Last post Jan 17, 2011 03:21 AM by Mazenx
Jan 12, 2011 05:12 PM|Mazenx|LINK
Hello all , I am thinking to create my own custom session handler , so I'll inherit
and create my own methods to save id/remove id/clear id , but my question is .
I'll save somekind of dictionary object in an sql server table that's mixing between the session id and ( my question goes here , what can i use to identify my users?? ip address?? they could access my site from a network that's sharing the ip address )
Jan 17, 2011 12:48 AM|Wenchao Zeng - MSFT|LINK
You can store the Session ID into
cookie to identify users. It is the mechanism of ASP.NET Session State. For more information, please see
The SessionID property is used to uniquely identify a browser with session data on the server. The SessionID value is randomly generated by ASP.NET and stored in a non-expiring session cookie in the browser.
The SessionID value is then sent in a cookie with each request to the ASP.NET application.
Oh. Instead of completely creating a new custom session handler, you can just implement a Session State Store Provider to store session data. Please see
Implementing a Session-State Store Provider for more information.
ASP.NET session state is designed to enable you to store user session data in different sources. By default, session state values and information are stored in memory within the ASP.NET process. One alternative
is to store session data in a state server, which keeps session data in a separate process and retains it if the ASP.NET application is shut down and restarted. Another alternative is to store session data in a SQL Server database, where it can be shared by
multiple Web servers.
Hope this helps.
Jan 17, 2011 01:53 AM|Mazenx|LINK
my idea was to create a session object when cookies are disabled , if cookies are enabled then i can store in session/cookies , but I want to change the session handler to my handler at runtime if cookies are disabled.
Jan 17, 2011 02:10 AM|Wenchao Zeng - MSFT|LINK
If cookie is disabled, you can save Session ID in URL. And then use URL Rewriting or URL Routing to transfer the request to the right page. Please see
Cookieless ASP.NET for more information.
The main reason for cookieless sessions in ASP.NET is that users—for whatever reasons—may have cookies disabled on their browsers. Like it or not, this is a situation you have to face if your application requires
session state. Cookieless sessions embed the session ID in the URL and obtain a two-fold result. On the one hand, they provide a way for the Web site to correctly identify the user making the request. On the other hand, though, they make the session ID clearly
visible to potential hackers who can easily steal it and represent themselves as you.
I think, to identify a user, we really need to store a ticket in the client. Otherwise it is hard to identify a user unless you can get the
MAC address of the user.
Jan 17, 2011 02:15 AM|Mazenx|LINK
I wanted to run away from the ugly url that's why I dont want to use URI mode , I was thinking to create a hiddenfield in my masterpage to store in that my session id .
Jan 17, 2011 02:30 AM|Wenchao Zeng - MSFT|LINK
Yeah, you can hidden field or view state. But please note that these variables are only sent to the server in the post back. That means if the user
opens another page via a hyperlink, the variables in hidden field or view state are not sent to the server, the session will lost.
Jan 17, 2011 02:35 AM|Mazenx|LINK
Where do you think i shall save it then?
Jan 17, 2011 02:49 AM|Wenchao Zeng - MSFT|LINK
Well, as far as I know, the only two places we can use to save Session ID are
cookie and URL. Otherwise the user might need to install some browser plugins to support saving data directly in the disk or to access MAC address.
Anyway, this is just what I think. Maybe
Session Identifiers will give you some ideas.
Jan 17, 2011 02:59 AM|Mazenx|LINK
are you telling me a site like asp.net if i disable session they loose all session state and cookies ?? I dont see any thing written in the url ??
Jan 17, 2011 03:11 AM|Wenchao Zeng - MSFT|LINK
are you telling me a site like asp.net if i disable session they loose all session state and cookies ??
If you disable cookie for asp.net site, you cannot log in this site. Many sites only use cookie to store the ticket to identify users. You can have a try.
I dont see any thing written in the url ??
It is not using cookieless Session State. So it will lose session data unless you enable cookie.
Jan 17, 2011 03:21 AM|Mazenx|LINK
mmmmm I dont know , nor asp.net nor google are allowing you to login without cookies , am i asking for the impossible?? anyway thanks for the help I appreciate it.