force SimpleAuthable to update the active user information it is storing via $this->Controller->Session; Then I am redirected and my simple Session information and DebugKit's Session tab reflect that I am indeed the root user.
However, when I try to navigate to an 'admin' page, let's say /admin/users/index, lo and behold SimpleAuthable thinks I'm still a 'guest' user because when it performs a $this->Controller->Session->read() call to the key holding my user id, it is getting an empty response, i.e., the data stored on the previous page didn't persist.
Maybe there is something funky happening between Authsome & SimpleAuthable, but things look pretty straightforward and to my mind, $this->Controller->Session should be saving and persisting the data written to it.
So, I'm looking at refactoring all the calls to $this->Controller->Session and replacing them with $this->Session but first I wanted to throw this out to the community and see if anybody has seen anything similar and if so how did they resolve it.
Sincerely,
Christopher.
I found the problem... I'm also using Joshua McNeese's Permissionable plugin and I needed to disable it for the $this->Controller->{$this->userModel}->findById($id); in my SimpleAuthable component when I try to lookup the current active user.
Note to self: I would have caught this faster if I had some unit testing in place :(.