Anas Ghanem : Session

Changing the session ID programmatically.

anas — Tue, 16 Dec 2008 20:48:00 GMT

In this blog, I will show how to change the Assigned session Id programmatically.

You may ask : why I need to change the automatically generated the user session id ? well there is many possible reasons like :

You may use the session ID to track the User activities or to implement audit trails in your system.
Preventing Session Hijacking by generating a new session id after the user logged in.
Removing the user session after logging out.

There could be more reasons that I don't know about them , if you know more reasons feel free to post it in the comments section .

Changing the Session id is an easy task in asp.net.You just need to use SessionIDManager class.

The class contains a lot of helpful methods ,I will list some of them :

CreateSessionID : returns a unique session identifier that is a randomly generated number encoded into a 24-character string.
GetSessionID : gets the session-identifier value from the current Web request.
SaveSessionID : saves a newly created session identifier to the HTTP response.

The rest of methods and class members can be found here.

I will now show a simple code that will print the Current SessionId and Create a new session id and save it to the context.

[Code provided in C# ]

        SessionIDManager Manager = new SessionIDManager();

        string NewID = Manager.CreateSessionID(Context);

        string OldID = Context.Session.SessionID;

        bool redirected = false;

        bool IsAdded = false;

        Manager.SaveSessionID(Context, NewID,out redirected, out IsAdded);

        Response.Write("Old SessionId Is : " + OldID);

        if (IsAdded)

            Response.Write("<br/> New Session ID Is : " + NewID);

        else

            Response.Write("<br/> Session Id did not saved : ");

Hope it helps.

Securing your web site using session

anas — Fri, 07 Nov 2008 12:36:00 GMT

When using Asp.net , there is many ways to secure your web site pages . you can use Windows authentication , Or Forms Authentication services.

Through asp.Net forums, I noticed that there is many developers trying to use the session to secure there web sites.they are doing this by storing some flag in the session , like storing the username , so that they can check this value in the pages to make sure that the user is logged in.

Note: I recommended to not use the session to secure the web site , because session will timeout , and so your users will need to login on every timeout period ( 20 minutes by default) . also when using the session , you will need to manually manage the user roles , while you don't have to worry about that if you used Membership Services.

However, if you still want to use the session ,I will show you how to correctly implement that using a custom base page class .

Note: The Base Class will contains the required checks , and so you need to change your pages to inherit from this custom class instead of inheriting from "System.Web.UI.Page" class which is the Default class for ASPX pages.

Ok , Take a look at the Base Page class Below :

    6 /// <summary>

    7 /// this page will be used as a basePage class for all pages that needs to be secured .

    8 /// so if you want to make some pages secured ,

    9 /// just let them inherit from this class instead of directly  inheriting from System.Web.UI.Page

   10 /// </summary>

   11 ///

   12 public class SecuredPage : System.Web.UI.Page

   13 {

   15     protected string LoginUrl

   16     {

   17         get { return "~/Login.aspx"; }

   18     }

   20     // return true if the current page is the Login Page .

   21     private bool IsLoginPage

   22     {

   23         get {

   24             return VirtualPathUtility.GetFileName(Request.Path).ToLower() ==

   25                 VirtualPathUtility.GetFileName(LoginUrl.ToLower());

   26         }

   27     }

   29     // Property to get/set the UserName from/in the session

   30     private const string UserNameKey = "UserName";

   31     protected string  UserName

   32     {

   33         get

   34         {

   35             return Convert.ToString(Session[UserNameKey]);

   36         }

   37         set {

   38             Session[UserNameKey] = value;

   39         }

   40     }

   42     protected string DefaultPage

   43     {

   44         get {

   45             return "Default.aspx";

   46         }

   47     }

   48     protected void RequestLogin()

   49     {

   50         string CurrentUrl = Request.RawUrl;

   51         Response.Redirect(LoginUrl + "?ReturnUrl=" + Server.HtmlEncode( CurrentUrl));

   52     }

   54     // use this method to redirect the user after sucessfull login ,

   55     // this method will make sure that the user will get redirected to the original url  that was on .

   57     protected void RedirectFromLoginPage(string TargetUrl)

   58     {

   59         if (! string.IsNullOrEmpty(UserName))

   60         {

   61             if (Request.QueryString["ReturnUrl"] != null)

   62             {

   63                 Response.Redirect(Request.QueryString["ReturnUrl"]);

   64             }

   65             else

   66                 Response.Redirect(TargetUrl);

   67         }

   68     }

   70     // you can just call this method , it will automatically redirect to default page ,

   71     protected void RedirectFromLoginPage()

   72     {

   73         RedirectFromLoginPage(DefaultPage);

   74     }

   76     protected override void OnInit(EventArgs e)

   77     {

   78         // if the user is not logged in  , redirect  to Login Page

   79         if (string.IsNullOrEmpty(UserName) && !IsLoginPage)

   80             RequestLogin();

   81         // this needed to initialize its base page class

   82         base.OnInit(e);

   83     }

   84 }

To Use the above class, change your pages to inherit from it, then in the login page , you can handle the Authenticate event for your login control like this :

   18     protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)

   19     {

   20         bool Authenticated = true;

   21         Authenticated = ValidateLogin(Login1.UserName, Login1.Password);

   22         if (Authenticated)

   23         {

   25             // store the user name in the session

   26             UserName = Login1.UserName;

   27             // use this method instead of directly calling response.redirect ,

   28             // because this method will remember the previous page that the user requested ,

   30             RedirectFromLoginPage();

   31         }

   32     }

   34     private bool ValidateLogin(string UserName, string Password)

   35     {

   36         // here you need to check the entered user and pasword ,

   37         //you may need to check the users table in the database ..

