.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
Gaurav Pal
Post New Web Links

session object security in asp.net 4

Posted By:      Posted Date: August 28, 2010    Points: 0   Category :ASP.Net
hi,So I'm developing a complicated solution where users need to register, on the web application. I'm not going to use asp.net forms authentication because it would be too complicated to make it work in my app. We do not have SSL, it doesnt need to be super secure but the only thing I am worried about is:When the user logins, he is authenticated, then his username is stored in an asp.net session object. Every protected page then check if there is a username, is there isn't he is redirected. Is this secure?Is there a way an attacker can manipulate a session object to have it store a valid username, which will fool the pages to think that user has logged in. Is there any way to make it slightly more secure without hitting too much on performance?All the options I see are all about forms authentication.Thanks so much

View Complete Post

More Related Resource Links

Scripting: Windows Script Host 5.6 Boasts Windows XP Integration, Security, New Object Model


Windows Script Host (WSH) 5.6, a major upgrade for the WSH environment, provides some significant improvements over previous versions. A brand new security model that is tightly integrated with security in Windows XP allows administrators to place fine-grained restrictions on scripts reducing the risk from malicious code. In addition, local scripts can now run on remote machines, and enhancements to the object model reduce the amount of boilerplate code needed when writing professional code. This overview of WSH 5.6 explains these changes and how .NET and scripting work together.

Dino Esposito

MSDN Magazine May 2002

send data in class object from one page to another using session


hello everybody

now i hav stored all data like user name, data fatched from database of that user

and i stored that data and user name such as:

string strUserName="user name"

dataset ds =new dataset();// data of that user

now i wan yo send d whole data from my login page to user profile page

can anybody help me for that...................

and plz tell me that how much is this way is benifitial to send data from one page to another page

plz........kindly waiting for positive rply

Session Object not set to an instance.....

Hello all, Please tell me if I have made a mistake in the following code. It is part of a class that cycles through various conditions to return a value to aspx page. I get null exception when it hits the session variable. I even declared the session variable in global.asax, and thought that I was checking for null value correctly. Obviously I haven'tImports Microsoft.VisualBasic Imports System.Linq Imports System.Web Imports System.Web.Services Imports System.Web.HttpContext Public Class OrderNumber Public Shared Function GetOrderNumber() As String ' ''//Sets OrderNumber if it exists If Not HttpContext.Current.Request.QueryString("OrderNumber") Is Nothing Then Return CType(HttpContext.Current.Request.QueryString("OrderNumber"), String) ElseIf Not HttpContext.Current.Session("OrderNumber") Is Nothing Then Return CType(HttpContext.Current.Session("OrderNumber"), String) ElseIf Not FindExistingOrder() Is Nothing Then Return FindExistingOrder() Else : Return "" End If End Function   Thanks, I am pretty well stumped. Have a good evening.

WCF using ASP .NET Session and Timer object

I've got a WCF service that handles account management for a Silverlight 4 application. It uses PerSession as the InstanceContextMode and Required as the AspNetCompatibilityRequirementsMode so I can use ASP .NET SessionState (Silverlight only supports BasicHttpBinding, which doesn't support WCF sessions). When the client application calls the Login method, the service sets up a System.Timers.Timer object that fires after five minutes. The client calls a KeepAlive method every thirty seconds to let the service know its still alive, KeepAlive resets the timer. The idea is if the user leaves by closing the browser or leaving the page without properly logging out, after five minutes the timer event fires and it's supposed to set some flags in the application's database. This mostly works. The problem is that HttpContext.Current.Session is always null within the timer event. It works fine within the other methods. Since I can't access session, I can't figure out which user it is to perform cleanup. Can I access the Session object? Is there a better way for me to maintain session state while keeping Silverlight compatibility?

page inside update panel doesn't refresh the session object after postback of any control



I have many controls like dropdown, radiobuttonlist, etc on my page and I put all these controls inside the update panel so that the page doesn't look to be posting back when something is selected. Now the working on the page is very smooth. But the session object isn't getting refreshed even if I postback to the server and as a result even if the users are working on the page they are being sent to the login screen after 20 mins.

Is there anyway where I could put all the controls in update panel and still refresh the session after any postback(dropdown selection)

Any help is greatly appreciated.

Thanks in advance

Keep updating Session object with a new List c#


I have a Session object

Session["MyListObjects"] = null;

When a user hits a button I want to creat a List<string> object and add to session object.

Let's say if user hits the button 10 times, I would get 10 List<string> objects and
add to Session["MyListObjects"] and

Finally I want to read all the List<string> objects from the session object.

Please let me know how to do that.

How can I manage session data outside the ASP.Net session object?


I want to be able to persist data across a session but do this outside of the built-in session state object.  Why is a long story that I will not go into here.  I just need to know where I can put data other than in the session object that will persist across the specific session (in memory - I already have a database solotion).


Storing TcpClient object in session



I am experimenting with an asp.net application wherein I do the following things (simplified for the purpose of this discussion):

1. Take user's gmail username/password (don't fret, I am not doing any nasty stuff Wink).

2. Create TcpClient object and connect it to the Gmail's POP email server using the provided username/password.

3. I am going to use this TcpClient object to download mails for the user.

Following is the problem I face:

1. Say I have presented the user with the subject lines of all his emails.

2. Now he clicks one subject line to download the message. (This will create the post-back to the aspx page)

3. When I receive the post back, will I be able to re-use the same TcpClient object which I connected to the POP server, if I store that object as a Session variable?

