CODEWITHSUNDEEP
c#asp.netforms-authenticationiis-8asp.net-session
nitin27verma
nitin27verma

Reputation: 75

Asp.Net Form Authentication : Session change to other recently login user session automatically

My asp.net webform application Hosted on IIS8 in intranet with Form authentication. For a single user at a time, this application is working completely fine. But problem is with more than one user. Taking example of two users to explain the problem.

The problem is when UserA login to the application and perform any navigation. At the same time other UserB login to the application and perform any navigation. Now at the same time if userA refresh there browser then UserA realize that his session converted into the UserB session(loggedin recently), which is strange and odd as well. Both user on different machine/system and location. I don't know what should i call this problem.

I think there is some point that i am missing in my configuration/code. My code and configuration given below.

In C#, after validating the user credentials, i am using below piece of code FormsAuthentication.RedirectFromLoginPage(UserId, false);

In Web.config

<sessionState mode="InProc" timeout="20"></sessionState>    
<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" loginUrl="LogIn.aspx" cookieless="UseCookies" requireSSL="false" path="/" timeout="30" defaultUrl="Welcome.aspx" protection="All"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>

I am accessing my Hosted application with the following URL:

http://SERVER_NAME:8020/LogIn.aspx

Please suggest, what i am doing wrong or missing any important step.

Upvotes: 1

Views: 1413

Answers (1)

Abraham Qian
Abraham Qian

Reputation: 7522

Try to log the SessionID after logged on successfully so that verify these sessions are the same.
Besides, there is a possibility that generating same authentication ticket during the redirection logic. It depends on how we control cookie generation. 

  private void cmdLogin_ServerClick(object sender, System.EventArgs e)
{
   if (ValidateUser(txtUserName.Value,txtUserPass.Value) )
   {
      FormsAuthenticationTicket tkt;
      string cookiestr;
      HttpCookie ck;
      tkt = new FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now, 
DateTime.Now.AddMinutes(30), chkPersistCookie.Checked, "your custom data");
      cookiestr = FormsAuthentication.Encrypt(tkt);
      ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
      if (chkPersistCookie.Checked)
      ck.Expires=tkt.Expiration;
    ck.Path = FormsAuthentication.FormsCookiePath; 
      Response.Cookies.Add(ck);

      string strRedirect;
      strRedirect = Request["ReturnUrl"];
      if (strRedirect==null)
            strRedirect = "default.aspx";
         Response.Redirect(strRedirect, true);
   }
   else
      Response.Redirect("logon.aspx", true);
}

Check this for more details.
https://support.microsoft.com/en-us/help/301240/how-to-implement-forms-based-authentication-in-your-asp-net-applicatio
Feel free to let me know if the problem still exists.

Upvotes: 0

Related Questions