winform security: strange error, whereas I expected a redirect


Abubakar

Hi,

I have a statement :
Session["username"].ToString();
somewhere in code and of course it gets the username from the session that I
stored earlier. Now I have security configured in the web.config, as :

<authentication mode="Forms">
  <forms loginUrl="login.aspx" protection="All">
    <credentials passwordFormat="Clear">
      <user name="jack" password="jack"/>
      <user name="alan" password="alan"/>
    </credentials>
  </forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>

When we don't have a session, the security code takes care of redirecting the
users to the login page in case they try to access any page without
authentication. But sometimes it's happening that in the statement:
Session["username"].ToString();
I get an "object reference not set to instance of an object", which I
completely understand: it couldn't find Session["username"] and so the
ToString() failed. But my question is, if the session no longer contains
"username" (it did a few minutes back), it means the session got destroyed,
right? So that means that ASP.NET security should not even let this page
execute its code and redirect to the login page, right?
So what's happening? Why the execution if no session and the security in
place?

Thanks,

...ab
 
.NET authentication does not use session, so the state of session is
independent of authentication. In your case authentication uses a cookie
(a different cookie than session uses).

If you use InProc sessions, then a recycle can happen that clears session
but has no impact on authentication. Also, session and authentication
cookies can have different timeouts.

-- bruce (sqlwork.com)
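
Because the forms-authentication ticket and the session expire independently, as the reply above explains, a request can pass the <deny users="?"> rule and still arrive with an empty session. The following is an added example, not code from this thread: a Global.asax.cs handler that detects that state and expires the ticket too. The class name Global and the constant UserKey are names chosen for the example; "username" is the session key from the question.

```csharp
// Global.asax.cs (added example; not code from the thread)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // "username" is the session key from the question; UserKey is a name
    // chosen for this example.
    private const string UserKey = "username";

    // PostAcquireRequestState is raised once session state for the request
    // has been obtained. AuthenticateRequest and AuthorizeRequest (the
    // <deny users="?"> check) have already run by then, using only the
    // forms-authentication cookie.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;

        // Handlers that do not use session state have no Session object.
        if (ctx.Session == null)
            return;

        // Anonymous requests (for example login.aspx itself) are left to the
        // <authorization> rules.
        if (!ctx.Request.IsAuthenticated)
            return;

        // Ticket and session agree: nothing to do.
        if (ctx.Session[UserKey] != null)
            return;

        // Valid ticket but empty session: InProc recycle or session timeout.
        // Expire the ticket as well so the two states cannot drift apart.
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();

        // RedirectToLoginPage does not end the request; skip straight to
        // EndRequest so the page code that reads Session[UserKey] never runs.
        CompleteRequest();
    }
}
```

Setting the timeout attribute of <forms> and of <sessionState> to the same value narrows the gap, but an InProc recycle can still clear the session early, so the check is still needed.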
 
So can I sort of bind them together so that one expires the other?
