Does the same session continue or is a new session created for the same "USER" when a user logs in from computer 'A' using Firefox.
By my understanding, a 'session is created for that user by the server'.
Now, without closing the browser tab, a user opens a new tab and goes to the same page [that would require the user to log in first].
What will happen?
Will the server continue the same session, making the code recognize the user?
Will the server start a new session for this request and destroy the old session?
Consider the same question, but now the user logs in from another browser. What will happen?
Sessions are based on cookies in which a Session ID is stored. So, it is purely a matter of how the browser stores its cookies.
Generally, browsers share cookies between tabs, so with a new tab the Session ID is preserved and a new session will not be created.
Two different browsers, however, don't share cookies, so in another browser a new session is created.
There are also cookieless sessions. In that case, the session ID is stored in the URL (such as http://www.server.com?sessionId=12345). So obviously in this case if you open a new tab and type the address without sessionId, a new one is created too.
This really all depends on the site programming. But generally you can see tabs sharing a session but different browsers not.
The sessions are not shared between browsers and are only shared between tabs (or windows) if the new tab/window is spawned from the current page (unless a cookieless session is handled via the querystring). When you click a link and say open in a new tab or window or choose to duplicate the current tab/window, both tabs/windows will share the same session. This is browser dependent though and each browser could implement it differently.
It's very easy to test. Create a simple aspx page with a Label and a link back to the current page. In the PageLoad do the following:
    if (Session["Test"] != null)
    {
        Session["Test"] = (int)(Session["Test"]) + 1;
    }
    else
    {
        Session["Test"] = 1;
    }
    yourLabel.Text = Session["Test"].ToString();
Then open the page using different methods. Use an href with target=_blank. The href will make a new tab/window and share the session but loading the page any other way shouldn't.
The user session is usually kept in a cookie which is created by the web server, but is actually stored on the client. If the two Firefox tabs share the cookies, the session will be shared between them. However, if the two tabs don't share the cookies, there will be a server session created for each of them.
Sessions generally do not persist across browsers. If the user opens a new tab and goes back to the log in page and logs in again or if he gets automatically logged in all depends on how the back-end code is written.
If it's a new tab then the same session will be used (because the browser will provide the same session cookie). If it's a different browser, the cookie will not be present and a new session will be started (the session in the other browser will persist assuming you're using a standard session mechanism).
I have an asp.net session that returns previously saved data after a Session.Abandon and Session.Contents.RemoveAll have been applied. Note: This only happens on a single computer running Windows 7 with IE 11. The session variables drop as desired on other IE browsers and Chrome. Also, my development box is running IE 11 and it works fine here. Just this one system seems to have a session ghost.
The code uses a session variable to track an anonymous user that visits the site to provide content. Multiple users may use the same computer so I set up a "change user" routine that Abandons the session and redirect the browser back to the default.aspx page where a login popup requests the new information.
But what results is that every page the "previous user" accessed shows the old user's credentials. Every other page viewed displays the "current user's" credentials. I use one single session variable to track the user through all of these pages.
Change User:
    // Drops session and forces user back to default.aspx to be logged in.
    protected void Change_User(object sender, EventArgs e)
    {
        Session.Abandon();
        Session.Contents.Abandon();
        Session.Contents.RemoveAll();
        Response.Redirect("~/default.aspx");
    }
This sounds like an IE 11 configuration problem to me. But I have never seen a session variable attach itself to a single URL.
Since this is a shared machine between multiple users, it sounds as though the page(s) might be cached locally. Ask the user to try a hard refresh (CTRL+F5) to confirm this. Then check their local settings:
In IE11 under Internet Options -> General Tab, under the "Browsing history" section -> click the Settings button -> the Website Data Settings dialog will appear.
"Check for newer versions of stored pages:" should be set to "Automatically" or "Every time I visit the webpage"
Alternately, you could modify your code to never cache the page(s), for example adding this to your PageLoad event:
Response.Expires = -1;
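An added example, not code from the original posts: a `Change_User` handler that also expires the session cookie, together with cache headers that keep per-user pages out of the browser cache on a shared machine. The class name `PerUserPage` is hypothetical, and `ASP.NET_SessionId` is assumed to be the session cookie name (the ASP.NET default).

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class for every page that renders per-user content.
public class PerUserPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        // Forbid the browser and any proxy from storing this response, so a
        // later user of the same machine is not shown a cached copy.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        base.OnLoad(e);
    }

    // Same role as the Change_User handler in the question.
    protected void Change_User(object sender, EventArgs e)
    {
        Session.Clear();     // drop the values held by the current session
        Session.Abandon();   // end the session when this request completes

        // Abandon() does not change the session ID the browser holds.
        // Blank and expire the cookie so the next request gets a new ID.
        // "ASP.NET_SessionId" is the default name (assumption); adjust it if
        // cookieName is set in <sessionState>.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(expired);

        Response.Redirect("~/default.aspx");
    }
}
```

The cache headers have to be sent with every page that shows user data, which is why they sit in a base class rather than in the logout handler alone.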
I am creating a cookie with a value (like an Id) and adding it to the browser's response context.
So when www.abc.com is called from my application through a click, it auto-logs into the abc.com web site.
When I log out of abc.com without closing the window (www.abc.com) and try to click the link from my application again, it creates a new cookie with a new value but does not auto-login to www.abc.com.
But when I log out from www.abc.com, close the window (www.abc.com) and re-click from my application, it lets me auto-login.
Any ideas?
Telepathic powers: you are deleting cookie from wrong domain (setting cookie on abc.com, but deleting only from www.abc.com).
Make sure that domain for both set and expire cookie calls is the same (either both calls made to/from page on abc.com domain OR domain is set correctly).
@Alexis: Thanks for pointing it out. But I did find the answer. The session was already open from the previous web site. As that wasn't closed, the new web site which got opened when I clicked the link again couldn't establish a brand new session. So the browser couldn't read the session cookie. That is why you always have to close the first one.
But thanks for helping me alexis. But I will remember to add more data in my question from next time onwards.
I am facing a very basic problem while building a website. The website has 10 pages. The problem is that when I log in once, how can I remain logged in throughout the rest of the pages?
Since this question includes tags for asp.net and session variables, I'm not sure what you are missing.
On login form:
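    if (authenticationSucceeded)
    {
        // Mark this session as authenticated.
        HttpContext.Current.Session["loggedin"] = "yes";
    }
On all other pages (except for logout)
    // Session values come back as object; cast to string so that ==
    // compares the value instead of the reference.
    if ((string)HttpContext.Current.Session["loggedin"] == "yes")
    {
        // whatever you do for logged in users.
    }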
That's the basic idea. Although I prefer to access the session variable through an extension method/class that provides type safety and a list of all session variables. The example in that answer is in VB, but you can do the same thing in C#.
There are some possible solutions as below:
Cookies: Store session information in the cookies in the page header
Hidden Form Fields: Maintain the session information in some hidden fields in the page forms
In each option, you need to generate the session key (some encrypted unique key) on the server side and on subsequent requests, you should be able to validate that session key. It's better to regenerate a new session key on each request and expire it after a certain interval. So for an active user, it will keep getting new keys, but an inactive user's session will simply expire.
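An added example, not part of the original answer: one way to issue a session key on the server, validate it, replace it on every request and expire it after an idle interval. It uses a random key from the CSPRNG rather than an encrypted value; `RotatingSessionStore`, its method names and the sample user are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
// Hypothetical in-memory store (not an ASP.NET API): single-use random keys.
public sealed class RotatingSessionStore
{
    private sealed class Entry { public string User; public DateTime LastSeenUtc; }
    private readonly ConcurrentDictionary<string, Entry> _sessions = new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _idleTimeout;
    public RotatingSessionStore(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }
    private static string NewKey()
    {
        var bytes = new byte[32];   // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
        return BitConverter.ToString(bytes).Replace("-", "");   // hex: cookie and form safe
    }

    // Call after a successful login; send the key in the cookie or hidden field.
    public string Create(string user, DateTime nowUtc)
    {
        string key = NewKey();
        _sessions[key] = new Entry { User = user, LastSeenUtc = nowUtc };
        return key;
    }

    // Returns (user, replacement key), or null if the key is unknown or idle too long.
    public Tuple<string, string> ValidateAndRotate(string presentedKey, DateTime nowUtc)
    {
        // TryRemove makes every key single-use, so a replayed old key is rejected.
        if (presentedKey == null || !_sessions.TryRemove(presentedKey, out Entry entry)) return null;
        if (nowUtc - entry.LastSeenUtc > _idleTimeout) return null;   // expired; stays removed
        string next = Create(entry.User, nowUtc);   // fresh key, idle clock restarted
        return Tuple.Create(entry.User, next);
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new RotatingSessionStore(TimeSpan.FromMinutes(20));
        var t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed clock
        string k1 = store.Create("alice", t0);                           // constructed user
        var fresh = store.ValidateAndRotate(k1, t0.AddMinutes(5));
        Console.WriteLine(fresh != null);                                          // current key
        Console.WriteLine(store.ValidateAndRotate(k1, t0.AddMinutes(6)) == null);  // replayed key
        Console.WriteLine(store.ValidateAndRotate(fresh.Item2, t0.AddMinutes(40)) == null); // idle key
    }
}
```

Because tabs of one browser share the cookie, two tabs that send requests at the same moment present the same key and the second one is rejected, so strict per-request rotation needs a short grace window for the previous key if multi-tab use must keep working.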
In one ASP.NET application, we provide a link to open another application. If user clicks on that hyper link, another application will open in new window. The problem is both the applications are using the same session. Is there any way to change the session ID for the new window?
I have already tried abandoning session and clearing sessionID cookie in page load. But it is creating new session id and again both window are accessing the new Session ID. I want to have separate session ID for the two windows.
Is there any way to do that?
I don't think that there is a good way to do this when you are using Session. You may want to think about using Viewstate instead of session for the data that you do not want shared between the two windows.
You can create session ID dynamically based on what application you are working on. When you open another application, you can create new sessions for second application using unique ID.
Same question just using browser tabs instead. The same answer will work for you
asp.net - session - multiple browser tabs - different sessions?
Use the session ID and place it in view state.
Compare the session ID from view state to the session ID in session.
If they are different, it's a new window: create a new session and remember to put the new ID in view state.
I use the forms authentication in my asp.net application and I protect all the pages using:
deny user=*
And when a user logs in, I use:
FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
Now if I use IE6, when I open a window and log in it works, but then if I open a new window, I have to log in again. It seems that a new IE6 window will open a new session or cookie (I am not sure) - how can I avoid this?
There are multiple approaches. I believe the impact for the user should be as little as possible.
You could store the last logged in, or last database action timestamp in your database. Doing so, you can verify if the last action the user had was within a number of minutes. Additionally, you could store the username (not the password) in a cookie on the client. Next time the client opens a new session, you know the username, verify on the database that the last database activity was within a number of minutes, and bypass the login obligation.
The second approach involves changing startup parameters of the client's browser, so that new windows share the session. I do not know whether this is available on all browsers (and versions) and if you are capable of doing this.
Redesign your web application so new windows don't need to be opened, unless they are from within the opened window. If they are opened from an existing, logged in window, you can send a hash key in the query string, which bypasses the login procedure.
These are just a few possibilities which come to mind at this point. If you should require more possibilities, just ask :-)
Do you mean deny user="?"? * means all users, while ? means anonymous users.