
Application Background Security: The applications are all hosted on a private extranet (and / or a local intranet - depending on the installation instance). So while security is important, it's not as important as if it were an application on the intranet. However, having said that, it is important that the system cannot easily be hacked or hijacked.

The apps: The application comes in 2 parts:

  • Class Library (dll)
  • Authentication Front-end ASP.NET application

The dll is part of the front-end authentication application, and is to be added to other applications ("consumer apps") that require users to be authenticated.

The authentication app is a central store of all users, applications they have access to and permissions levels based on their username.

For consumer apps that have the dll installed, when an end-user hits a page that requires them to be logged in, the consumer app fires them off to the authentication application's login.aspx page along with the appid. The user logs in, and if they have the required permissions the auth app sends them back to the consumer app (via a form with encrypted data) which includes basic data about who the user is (username, realname, job role, organisation etc.) and, importantly, a list of their permission levels for the consumer app.

The consumer app then takes that data, processes it, decrypts it etc. and creates a forms authentication cookie & populates a user class and a user roles class - this is all done from within the dll itself.

The Problem

Now this all works great, and initially all the data was stored in the authentication cookie, in the userdata part of the cookie, however here's the issue...

A consumer app (and there is one central one that has been written in-house) can have lots of permissions (user roles) associated with a single user (mainly application administrators), and so we need something that can hold lots of data, more than the 4KB that the authentication cookie can hold.

So I've attempted to put this into Session variables; well, initially a single session variable called "userdata" holding all the sent-over decrypted data, which I then check when a request is made.

However...

The first issue I had was that the authentication cookie seems to have a longer life-span than the Session does, I think I've fixed this by extending the session to 35 minutes (5 minutes longer than the AuthCookie).

But when the consumer app programmer makes changes to their code (running localhost in debug via Visual Studio 2010) and refreshes the browser, the AuthCookie remains but the Session disappears. Now initially I'm using the default InProc session mode, which I guess could be the issue.

Is my assumption correct? And is there a way of programmatically syncing the session and the AuthCookie?

Any other advice on solving this issue?

1 Answer

Every time your application refreshes (this is likely happening when you are changing the code, but it could happen on the server for various reasons), your user sessions are going to be cleared out.

What you most likely want to do, if I'm reading this correctly, is check for the existence of the cookie in Session_Start and refresh the Session data so that it gets loaded back into the session. The session isn't the most stable thing in the world, and even the Session Timeout isn't always what you think it is.

If you don't already have one, add a Global.asax to your project. If it's C#, edit the Global.asax.cs, or for VB I think it's Global.asax.vb.

protected void Session_Start(object sender, EventArgs e)
{
    // Check for the cookie; if it exists here, then load the data into the session here.
}

7 Comments

The problem with adding a global.asax file is that it needs to be contained within the Code Library (dll) rather than an application itself. I need to be able to call the session on the class constructor as well as the Page_Init as I want to be able to get the user's full name from a webcontrol as well as a page - so it needs to be both on the constructor (in webcontrol) and page_init on web pages.
Session_Start runs immediately when a new Session is made (or a session expires and a new one is created). It will run before your page_init or any web controls. I guess if it needs to go somewhere else, then you can still check if the Authentication cookie exists, if it does, then you need to do something else, send them to the other application? I'm not sure. The question is pretty long and I'm not 100% sure what the application does from it.
The authentication application is an authentication portal; it allows users to login, and sends their basic details including access levels back to the consuming application. So it's like a central login and user management application. What the consumer apps do is anything that requires a user to be logged in.
@Duncan I see. I guess if it's possible to check on Session_Start on the consuming application, if the cookie exists, and it's a new session, if you can refresh the session with the correct information from the authentication application without pushing them over there. Otherwise, I guess you have to send them back to the authenticating one.
What I've decided to do, and it is still to be tested, is basically create the auth cookie and re-add the userdata to the session each time a page is refreshed. Not the best solution, but it looks like Microsoft has kinda dropped the ball with Auth Cookies and Sessions. The sliding expiration for auth cookies is just madness. Oh well, hopefully this'll work.
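The approach the answer and the comment thread converge on (check for a valid forms ticket when the session is missing its data, and reload it, from a helper that lives in the dll so it can be called from Session_Start, Page_Init or a control constructor) looks like this in ASP.NET Web Forms. This is an added example, not code from the question, the answer or any real library. "userdata" is the session key the question uses; IUserDataSource and ConsumerApp.UserDataSource are hypothetical names for however the consumer app re-obtains a user's details and permissions server-side (for instance by asking the authentication application again), since that part is not described on the page. The helper also checks that the cached session data belongs to the user named in the ticket, and checks the ticket's own absolute expiry instead of trusting sliding expiration, which are the two mismatches between cookie and session that cause trouble here.

```csharp
// Added example; not the question's, the answer's or any product's code.
using System;
using System.Web;
using System.Web.Security;

namespace AuthClientLibrary
{
    [Serializable]
    public class UserData
    {
        public string UserName { get; set; }
        public string RealName { get; set; }
        public string[] Permissions { get; set; }
    }

    // Hypothetical: implemented by the consumer app; returns null for an unknown user.
    public interface IUserDataSource
    {
        UserData Load(string userName);
    }

    // Hypothetical holder for the consumer app's IUserDataSource, set at start-up.
    public static class ConsumerApp
    {
        public static IUserDataSource UserDataSource { get; set; }
    }

    public static class UserDataStore
    {
        private const string SessionKey = "userdata"; // key used in the question

        // Returns the current user's data, re-loading it into the session when the forms
        // ticket is still valid but the session has been reset (InProc restart after a
        // code change, app-domain recycle, or the session expiring before the cookie).
        // Safe to call from Session_Start, Page_Init or a control constructor: it only
        // reads the ticket and the session and never redirects.
        public static UserData EnsureLoaded(HttpContext ctx, IUserDataSource source)
        {
            if (ctx == null || ctx.Session == null || source == null) return null;

            FormsAuthenticationTicket ticket = CurrentTicket(ctx);
            if (ticket == null)
            {
                // No valid ticket: stale data must not outlive the login.
                ctx.Session.Remove(SessionKey);
                return null;
            }

            UserData cached = ctx.Session[SessionKey] as UserData;
            // The cached data must belong to the user named in the ticket. A mismatch
            // (another user logged in from the same browser session) discards it.
            if (cached != null &&
                string.Equals(cached.UserName, ticket.Name, StringComparison.OrdinalIgnoreCase))
            {
                return cached;
            }

            UserData fresh = source.Load(ticket.Name);
            if (fresh == null)
            {
                // The central store no longer knows this user: end the login rather than
                // serving pages with empty permissions.
                FormsAuthentication.SignOut();
                ctx.Session.Abandon();
                return null;
            }

            ctx.Session[SessionKey] = fresh;
            return fresh;
        }

        // FormsAuthenticationModule has already decrypted and validated the cookie by the
        // time the session is acquired, so the ticket is read from the identity. Expiry is
        // checked against the ticket's absolute time rather than trusting sliding renewal.
        private static FormsAuthenticationTicket CurrentTicket(HttpContext ctx)
        {
            FormsIdentity identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
            if (identity == null || !identity.IsAuthenticated) return null;
            FormsAuthenticationTicket ticket = identity.Ticket;
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
    }

    // Consumer app side (Global.asax.cs): rehydrate the session whenever a new one starts.
    public class Global : HttpApplication
    {
        protected void Session_Start(object sender, EventArgs e)
        {
            UserDataStore.EnsureLoaded(Context, ConsumerApp.UserDataSource);
        }
    }

    // In a page's Page_Init or a web control's constructor, where Session_Start alone is
    // not enough (for example after Session.Abandon on the same request):
    //   var user = UserDataStore.EnsureLoaded(HttpContext.Current, ConsumerApp.UserDataSource);
    //   if (user == null) FormsAuthentication.RedirectToLoginPage();
}
```

Because EnsureLoaded is idempotent and cheap when the session already holds matching data, calling it from both Session_Start and the dll's page or control code costs one dictionary lookup per request; the reload only happens when the session and the cookie have actually drifted apart.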
