Authentication and sessions

Thread starter: SOS

Hi guys,
how can I use sessions to authenticate users?
Before, I used cookies and stored the users' profile in the cookies, but now I
need to do the same work with sessions.

Thanks
 
A session creates a short-term cookie, which refers to the session variables
in memory. The session only lasts 20 mins by default, so you would not use
the session itself for authentication. You can store the authentication info
in a long-term cookie so the user doesn't have to keep logging in. But be sure
not to use this method for access to highly secure info like credit cards,
etc. Other people could be using the computer and gain access.

-Max
 
.NET Follower said:
hi,
basically in login code
we store userid in session
and then check on each page
if that Session[userid] exists

Yeah, I can do that.... but..... we use Windows authentication on our
Intranet so if we detect that the cookie doesn't exist (say, due to 20
mins inactivity) then we re-direct to a login page, but of course
windows thinks that the user is still logged on so immediately
re-authenticates (even if they logged on to the PC using a generic acct
and logged on to the web app thro' IE)

How can we cancel or revoke that (IE set) authentication to make the
user have to re-authenticate to the web app? I have seen a quite
complex method of using forms authentication to authenticate against an
active directory, but this seems to require passwords being sent in plain
text (or the setting up of SSL to protect them.)
One final Q. Session variables relate to that user session (that is the
local browser session)... yes?

1. How do they cope with opening new windows from the original one?

2. can a session variable (which is essentially a cookie) that has been
set by http://intranetserver1/webapp1 be read by
http://intranetserver2/someotherwebapp ? (assuming both apps know the
name of the session var.)
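The "store the user id in Session at login, then check for it on every page" scheme quoted above, written out as an added ASP.NET Web Forms (C#) example; this is not code from the thread. It assumes the login page markup declares TextBox controls txtUser and txtPassword and a Label lblError, and that credentials are verified with the ASP.NET Membership provider (Membership.ValidateUser), which must be configured in web.config.

```csharp
// Added example (not code from the thread): session-based login check in
// ASP.NET Web Forms, C#. Assumed: txtUser, txtPassword and lblError exist in the
// page markup; the Membership provider is configured in web.config.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Login.aspx code-behind.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // Only an opaque session id travels to the browser (the ASP.NET_SessionId
        // cookie); the identity itself stays in server memory, so the client
        // cannot edit it the way it could edit a profile stored in a cookie.
        Session["UserId"] = txtUser.Text;
        Response.Redirect("~/Default.aspx");
    }
}

// Every protected page derives from SecurePage instead of Page, so the check
// lives in one place instead of being copied into each Page_Load.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session["UserId"] == null)
        {
            // Nothing in the session: either the user never logged in or the
            // session timed out (20 minutes idle by default). Back to the login page.
            Response.Redirect("~/Login.aspx", true);
        }
    }

    // The identity established at login, for use by derived pages.
    protected string CurrentUserId
    {
        get { return (string)Session["UserId"]; }
    }
}

// Logout.aspx code-behind: drop the server-side state and expire the cookie
// that referenced it, so the old session id is not presented again.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Session.Abandon();
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty);
        expired.Expires = DateTime.Now.AddDays(-1);
        Response.Cookies.Add(expired);
        Response.Redirect("~/Login.aspx");
    }
}
```

Deriving protected pages from SecurePage is what keeps the check from being forgotten on one page; a page that inherits from plain Page is reachable without a session, so the base class is the thing to review when adding pages.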
 
I'll take a stab at the final Q(s)...

A new window opened from the original one will have the same session
ID. If this is not desired, you will need to handle this.

Security is in place to disallow access to cookies from another
server, or even another virtual web on the same server. You can,
however, place a cookie at the root of a web and access it from
different sub-webs. For instance, you could place a cookie while in
www.domain.com/first/page.aspx and tell it to reside at
www.domain.com. Now another page, let's call it
www.domain.com/second/page.aspx, could get access to that cookie. It is
assumed that if you place the cookie at the root, you have the rights
to do so and that you will want this information from another level of
the same web.

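The cookie scoping Dan describes, and the reason a session cookie set by one server is never sent to another, as an added ASP.NET Web Forms (C#) example; this is not code from the thread. The cookie name "SiteTheme", the host www.domain.com and the Label lblTheme are constructed for illustration.

```csharp
// Added example (not code from the thread): controlling which pages receive a
// cookie in ASP.NET Web Forms, C#. The cookie name "SiteTheme", the host
// www.domain.com and the Label lblTheme are constructed for illustration.
using System;
using System.Web;
using System.Web.UI;

// www.domain.com/first/page.aspx: sets the cookie.
public partial class FirstPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        HttpCookie cookie = new HttpCookie("SiteTheme", "dark");

        // Path decides which URLs on this host the browser sends the cookie to.
        // ASP.NET defaults HttpCookie.Path to "/", the root of the web, which is
        // what lets /second/page.aspx read it; narrowing it to "/first" would keep
        // the cookie within that sub-web only.
        cookie.Path = "/";

        // Domain decides which hosts receive the cookie. Leaving it unset (the
        // default) means only the host that set it, which is why a session cookie
        // from intranetserver1 is never sent to intranetserver2. Widening it to
        // the parent domain is the only way a sibling host could see it, and it
        // should be a deliberate choice:
        //     cookie.Domain = "domain.com";

        cookie.HttpOnly = true;                 // not readable from client script
        cookie.Expires = DateTime.Now.AddDays(30);
        Response.Cookies.Add(cookie);
    }
}

// www.domain.com/second/page.aspx: reads the cookie set by /first/page.aspx.
public partial class SecondPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.Cookies[...] is null when the browser did not send the cookie,
        // e.g. when its Path or Domain excludes this page. Treat the value as
        // untrusted client input: it is a preference, not an identity.
        HttpCookie cookie = Request.Cookies["SiteTheme"];
        string theme = (cookie != null && cookie.Value == "dark") ? "dark" : "light";
        lblTheme.Text = theme;
    }
}
```

The same rules govern the ASP.NET_SessionId cookie: it is host-only and rooted at "/", so every sub-web on the same host shares one session, while a second server receives nothing, even if it knows the session variable's name.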
 
Dan Brussee said:
Security is in place to disallow access to cookies from another
server, or even another virtual web on the same server.

Yes... That's so obvious now that you say it.... The other server may
well know the name of the variable, but it won't know the sessionID set
by server 1.
 