-2

I am facing a very basic problem while building a website. The website has 10 pages. The problem is that when I log in once, how can I remain logged in throughout the rest of the pages?

Tony

2 Answers

1

Since this question includes tags for asp.net and session variables, I'm not sure what you are missing.

On login form:

// Login page: set the flag only after the credential check has passed
if (authenticationSucceeded) {
    HttpContext.Current.Session["loggedin"] = "yes";
}

On all other pages (except for logout)

// Session[] returns object; cast before comparing, otherwise object == "yes"
// is a reference comparison (compiler warning CS0252) and can be false even
// when the stored value is "yes" (e.g. with out-of-process session state)
if (HttpContext.Current.Session["loggedin"] as string == "yes") {
    // whatever you do for logged in users.
}

That's the basic idea. Although I prefer to access the session variable through an extension method/class that provides type safety and a list of all session variables. The example in that answer is in VB, but you can do the same thing in C#.

jmoreno
  • +1 you back up. Not sure why someone would flag these answers as bad. – TyCobb Nov 11 '12 at 07:57
  • 1
    @TyCobb The session is use a cookie that is not secure and easy can be stolen and used by some other and appear as logged in. So this method is unsecured, easy to made and works, but not good from security side, easy to bypass. – Aristos Nov 11 '12 at 08:00
  • Where did you get an idea like that @Aristos? – Lawrence Johnson Nov 11 '12 at 08:42
  • 1
    @LawrenceJohnson The question to me is not a positive argument to the opposite of what I have write. Of course from the other hand I need to back up what I say, so see http://stackoverflow.com/questions/2448720/different-users-get-the-same-cookie-value-in-aspxanonymous and http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s and http://stackoverflow.com/questions/3720720/how-serious-is-this-new-asp-net-security-vulnerability-and-how-can-i-workaround – Aristos Nov 11 '12 at 08:47
  • 1
    @LawrenceJohnson And take a look to this video http://www.youtube.com/watch?v=yghiC_U2RaM they stole (at this time) a full encrypted cookie - imaging how easy is to stole a non encrypted and secure cookie like the one is used on the sesison. – Aristos Nov 11 '12 at 08:50
  • @Aristos, how exactly do you think any other type of authentication works? And, how exactly do you think that SessionState is not secure? But, most importantly, if you're ruling out cookies as a means for maintaining session, why haven't you posted an answer to the question as to how someone should maintain a login session? – Lawrence Johnson Nov 11 '12 at 08:54
  • @LawrenceJohnson I am not answering because he did not tell us what login he is using. The login that comes with ASP.NET already does what is asked. The login information is stored in a different, unique cookie that is encrypted and connected with some other info about the user. Now, if he is not using the ASP.NET login system, then he must do some work: save it to a cookie - but NOT the session cookie; a new, different, encrypted, encoded, secure cookie. The session is connected to a NON-secure, NON-encrypted cookie. You copy that cookie and you get all the session data. – Aristos Nov 11 '12 at 08:57
  • The last sentence you wrote is misleading; access to the session cookie does NOT give you access to session data. – Lawrence Johnson Nov 11 '12 at 09:04
  • @LawrenceJohnson yes it is; now I understand why you say all that. You do not know how session works. Please, I am not going to prove here how it works; you can find it on Google. But I will explain: the user gets a cookie, then the ASP.NET pages connect this cookie with the user data; if you get this cookie and place it in your browser, you get the session data of the user. Please check this out. http://www.bitspedia.com/2012/05/how-session-works-in-web-applications.html – Aristos Nov 11 '12 at 09:06
  • You get the session of the user, you do not get the session data. The data is stored in the server's memory. The session cookie is simply a key that references that memory. The data itself is not held in the session cookie. – Lawrence Johnson Nov 11 '12 at 11:57
-1

There are some possible solutions as below:

  1. Cookies: Store session information in the cookies in the page header
  2. Hidden Form Fields: Maintain the session information in some hidden fields in the page forms

In each option, you need to generate the session key (some encrypted unique key) on the server side, and on subsequent requests you should be able to validate that session key. It's better to regenerate a new session key on each request and expire it after a certain interval. So an active user will keep getting new keys, but an inactive user's session will simply expire.

Yogendra Singh
  • +1 you back up. Not sure why someone would flag these answers as bad. – TyCobb Nov 11 '12 at 07:56
  • 1
    @TyCobb How a hidden form field can maintain the session on page forms ? From page to page this fields are not transmitted. Also here the session is not secure because is keeped on a cookie that is not encrypted and not secure. – Aristos Nov 11 '12 at 08:05
  • @Aristos is correct. You should be leveraging Session State. Cookies would be fine, but in order to make it secure you'd have to duplicate what SessionState already does. – Lawrence Johnson Nov 11 '12 at 08:44
  • @Aristos: It's an option. You need to maintain the hidden fields in all the pages and do the handling. I never said it will automatically move from page to page. I have seen instances where common hidden fields are included in common page fragments such as the footer. – Yogendra Singh Nov 11 '12 at 15:06
  • @LawrenceJohnson: I just mentioned the options, which should be handled appropriately. What's wrong in using the hidden fields if they are maintained and handled properly? – Yogendra Singh Nov 11 '12 at 15:07
  • @Aristos: Also, to add, I mentioned generating encrypted and unique keys each time. Please read the last paragraph in the answer. – Yogendra Singh Nov 11 '12 at 15:17
  • @YogendraSingh It is very clear what I have said in my comments. You cannot save in the fields session information that can be transmitted from page to page. Now, a unique, encrypted cookie is the place to save the login credential, but not the session information as you say. – Aristos Nov 11 '12 at 16:23
  • @Aristos: Looks like we are not getting each other. I am still convinced of my answer. Your inputs and vote are also available. Debate closed :) – Yogendra Singh Nov 11 '12 at 16:34
  • @YogendraSingh The point is that we both try to help each other with good intentions, so it does not matter if we are not getting each other; we exchange what we can. – Aristos Nov 11 '12 at 17:53
  • @Aristos: I would like to chat more. Let's join the chat room and try understanding. – Yogendra Singh Nov 11 '12 at 18:01
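One way to make the design in this answer concrete, as an added example that is not code from either answer or from ASP.NET itself: a framework-independent Python model of a cookie-keyed server-side session store. It combines the first answer's Session["loggedin"] flag with this answer's server-generated key, per-request rotation and idle expiry, and it also shows the point argued in the comments: the cookie (or hidden field) carries only an opaque key, the data lives on the server, and whoever presents a valid key is treated as that user until the key is rotated or expires. SessionStore, login, page, logout, DEMO_USERS and the 20-minute IDLE_TIMEOUT are all assumptions made for this example.

```python
"""Framework-independent model of cookie-keyed server-side sessions.

Added example; not code from either answer or from ASP.NET. It models what
ASP.NET Session does for the first answer's "loggedin" flag, plus the
second answer's design: a random server-generated key, validated on every
request, rotated on each request, and expired when idle. Only the opaque
key ever reaches the client (cookie or hidden field); the data stays in
the server-side dictionary below.
"""
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; assumption (ASP.NET's default is also 20 minutes)

# Constructed demo credential table. A real login page stores a password
# hash, never the plaintext; plaintext is used here only to keep the
# example self-contained.
DEMO_USERS = {"tony": "correct horse battery staple"}


class SessionStore:
    """Server-side store: key -> {"data": {...}, "last_seen": timestamp}."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _new_key():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; unguessable

    def create(self, data):
        key = self._new_key()
        self._sessions[key] = {"data": dict(data), "last_seen": self._clock()}
        return key

    def touch(self, key):
        """Validate a presented key. Returns (new_key, data), or (None, None)
        when the key is unknown or the session has been idle too long.
        The presented key is retired and a fresh one issued (rotation), so a
        captured key stops working as soon as the real user makes a request."""
        entry = self._sessions.pop(key, None)  # the old key is dead either way
        if entry is None:
            return None, None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            return None, None  # idle expiry: data discarded, key not reissued
        entry["last_seen"] = now
        new_key = self._new_key()
        self._sessions[new_key] = entry  # same data, new key
        return new_key, entry["data"]

    def destroy(self, key):
        """Logout: drop the server-side entry; the cookie value is then worthless."""
        self._sessions.pop(key, None)


def login(store, username, password):
    """Login page. On success create the session carrying the first answer's
    flag and return the key to send as the cookie value; otherwise None."""
    expected = DEMO_USERS.get(username)
    if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
        return None
    # Would go out as: Set-Cookie: SID=<key>; HttpOnly; Secure; SameSite=Lax
    return store.create({"loggedin": "yes", "user": username})


def page(store, cookie_key):
    """Any of the other nine pages. Returns (new_cookie_key, response)."""
    new_key, data = store.touch(cookie_key)
    if data is None or data.get("loggedin") != "yes":
        return None, "302 -> /login"
    return new_key, "200 hello " + data["user"]


def logout(store, cookie_key):
    store.destroy(cookie_key)
    return None, "302 -> /login"  # also expire the cookie on the client


if __name__ == "__main__":
    store = SessionStore()
    sid = login(store, "tony", "correct horse battery staple")
    for _ in range(3):  # three page views, three different keys
        sid, body = page(store, sid)
        print(sid[:8] + "...", body)
    stolen = sid  # attacker copies the current cookie value
    sid, body = page(store, sid)  # victim browses on, key rotates
    print("attacker replays stolen key:", page(store, stolen)[1])
    print("logout:", logout(store, sid)[1], "; afterwards:", page(store, sid)[1])
```

Rotation limits how long a copied key stays useful, but it does not change the basic property the comments argue about: until the victim's next request or the idle timeout, anyone holding the key is that user, which is why the key must only travel over HTTPS in an HttpOnly, Secure cookie (or in a hidden field on an HTTPS form) and never be logged or placed in a URL.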