   38         //Authenticated= UserBLL.ValidateUser(Login1.UserName, Login1.Password);

   39         // for this  , demo lets just use User:admin and password:admin

   41         // again , instead of this code , you must validate your users based on database or else.

   42         return UserName == "admin" && Password == "admin";

   43     }

Note: RedirectFromLoginPage() method will make sure to send the user back to the page that he/she was on .

I created a demo website that will show you how to use the SecuredPage class in your website , you can download the demo [here].

Hope it helps.

Anas Ghanem

Avoid session loss when using Cookieless sessions with XML Sitemap Provider

anas — Thu, 30 Oct 2008 08:10:00 GMT

In march 2008 , I showed how to avoid losing session when using cookiless sessions with XmlSiteMapPorvider. I mentioned how to quickly fix this issue by handling the Data Bound events of Navigation controls . Since This issue is still reproducible in .Net 3.5 ,I published an article that discusses this issue in more details , Read the article.[Here]

Avoid using the Session in The Page Constructor OR in Page Local Variables

anas — Wed, 07 May 2008 21:50:00 GMT

While I'm helping the Folks on asp.net forums, I noticed that there is a lot of develoeprs trying to access the Http Session in Page Constructor !

Most of them used this to Implement a kind of Secured Base Page that checks the session value ,and if its missing , it will redirect to login or whatever page,

some of them write this Class :

public class AdminSecuredPage : System.Web.UI.Page
{

    public AdminSecuredPage()
    {
        if (Session["AdminUser"] == null) {
            Response.Redirect("~/login.aspx");
        }

    }

}

Note that the above class will throws HttpException ,

which tells :

"Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the <configuration> ..."

well the above exception will be thrown because the session is not ready when the Page constructor was called .

The Solution :

One solution is to Move the Code from Page Constructor to Page_init , Note that the page_init for this class will be called before the the Page_init of its Sub Page Class,

so you can check the Session value as follows:

public class AdminSecuredPage : System.Web.UI.Page
{
    public AdminSecuredPage()
    {}

    protected override void OnInit(EventArgs e)
    {
        // if the user is not Admin , redirect to Login Page
        if (Session["AdminUser"] == null)
            Response.Redirect("~/login.aspx");

        // this needed to initialize its base page class
        base.OnInit(e);
    }
}

Edit 1:

Note that using the session for that purpose is not a good practice , because there is al ready a built in FormsAuthentication services for asp.net,

however , i will not discuss the security approches here...

Edit 2:

I want to mention that you should also avoid accessing the Session in the Page Local Variables , like this example ( look at the Bold word)

Partial Class Page1

Inherits System.Web.UI.Page

Private LocalVar as string=Session("MyVar")

that will also throw the HttpException !

Hope It Helps,

Anas Ghanem

Tip/ Trick: Preventing Session Loss when using Cookieless sessions with TreeView and Menu controls

anas — Sat, 08 Mar 2008 21:16:00 GMT

By default .net runtime uses the cookies to remember the session Id between the requests ,
but when using Cookie less sessions ,the runtime inserts the Session Id to the requested url ,
this way the runtime can remember the session id and prevent the session loss .

The problem is , when using the Menu and TreeView Controls , these controls doesn't handle this issue ,
so when those controls display there data from the Site maps, they didn't append the session id to the Navigation Urls of there Items ,
and so when the User Navigate to a page using those controls , he will redirected to a Url that didn't contains the session Id,
and so the runtime can't extract the session id , Hence the session will be lost .

The Solution:
the solution is to Manually Append the Session Id to NavigateUrl of the Items for those Navigation controls,
we can use HttpContext.Current.Response.ApplyAppPathModifier to modify the Item Urls as Follows:

For the Menu Control , we can use MenuItemDataBound Event Handler to accomplish this:

 protected void Menu1_MenuItemDataBound(object sender, MenuEventArgs e)
 {
   // appened the SessionId to Menu Item URL to Avoid sessin loss
   e.Item.NavigateUrl = HttpContext.Current.Response.ApplyAppPathModifier(e.Item.NavigateUrl);
 }

For the TreeView Control, we can use TreeNodeDataBound to accomplish this

protected void TreeView1_TreeNodeDataBound(object sender, TreeNodeEventArgs e)
  {
    e.Node.NavigateUrl = HttpContext.Current.Response.ApplyAppPathModifier(e.Node.NavigateUrl);
  }

Regards,