Where do IIS and ASP.NET save authentication info? (sessionState mode="SQLServer")

Kristofer Liljeblad

Hi,

I've successfully set up my machine to use: sessionState mode="SQLServer".
All is up and running so no problems so far. Because I'm a curious person, I
started to play around with the two new tables created on my SQLServer.

Here is what I've done.

1. I've created a web project consisting of two webforms. The first form
(default.aspx) is my test form and it doesn't do much at all. (Actually it
displays the time when you press a button).

2. The second form (login.aspx) handles login requests. If you press a
button then the following code fires:

FormsAuthentication.RedirectFromLoginPage("MyUser", false);

3. I've also set up my web.config file as follows:

<authentication mode="Forms">
  <forms
    loginUrl="Login.aspx"
    name=".ASPXFORMSAUTH"
    protection="All"
    timeout="20" />
</authentication>
<authorization>
  <deny users="?" /> <!-- Deny anonymous (unauthenticated) users -->
</authorization>

4. So basically I have a project that doesn't do much at all. Now to my
test. I start my application by requesting the default.aspx and get
redirected to the login page. I log in by pressing the button (as mentioned
above) and I'm back at the first page (default.aspx) and can watch the time
as I press a button.

5. So what I would like as an administrator of this application is to log off
this user. I thought I could go into the table ASPStateTempSessions and
delete the corresponding row (or all rows to log off all users) BUT if I do
that, then the user still remains logged in and can still watch the clock
change as he clicks the button?!?!?
So what I've done is to remove all information in the two tables
ASPStateTempApplications and ASPStateTempSessions.

6. So the user can still click the button and see what time it is (through
the button on default.aspx) and if I look in the table ASPStateTempSessions,
the session Id is back and as it seems, the user is still logged on to my
web site?!?!

Now to my questions:
* Don't IIS and ASP.NET store authentication information such as UserId in
the session variables?
* If I delete all session information shouldn't the user be logged out?
* Where do IIS and ASP.NET store authentication information if I use
sessionState mode="SQLServer"?

/Kristofer
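
An added example, not part of the original post: Forms authentication carries the login in the encrypted `.ASPXFORMSAUTH` ticket cookie held by the browser, independent of the session-state tables, so an administrator-initiated logoff needs a server-side check on every request. `LoginStamps` and its methods are hypothetical names, and the in-memory table stands in for a shared database table.

```csharp
// Added example (not from the original post). LoginStamps is a hypothetical helper.
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class LoginStamps
{
    // user name -> current stamp. In-memory for illustration only: an application
    // restart invalidates every ticket. Use a shared table on a web farm.
    private static readonly Hashtable stamps = new Hashtable();

    public static string Current(string user)
    {
        lock (stamps)
        {
            if (stamps[user] == null) stamps[user] = Guid.NewGuid().ToString("N");
            return (string)stamps[user];
        }
    }

    // Administrator logoff: every ticket carrying the old stamp stops matching.
    public static void Revoke(string user)
    {
        lock (stamps) { stamps[user] = Guid.NewGuid().ToString("N"); }
    }

    // Call from login.aspx in place of RedirectFromLoginPage, then redirect.
    // The stamp travels in UserData, which survives sliding-expiration renewal.
    public static void SignIn(HttpResponse response, string user)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(20), false, Current(user));
        response.Cookies.Add(new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket)));
    }
}

public class Global : HttpApplication
{
    // Runs after FormsAuthenticationModule has validated the cookie and set Context.User.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null) return;
        FormsIdentity id = Context.User.Identity as FormsIdentity;
        if (id == null || id.Ticket.UserData == LoginStamps.Current(id.Name)) return;
        FormsAuthentication.SignOut();   // expire the stale cookie on the client
        Context.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
    }
}
```

With the `<deny users="?" />` rule from the post, the anonymous principal set on a stale ticket sends that request back to Login.aspx; an admin page would call `LoginStamps.Revoke("MyUser")`.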