Re: Session data loss during user logged session
- From: Alexey Smirnov <alexey.smirnov@xxxxxxxxx>
- Date: Wed, 15 Aug 2007 18:29:08 -0000
On Aug 15, 9:22 am, peprom <pep...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello
I am developing a web application, which is part of an IT project. In my web
app Administrators can add end-users of this project. My web app is at the
end of the development process (it is in beta tests now) and it is my first
asp.net project.
I am using asp.net 2.0, SqlServer Enterprise and asp.net ajax framework 1.0
(to make my site modern).
I am using the forms authentication method in my login page. After the Administrator
has successfully logged in (I am using FormsAuthenticationTicket to save some
information such as user role, then I encrypt this information
using the FormsAuthentication.Encrypt() method and finally I save it
in Cookie.Value), he is going to choose one of his profiles - he can have a few
profiles (I am saving this information simply with the Session.Add method, and then
check the state of these values and the current User.IsInRole method in every Page_Load
event). In conclusion - we have an encrypted ticket with some values and the
session state of the previously chosen profile.
Yesterday I unexpectedly encountered this strange situation. After
successful authorization I made some operations, then I pressed the
back button on my page (which calls the Response.Redirect(Default.aspx) method)
and suddenly discovered that I had turned into another logged-in user (my
page is in tests and probably a few people were working at the same time as me).
I was logged in as another user (I had lost my ticket and session and got the
session and ticket of another user)!!
I think it's a bug somewhere in the code, check again how you
authenticate the users.
In general, if you store the FormsAuthenticationTicket in a cookie then
you don't need to use the Session object.
In global.asax create a new GenericPrincipal instance, add the roles
and assign it to the current user:
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

protected void Application_OnAuthenticateRequest(Object src, EventArgs e)
{
    // Runs on every request after the forms cookie has been decrypted into a FormsIdentity.
    HttpContext currentContext = HttpContext.Current;
    if (currentContext.User != null)
    {
        if (currentContext.User.Identity.IsAuthenticated)
        {
            if (currentContext.User.Identity is FormsIdentity)
            {
                FormsIdentity id = (FormsIdentity)currentContext.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;
                // UserData holds the comma-separated roles written into the ticket at login.
                // (The original post used a "Roles" helper class that was not shown; a plain
                // Split does the same job and does not clash with System.Web.Security.Roles.)
                string userData = ticket.UserData;
                string[] userRoles = userData.Split(',');
                // Replace the default principal so User.IsInRole() sees the ticket's roles.
                currentContext.User = new GenericPrincipal(id, userRoles);
            }
        }
    }
}
More info can be found here
http://msdn2.microsoft.com/en-us/library/Aa289844(VS.80).aspx
Hope this helps.
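As an added example (not Alexey's code and not taken from the MSDN article), here is the other half of that approach, the login side: the roles and the chosen profile are written into the ticket's UserData, so nothing per-user has to be kept in Session, and the AuthenticateRequest side reads them back from the ticket on every request. The TicketHelper class name, the "|" separator and the "ProfileId" key in HttpContext.Items are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Assumed helper (not from the thread); lives in App_Code or the login page's code-behind.
public static class TicketHelper
{
    // Call after the credentials have been verified, and again when the Administrator
    // picks a profile: roles and the chosen profile travel inside the encrypted ticket.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] roles, string profileId)
    {
        string userData = string.Join(",", roles) + "|" + profileId;  // e.g. "Admin,Editor|42"
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),    // absolute expiry
            false,                          // not persistent: cookie dies with the browser
            userData,
            FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // keep client script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // honours requireSSL in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in global.asax.
    public static void AttachPrincipal(HttpContext context)
    {
        FormsIdentity id = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;
        FormsAuthenticationTicket ticket = id.Ticket;
        if (ticket.Expired)   // defensive: the module normally rejects expired tickets already
        {
            FormsAuthentication.SignOut();
            return;
        }
        string[] parts = ticket.UserData.Split('|');
        string[] roles = parts[0].Split(',');
        // User.IsInRole() in every Page_Load now reads the ticket, not Session.
        context.User = new GenericPrincipal(id, roles);
        // Per-request scratch space, never shared between users.
        context.Items["ProfileId"] = parts.Length > 1 ? parts[1] : null;
    }
}
```

In global.asax the hook is a single line inside Application_AuthenticateRequest: TicketHelper.AttachPrincipal(HttpContext.Current); pages then read the chosen profile from Context.Items["ProfileId"] instead of Session.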