Scrambled Session variables


  1. #1

    I posted this message on but have not received any replies. I thought I would try here as well.

    -------

    I've been working on an app that handles times, expenses and mileage. The problem I am having appears when multiple users run the same page.

    My app uses forms authentication on a login page and if the user is validated I call the code to redirect to the main data entry page.
    Like so:

    ```csharp
    FormsAuthentication.RedirectFromLoginPage(UserID, false);
    ```

    On the data entry page I query Context.User.Identity.Name to get the UserId that I have put there. I stick this value in a session var and my dataset in a separate session var. I pull both these values out when I need them.

    Sounds simple. In fact if only one person runs the app it works beautifully. I pull the User ID out of the session variable all over the place and it works fine.

    The problem comes when multiple people run the app. Every so often the retrieved User ID value is for one of the other users. These people are all running the same data entry page and only that page when the problem happens. Other than setting the Session var when the page is loaded there is NO code anywhere in there that changes the session variable holding the User ID, but periodically it will return the wrong ID.

    I have had others look at the code and I don't change the value. In fact if you refresh the page the Session var will return the correct ID. Then sometime later, when it feels like it, bam, there is someone else’s ID.

    It is as if .NET just decides to return other sessions' info every so often.

    I tried the code on three different machines to rule out a munged dll or bad installation.

    It has been pointed out that I didn't need to put it (Context.User.Identity.Name) in a session var. I've changed it to use Context.User.Identity.Name everywhere.

    Guess what. The value Context.User.Identity.Name changes sporadically just like the session var did.

    In my login page I use a textbox to get the username and then look it up in a database. I normally don't post whole pieces of code but I think that it would be useful if I did. The code below is an ascx called login.ascx. It is embedded in an aspx page called login.aspx which is simply the login user control and a bunch of text explaining the system to the users. Here goes:

    ```csharp
    namespace TimEx
    {
        using System;
        using System.Data;
        using System.Data.SqlClient;
        using System.Security.Principal;
        using System.Web;
        using System.Web.Mail;
        using System.Web.Security;
        using System.Web.UI.WebControls;
        using System.Web.UI.HtmlControls;

        /// <summary>
        /// Summary description for login.
        /// </summary>
        public abstract class login : System.Web.UI.UserControl
        {
            protected System.Web.UI.WebControls.Label login_label;
            protected System.Web.UI.WebControls.Label pwd_label;
            protected System.Web.UI.WebControls.TextBox logon;
            protected System.Web.UI.WebControls.TextBox pwd;
            protected System.Web.UI.WebControls.Label loginprompt;
            protected System.Web.UI.WebControls.Button logoff;
            protected string cnn_String = System.Configuration.ConfigurationSettings.AppSettings["DBConnectionString"];
            protected System.Web.UI.WebControls.Button LoginButton;
            protected System.Web.UI.WebControls.LinkButton ForgetButton;
            protected SqlDataAdapter tempAdapter;
            protected System.Web.UI.WebControls.Panel loginpanel;
            protected System.Web.UI.WebControls.RequiredFieldValidator ReqEmailValidator;
            protected string UserID;

            private void Page_Load(object sender, System.EventArgs e)
            {
                // Put user code to initialize the page here
                // only set the control values if this is not a
                // postback, otherwise we are logging in or signing out
                if (!IsPostBack)
                {
                    if (Request.IsAuthenticated)
                    {
                        HideLoginControls();
                    }
                    else
                    {
                        ShowLoginControls();
                    }
                    this.DataBind();
                }
            }

            #region Web Form Designer generated code
            override protected void OnInit(EventArgs e)
            {
                //
                // CODEGEN: This call is required by the ASP.NET Web Form Designer.
                //
                InitializeComponent();
                base.OnInit(e);
            }

            /// <summary>
            /// Required method for Designer support - do not modify
            /// the contents of this method with the code editor.
            /// </summary>
            private void InitializeComponent()
            {
                this.LoginButton.Click += new System.EventHandler(this.LoginUser);
                this.logoff.Click += new System.EventHandler(this.SignOut);
                this.Load += new System.EventHandler(this.Page_Load);
            }
            #endregion

            public void SignOut(Object sender, EventArgs ea)
            {
                FormsAuthentication.SignOut();
                ShowLoginControls();
                loginprompt.Text = "Login Please";
            }

            private void ShowLoginControls()
            {
                loginprompt.Visible = true;
                loginpanel.Visible = true;
                LoginButton.Visible = true;
                ForgetButton.Visible = true;
                logoff.Visible = false;
            }

            private void HideLoginControls()
            {
                loginpanel.Visible = false;
                loginprompt.Visible = true;
                LoginButton.Visible = false;
                ForgetButton.Visible = false;
                loginprompt.Text = "Welcome";
                logoff.Visible = true;
            }

            public void LoginUser(Object sender, EventArgs ea)
            {
                if (ValidateUser(Request.Form["login:logon"].ToString(), Request.Form["login:pwd"].ToString()))
                {
                    FormsAuthentication.RedirectFromLoginPage(UserID, false);
                    HideLoginControls();
                }
                else
                {
                    loginprompt.Visible = true;
                    loginprompt.Text = "Invalid credentials";
                }
            }

            private bool ValidateUser(string myUserName, string passwd)
            {
                SqlConnection cnn;
                SqlCommand cmd;
                SqlDataReader dr;
                cnn = new SqlConnection(cnn_String);
                cmd = new SqlCommand("Select * from usr join accounts.dbo.users on id = userid where LoginName='" + myUserName + "' and IsActive = 1", cnn);
                cnn.Open();
                dr = cmd.ExecuteReader();
                while (dr.Read())
                {
                    if (string.Compare(dr["Password"].ToString(), passwd, false) == 0)
                    {
                        UserID = dr["UserID"].ToString();
                        cnn.Close();
                        return true;
                    }
                }
                UserID = null;
                cnn.Close();
                return false;
            }
        }
    }
    ```

    If I'm doing something wrong here, please tell me.

    Here is some more info. After making the change of using Context.User.Identity.Name directly rather than sticking it in a session variable, the only thing that I stick in a session variable is the dataset. I populate my dataset on page load, stuff it in a session var and pull it back out when I need it in various events. Mind you this has absolutely nothing to do with the user id which is still randomly changing and then changing back.

    Anyway I decided to remove even this last bit of Session variable usage by putting my dataset in the ViewState. When I do this the problem "appears" to go away. However, the page loading is VERY VERY VERY slow (as you might imagine - sticking a dataset in a web page), so this is not a solution.

    I can't see how this can be a problem in my code unless there is something pathological in the code above.

    On my main page all I ever do is read Context.User.Identity.Name and it periodically returns someone else’s user id, then next page reload it goes back to the right value.

    It would seem to me that either the problem is a race condition of some sort (and the page loads are so slow it doesn't happen anymore) or Microsoft's Session variable code can't handle a moderate sized dataset and blows chunks. I assume that the User.Identity.Name is, under-the-covers, handled by the same code that takes care of session variables.

    The only other possibility, however remote, is that the user id is fine but the server is periodically returning to a user, another user's web page which would look like the user id had changed.

    In short it looks like Microsoft's code is buggy. If the problem is in my code, I would appreciate someone pointing it out; at least I could fix that.

    Some more info. I decided to display the SessionID (Session.SessionID.ToString()) as well as the UserID on every page. When the UserID changes so does the SessionID.

    So it would appear that .NET gets confused about what session is what.

    I am running V1.0.3705 of the .NET framework.

    I would really appreciate any help I can get. This is a pilot project for the company to decide whether to develop new projects in .NET. If we can't figure this out soon we will have to re-implement this system using some other technology.

    Thanks.
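
The `ValidateUser` lookup in the post above builds its SQL by concatenating the submitted login name into the query text, so the input is parsed as part of the statement. As an added example (not the poster's code), here is the same lookup with the login name bound as a parameter; the `LoginChecker` class, the `FindUserId` name and the 64-character column length are assumptions, and the comparison against the stored `Password` column is kept as in the post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

namespace TimEx
{
    // Added example, not the poster's code: the same lookup as ValidateUser in
    // the post, with the login name sent as a bound parameter.
    public sealed class LoginChecker
    {
        private readonly string connectionString;

        public LoginChecker(string connectionString)
        {
            this.connectionString = connectionString;
        }

        // Returns the UserID for a valid login, or null. The id is handed back
        // as a return value instead of being stored in a control field.
        public string FindUserId(string loginName, string password)
        {
            if (loginName == null || password == null) return null;

            // Table and column names come from the query in the post.
            // Assumption: UserID and Password are unambiguous across the join.
            const string sql =
                "SELECT UserID, Password FROM usr " +
                "JOIN accounts.dbo.users ON id = userid " +
                "WHERE LoginName = @login AND IsActive = 1";

            // using blocks close the connection even if the query throws.
            using (SqlConnection cnn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand(sql, cnn))
            {
                // Assumption: LoginName is nvarchar, at most 64 characters.
                cmd.Parameters.Add("@login", SqlDbType.NVarChar, 64).Value = loginName;
                cnn.Open();
                using (SqlDataReader dr = cmd.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        // Case-sensitive, culture-independent comparison.
                        if (string.CompareOrdinal(dr["Password"].ToString(), password) == 0)
                            return dr["UserID"].ToString();
                    }
                }
            }
            return null;
        }
    }
}
```

With this shape, `LoginUser` would pass the returned id to `FormsAuthentication.RedirectFromLoginPage` only when it is not null.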

  2. #2

    Geeze! I have to admit the sheer *length* of your question scares the bageebies out of me! :) Don't have the time to read a book about your problem. Can you give us the Cliff Notes?...and then if someone can help they can always ask you for the unabridged version.

    cheers,

    Cameron
