Passing values that don't expire 2

[MaryNET]

Hello,
If a user checks the chkPersistCookie check box when logging in, I want
their session to never expire:
(they don't have to Log In next time, and their Session will never expire).

My Question is : I need to pass a few values over to the new page.
But they can't expire (like Session's) because that would be
a problem for user who checked the chkPersistCookie check box.

So if I save a value to a Session: Session["MemberID"] = MemberID;
What is the best way to have that value persist
on the next page : Response.Redirect("MemberPage.aspx", true);


LogIn_Click
........
FormsAuthenticationTicket tkt;
string cookiestr;
HttpCookie ck;

tkt = new FormsAuthenticationTicket(1, "DBMJ", DateTime.Now,
DateTime.Now.AddYears(1), chkPersistCookie.Checked, "your custom data");
cookiestr = FormsAuthentication.Encrypt(tkt);
ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);

if (chkPersistCookie.Checked)
ck.Expires = tkt.Expiration;
ck.Path = FormsAuthentication.FormsCookiePath;
Response.Cookies.Add(ck);

Session["MemberID"] = MemberID.ToString();

Response.Redirect("MemberPage.aspx", true);


<location path="MemberPage.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>

Thank you

 

[jmeckley]

If a user checks the chkPersistCookie check box when logging in, I want
their session to never expire:
(they don't have to Log In next time, and their Session will never expire).

this is considered a hughe security hole. and it is also counter to website design.

a better model is to use a sliding expiration. this way the current cookie will stay active between sessions as long as the session occur within the expiration period.

there are probally a couple ways to handle session persistance. Note: every option is really a hack on session, becuase by defination session only exists while the request is current.

1. save session values to a cookie
2. save session values to a serialized object and save to file on server
3. save session values to a serialized object and save to a database

when a session is started load the values from storage into session.
when session is about to expire save the values to storage.

just my $.02 but if a user logs in once and never logged off then what the point of the security model? sure you can track "who" made changes, but this isn't really accurate. any person accessing the computer (physically, locally, or remotely) will be precieved as the logged in user.

i wouldn't trust a system if it didn't let me log out.


Jason Meckley
Programmer
Specialty Bakers, Inc.

 

[MaryNET]

Thanks Jason
>> i wouldn't trust a system if it didn't let me log out.

I have a Log Out button .

This is the kind of site that most people will want to
stay logged in (like this site).
I guess storing an ID in a cookie is the best way to
persist the data but I was thinking viewstate too.

 

[jmeckley]

right, but this site will log you out after so many days of inactivity. that's considered a acceptable security model.

viewstate is only in scope between postbacks. once you leave the page and return the viewstate is reset.
viewstate is the biggest hack against web devlopment too. M$ created it to mimic state in a stateless environment. the more info added to viewstate the longer it takes a page to load.

look at the source code of a gridview with 10 or so rows. the viewstate hidden field is usually twice as big as the actual html output.

cookies are only useful for the local box. if they access the site form muitple machines this may create an issue.

your best bet is to serialize and store the data in a database. a distant second option would be to store it to a file on the server.

Jason Meckley
Programmer
Specialty Bakers, Inc.

 

[jbenson001]

Viewstate is fine if used properly, just like session state.

 

[MaryNET]

Is this the best way to use the ViewState in
my particular situation:

public partial class Members

private string MemberID
{
get
{
if (ViewState["MemberID"] == null)
return null;
return ViewState["MemberID"].ToString();
}
set { ViewState["MemberID"] = value; }
}

protected void Page_Load
if (!IsPostBack)
{
if (MemberID == null)
{
if (Session["MemberID"] != null)
{
MemberID = Session["MemberID"].ToString();
}
else
{
Response.Redirect("login.aspx", true);
}
}

Having touble with the logic on this one

 

[jmeckley]

for a simpler model I would use Session_Start method in Global.asax

public void Session_Start(object sender, EventArgs e)
{
   LoadSession();
   RedirectToLogin();
}

private bool LoadSession()
{
   Session["MemberId"] = string.Empty;
   if(CookieExists())  LoadCookieIntoSession();
}

private void LoadCookieIntoSession()
{
   Session["MemberId"] = //get cookie and set value;
}

private void CookieExists()
{
   //validate cookie exists using HttpContext
}

private void RedirectToLogin()
{
   if(string.IsNullOrEmpty(Session["MemberId"])) Server.Transfer("login.aspx");
}

this code only needs to be placed here and it will validate when the user first logs on after their session last expired.

This assumes all pages require validation. so they must first log in before doing anything. if some pages are publicly accessible (anonymous access) then use either the Begin_Request method, to determine if page requires authentication.

let your pages focus on what they are meant to do. (show products, enter post, update quantity.) the page shouldn't be responsible for authentication, that is left to the context.

to take this even one step further you could create your own IIdentity and IPrinciple and load the values into these objects. then you wouldn't need deal with session either. once loaded you could access them via the context

IPrinciple currentUser = HttpContext.Current.User;
IIdentity identity = currentUser.Identity;

after saying all this, why not just use Forms Authentication? All of this logic would be handled by asp.net automatically. check out David Haydens blog [

http://davidhayden.com/blog/dave/category/21.aspx

] for simple tricks to override the authentication mechanisms, if you have your own custom security model.

Jason Meckley
Programmer
Specialty Bakers, Inc.

 

[MaryNET]

thanks Jason,
>> why not just use Forms Authentication?
I am:

<authentication mode="Forms" >
<forms loginUrl="login.aspx" name="Test"
protection="All" path="/" timeout="30">
</forms>
</authentication>

<location path="MemberPage.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>

 

[jmeckley]

if your using forms authentication, then you don't need to store the login info in viewstate/session, just get it from the User property on the current http context (or from the page itself.)

public class MyPage : Page
{
   protected override void OnLoad(EventArgs e)
   {
      IIdentity user = this.User;
   }
}

Jason Meckley
Programmer
Specialty Bakers, Inc.

 

[kav123]

Can anyone tell me the best method to pick a record from a database using ExecuteReader, and passing it into an arraylist or any collection. I basically want to store all the records into a collection, arraylist or dictionary and then use that to display data.
Currently i have a class, with properties corresponding to the fields, storing them into those properties, and then adding every instance into an ArrayList. Is it possible to access individual properties from the object added to the arraylist, or am i completely in the wrong direction

While objReader.Read
mcp.SurveyQuestion = objReader.GetString(2)
mcp.Option1 = IIf(IsDBNull(objReader.GetValue(3)), " ", objReader.GetString(3))
mcp.Option2 = IIf(IsDBNull(objReader.GetValue(4)), " ", objReader.GetValue(4).ToString)
mcp.Option3 = IIf(IsDBNull(objReader.GetValue(5)), " ", objReader.GetValue(5).ToString)
mcp.Option4 = IIf(IsDBNull(objReader.GetValue(6)), " ", objReader.GetValue(6).ToString)

mcp.Option5 = IIf(IsDBNull(objReader.GetValue(7)), " ", objReader.GetValue(7).ToString)


questionairre.Add(mcp)
End While
where mcp is the instance of the class and questionairre is the Arraylist where i am adding the instance of the object.

Is this a feasible way??

 

[kav123]

Sorry i posted my question in this thread. Ignore the above post by me.