AndyGB4
Posts: 122
|
Posted: 05/27/2015, 12:16 PM |
|
Hi, I'm having a strange problem that is really bothering me.
As you all know, when logging into a CodeCharge application,
3 sessions (UserID, UserLogin & GroupID) are automatically generated.
On a restricted page, I use these settings to display certain information.
My issue is this:
After a certain amount of time, those 3 sessions are lost, but I am still logged in, and able to view restricted pages.
I know that I am still logged in, because I have a test page with the code:
HttpContext.Current.User.Identity.IsAuthenticated
And it returns "True".
There's 2 ways to go about this... I can either find a way to make the Session variables stay forever, or, when the Session vars are lost, I can force a logout. I guess I'd prefer making the sessions last forever, but either solution would be viable for me.
Side Note:
When I checked the IIS, it says the Sessions should last 2 hours, but they definitely do not last that long. Something is losing them much earlier than that.
Thanks,
- Andrew
|
 |
 |
robertmann
Posts: 109
|
Posted: 05/27/2015, 9:45 PM |
|
Not sure if I had the same problem but I often lose the login after republishing the application and basically after it recompiles itself.
To check if the user is logged in you may want to check the value of HttpContext.Current.Session["UserID"] in the page's After Initialize Event.
Maybe something like this would work (not tested):
// Session values are typed as object; convert to string before testing for empty
string userId = Convert.ToString(HttpContext.Current.Session["UserID"]);
if (string.IsNullOrEmpty(userId)) {
    Response.Redirect("Login.aspx");
}
To login the user indefinitely you may want to save the user id in a cookie (encrypted if the system is public and less secure).
This could be a bit more complex, but CCS should be doing the same via the "Remember Me" feature.
Did you enable the "Remember Me" feature in CCS security settings?
_________________
Robert |
 |
 |
cvboucher
Posts: 191
|
Posted: 05/28/2015, 10:38 AM |
|
I've stopped relying on session variables in my ASP.Net InMotion apps. The ASP.Net InMotion projects use both forms based authentication and session variables (https://support.microsoft.com/en-us/kb/301240). Forms Authentication has a timeout that is set in the web.config and session variables have a timeout that is set in IIS. When these two are different you get what you are seeing. When you need the UserID or Group, you can join your User table and filter it using HttpContext.Current.User.Identity.Name. I've also created a small .dll in Visual Studio with some static methods that return the current user id or group.
Another option that doesn't require hitting the database every time you need the user id or group is to create your own Forms Authentication ticket and store this information in the UserData field (http://stackoverflow.com/questions/7217105/how-can-i-manually-create-a-authentication-cookie-instead-of-the-default-method).
HTH,
Craig
|
 |
 |
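One way to carry the user id and group in the Forms Authentication ticket's UserData field, the second option in the post above. This is an added example, not part of the original thread or of CodeCharge's generated code; the helper class, its method names and the "userId|groupId" layout are assumptions, and FormsAuthentication.Timeout requires .NET 4.0 or later.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; AuthTicketHelper and the "userId|groupId" layout are assumptions.
public static class AuthTicketHelper
{
    // Call only after the login page has validated the credentials.
    public static void SignIn(HttpResponse response, string login, int userId, int groupId, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                              // ticket version
            login,                                          // becomes User.Identity.Name
            DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),  // same lifetime as <forms timeout="...">
            persistent,
            userId + "|" + groupId,                         // UserData
            FormsAuthentication.FormsCookiePath);

        // Encrypt() encrypts and signs the ticket according to the <forms protection> setting.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Reads the ids from the ticket that FormsAuthenticationModule already decrypted for this request.
    public static bool TryGetUserData(HttpContext context, out int userId, out int groupId)
    {
        userId = groupId = 0;
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;

        string[] parts = (identity.Ticket.UserData ?? "").Split('|');
        return parts.Length == 2
            && int.TryParse(parts[0], out userId)
            && int.TryParse(parts[1], out groupId);
    }
}
```

A group change in the Users table takes effect only when a new ticket is issued, so the forms timeout bounds how long a stale GroupID can be used for page access decisions.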
AndyGB4
Posts: 122
|
Posted: 05/29/2015, 6:28 AM |
|
Thanks guys,
I'm definitely going to give these solutions a try.
|
 |
 |
AndyGB4
Posts: 122
|
Posted: 05/29/2015, 9:55 AM |
|
Hi guys,
I tried removing the sessions, and am now using HttpContext.Current.User.Identity.Name to look up whatever values I need in the Users table, and it seems to be working well.
But I have a question:
CodeCharge uses the GroupID Session variable to decide who is allowed to view which pages.
So when the Sessions are lost, even though a person is logged in, they might not be able to access certain pages.
I haven't encountered this yet, so perhaps I'll test out that theory first, but if that really is what happens,
what's the best way to go about it?
I don't really want to have to create an entire Privilege system. Maybe I can modify some file to use the new way instead of looking for the GroupID Session?
Thanks!
|
 |
 |
cvboucher
Posts: 191
|
Posted: 05/29/2015, 2:46 PM |
|
I didn't think about the GroupID being used that way. I've started rolling my own security on the pages. A work around could be to add some code in the Application_BeginRequest method of Global.asax (under Common Files) to check if HttpContext.Current.User.Identity.IsAuthenticated and the GroupID session variable is null, then get the user record and populate the session variable.
I use this same method to redirect to ssl if it isn't a secure connection.
If Not Request.IsSecureConnection Then
Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"))
End If
Craig
|
 |
 |
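The session-repopulation workaround described above, as an added example that is not part of the original post or of CodeCharge's generated code. It hooks PostAcquireRequestState because session state has been loaded by then; the connection string name "AppDb" and the table and column names are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

// Added example for the Global.asax code-behind; names marked below are assumptions.
public class Global : HttpApplication
{
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;                                   // handler without session state
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        if (ctx.Session["GroupID"] != null) return;                        // session still intact

        object userId, groupId;
        if (TryLoadUser(ctx.User.Identity.Name, out userId, out groupId))
        {
            // Store the same value types the generated login code stores (not shown in the thread).
            ctx.Session["UserID"] = userId;
            ctx.Session["UserLogin"] = ctx.User.Identity.Name;
            ctx.Session["GroupID"] = groupId;
        }
        else
        {
            // Valid ticket but no matching account: end the login instead of guessing a group.
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl);
        }
    }

    // Assumed schema: users(user_id, group_id, user_login), columns NOT NULL.
    private static bool TryLoadUser(string login, out object userId, out object groupId)
    {
        userId = groupId = null;
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT user_id, group_id FROM users WHERE user_login = @login", conn))
        {
            cmd.Parameters.AddWithValue("@login", login);
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;
                userId = r["user_id"];
                groupId = r["group_id"];
                return true;
            }
        }
    }
}
```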
AndyGB4
Posts: 122
|
Posted: 06/04/2015, 10:35 AM |
|
That's a great idea. I'll definitely be trying that out.
As for the original problem, I've gone through my entire site and adapted it to stop relying on Sessions, and to use the HttpContext.Current.User.Identity.Name, and it's working great.
|
 |
 |
Tuong Do
|
Posted: 06/15/2015, 11:19 PM |
|
Hi Andy,
In the file
App_Code\InMotion\Web\MTPage.cs
At line 569
Change the text
if (Restricted && !UserRights.AllowRead)
To
if (Restricted && string.IsNullOrEmpty(InMotion.Security.Utility.UserId))
Then it will auto redirect you to the login page when the Session
times out
|
|
 |
|