I doubt the streams associated with the object will not remain valid.

Is this even the right method to achieve what I am trying to achieve?



Session time-out : object reference not set to an instance...


I noticed that when i am debugging my web application in Visual Studio 2005 using IIS, after about 10-15 minutes of inactivity, when I do something in the application such as a postback, I get an immediate error saying: "object reference not set to an instance" and my code breaks somewhere.

Is my assumption correct that this is because my session has timed out? ( i do have a 15 minute default session time)

my next question is, how do I display or set a way so that like many other pages, when the session has expired, a message will say: "This page must be refreshed" or "Your session has expired, click okay to refresh page" and start over again?


Access property of object as session variable as declarative datasource parameter value


I am storing a custom "Organisation" object as a session variable. One of the properties of  the Organisation object is "OrganisationID" (integer).

I have a DataSource that requires a parameter value to run, and I want to use a SessionParameter to populate this. In a previous version, I stored the OrganisationID directly as a session variable. In that case, I could easily access it like this:

<asp:SqlDataSource ID="SqlDataSource1" runat="server" 
    SelectCommand="spGetUserJobList" SelectCommandType="StoredProcedure">
        <asp:SessionParameter Name="OrganisationID" SessionField="OrganisationID" Type="Int32" />

However, how do I now access the OrganisationID property of an "Organisation" type session variable (called "Organisation")?

 I have tried this, which does not seem to work:

<asp:SessionParameter Name="OrganisationID" SessionField="Organisation.OrganisationID" Type="Int32" />


Is there a way to access the Session object during the Session_End event?


I've tried, but all of my Session variables are coming up as Nothing when the Session_End event is run.  I'm trying to update log files to reflect that a session either timed out or was abandoned, but I'm not having any luck.  Has anyone else done something like this before?  If so, how?  At the very least, I'd like to be able to log the SessionID.

Suggestions are welcome!

No Session object?? (XP, IIS5.1)


We installed a web site on a developer's system (me, actually) which web site has been installed on six or seven Server 2003 systems. As the subject says, my system is XP, running IIS 5.1. The problem is that the Session object seems to be missing. Certainly, the stuff we store in there, one perfectly normal string, can't be found by any of the pieces of the website that want it. (It get's stored in the login script. It's the name the user logged in with.)

We've tried both SQLServer and StateServer with the same results. When using SQL, the SQL Profiler shows activity against the SQLState database (TempSessions table). So something is being stored, but nobody can find it. (And I can't see from the SQL Profiler just what's being stored. The SessionItemShort field is being updated, but I can't tell with what.)

My task with this web site is to add some web services, so I tried dumping out the Session from the HttpContext object in the WebMethod. There wasn't one. A NULL reference. Now I'm calling the web service from code on the client. I do send the Session_ID with the call to the web service. If I didn't, the Membership API wouldn't let me in.

So, two questions:

1. Should the Session object be delivered to the web service? Why is it null?

2. Why is the Session object either not present or no

Can I Assign class object to session variable?


Hi all, i have a class Emp and whether it is possible to save the object of this class in a session?

And after creating the session with object how can i store it in state service and how can i use the object from session??

thanks in advance...

Business Object properties and Session Variable



I'm having trouble getting the properties of a Business Object between pages.  Right now on the main page's button click event, I instantiate a Business Object, assign its properties with user inputs, store it in Session Variable and open a popup via window.open.  On the popup I retrieve the Session variable and cast it to the business object and try to access its properties.

However in the popup Page_Load event, all the properties of the business object is returned as null.  I have no problem using this method with simple strings/integers instead ot the business object.  I'm not sure how to go about this, any suggestions?

Here's my code example:

// Button click event in main page        
protected void btnViewReport_Click(object sender, EventArgs e)
            ReportObj auditReport = new ReportObj();
            auditReport.PropA = 1;
            auditReport.PropB = "hello";
            auditReport.PropC = DateTime.Now;
            auditReport.PropD = new int[] {1,3,10,87,23};

Set an instance Session object



When im running unit testing no an action in the homecontroller i get the following error: 

"Test method WhatsForLunch.Tests.Controllers.HomeControllerTest.Test_Index threw exception: System.NullReferenceException: Object reference not set to an instance of an object."

I know what is causing the error, which is the Session object that i set false and null

 at application start and is further used to track user and hold user information when a user is logged in.

How do i set the object to an instance so that i can perfrom unit testing to the action??



thx in Advance

Can a user's session and their security ticket expire at different times?


Hi there,

If a user's security ticket and session state are configured to expire after twenty minutes, is it possible that one could go before the other? So for example, a user could have access to a protected web page but their sessions has been lost?

Cheers, WT.

Thinking about new C# method prototypes: object as dictionary

I recently had to write a small Flickr API. I know many .Net API for Flickr already exist but I needed one for a Silverlight application. Whatever, it's only about building some querystrings so I did it by myself. It's been an opportunity to think again about a classical question: how to pass parameters to a method ?

Imagine you have a generic method to call some Flickr functions.
ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend