 Session timeout vs restricted pages

AndyGB4

Posts: 122
Posted: 05/27/2015, 12:16 PM

Hi, I'm having a strange problem that is really bothering me.

As you all know, when logging into a CodeCharge application,
3 sessions (UserID, UserLogin & GroupID) are automatically generated.

On a restricted page, I use these settings to display certain information.

My issue is this:

After a certain amount of time, those 3 sessions are lost, but I am still logged in, and able to view restricted pages.

I know that I am still logged in, because I have a test page with the code:

HttpContext.Current.User.Identity.IsAuthenticated

And it returns "True".

There's 2 ways to go about this... I can either find a way to make the Session variables stay forever, or, when the Session vars are lost, I can force a logout. I guess I'd prefer making the sessions last forever, but either solution would be viable for me.

Side Note:
When I checked the IIS, it says the Sessions should last 2 hours, but they definitely do not last that long. Something is losing them much earlier than that.

Thanks,
- Andrew

robertmann

Posts: 109
Posted: 05/27/2015, 9:45 PM

Not sure if I had the same problem but I often lose the login after republishing the application and basically after it recompiles itself.
To check if the user is logged in you may want to check the value of HttpContext.Current.Session["UserID"] in the page's After Initialize Event.
Maybe something like this would work (not tested):
  
// Convert.ToString returns "" for null, so this covers both a missing and an empty value  
if (string.IsNullOrEmpty(Convert.ToString(HttpContext.Current.Session["UserID"]))) {  
  Response.Redirect("Login.aspx");  
}  

To log in the user indefinitely you may want to save the user id in a cookie (encrypted if the system is public and less secure).
This could be a bit more complex, but CCS should be doing the same via the "Remember Me" feature.
Did you enable the "Remember Me" feature in CCS security settings?

_________________
Robert
cvboucher

Posts: 191
Posted: 05/28/2015, 10:38 AM

I've stopped relying on session variables in my ASP.Net InMotion apps. The ASP.Net InMotion projects use both forms based authentication and session variables (https://support.microsoft.com/en-us/kb/301240). Forms Authentication has a timeout that is set in the web.config and session variables have a timeout that is set in IIS. When these two are different you get what you are seeing. When you need the UserID or Group, you can join your User table and filter it using HttpContext.Current.User.Identity.Name. I've also created a small .dll in Visual Studio with some static methods that return the current user id or group.

Another option that doesn't require hitting the database every time you need the user id or group is to create your own Forms Authentication ticket and store this information in the UserData field (http://stackoverflow.com/questions/7217105/how-can-i-manually-create-a-authentication-cookie-instead-of-the-default-method).

HTH,
Craig
AndyGB4

Posts: 122
Posted: 05/29/2015, 6:28 AM

Thanks guys,

I'm definitely going to give these solutions a try.
AndyGB4

Posts: 122
Posted: 05/29/2015, 9:55 AM

Hi guys,

I tried removing the sessions, and am now using HttpContext.Current.User.Identity.Name to look up whatever values I need in the Users table, and it seems to be working well.

But I have a question:
CodeCharge uses the GroupID Session variable to decide who is allowed to view which pages.
So when the Sessions are lost, even though a person is logged in, they might not be able to access certain pages.
I haven't encountered this yet, so perhaps I'll test out that theory first, but if that really is what happens,
what's the best way to go about it?

I don't really want to have to create an entire Privilege system. Maybe I can modify some file to use the new way instead of looking for the GroupID Session?

Thanks!
cvboucher

Posts: 191
Posted: 05/29/2015, 2:46 PM

I didn't think about the GroupID being used that way. I've started rolling my own security on the pages. A workaround could be to add some code in the Application_BeginRequest method of Global.asax (under Common Files) to check if HttpContext.Current.User.Identity.IsAuthenticated and the GroupID session variable is null, then get the user record and populate the session variable.

I use this same method to redirect to ssl if it isn't a secure connection.

If Not Request.IsSecureConnection Then  
   Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"))  
End If

Craig
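
An added sketch of the Global.asax workaround described above, written in C#; it is not CodeCharge-generated code. It hooks PostAcquireRequestState, the point in the ASP.NET pipeline at which both the authenticated user and session state are available. The Users table columns, the "AppDb" connection string name and the stored value types are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Session state has been attached to the request by the time this event fires.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;   // request served without session state
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        if (ctx.Session["UserID"] != null && ctx.Session["GroupID"] != null) return; // still intact

        // Hypothetical schema: Users(UserID, UserLogin, GroupID); "AppDb" is a placeholder name.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT UserID, GroupID FROM Users WHERE UserLogin = @login", conn))
        {
            // Parameterized: the login name is never concatenated into the SQL text.
            cmd.Parameters.AddWithValue("@login", ctx.User.Identity.Name);
            conn.Open();
            using (SqlDataReader row = cmd.ExecuteReader())
            {
                if (!row.Read())
                {
                    // The account no longer exists: end the login instead of guessing a group.
                    FormsAuthentication.SignOut();
                    FormsAuthentication.RedirectToLoginPage();
                    CompleteRequest();   // skip the page handler for this request
                    return;
                }
                ctx.Session["UserID"] = row["UserID"];
                ctx.Session["UserLogin"] = ctx.User.Identity.Name;
                ctx.Session["GroupID"] = row["GroupID"];
            }
        }
    }
}
```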
AndyGB4

Posts: 122
Posted: 06/04/2015, 10:35 AM

That's a great idea. I'll definitely be trying that out.

As for the original problem, I've gone through my entire site and adapted it to stop relying on Sessions, and to use the HttpContext.Current.User.Identity.Name, and it's working great.

Tuong Do
Posted: 06/15/2015, 11:19 PM

Hi Andy,

In the file

App_Code\InMotion\Web\MTPage.cs

At line 569

Change the text

if (Restricted && !UserRights.AllowRead)

To

if (Restricted && string.IsNullOrEmpty(InMotion.Security.Utility.UserId))

Then it will auto redirect you to the login page when the Session times out




