Ok, let me try to explain my problem the best way I can. I have a site, hitplay.net. When a member logs into the site with their username and password I create a cookie for them. The code that does this is:

```csharp
if (Validated)
{
    MasterPage.MemberShip MemberData = Master.GetMemberData(userName);

    //create cookie here
    HttpCookie aCookie = new HttpCookie("userInfo");
    aCookie.Values["userName"] = MemberData.UserName;
    aCookie.Values["passWord"] = MemberData.PassWord;
    aCookie.Values["lastVisit"] = DateTime.Now.ToString();
    aCookie.Expires = DateTime.Now.AddDays(60);

    //add cookie to response.
    Response.Cookies.Add(aCookie);

    //create session
    LoadSessionID();
    Session.LoggedIn = true;
    Session.DisplayName = MemberData.UserName;
    Session.LastAcess = DateTime.Now;
    Response.Redirect("account.aspx");
}
```

Now you can see I create the cookie 'userInfo' and I add it to the HTTP response. The problem is that the cookie seems to disappear. I have no idea why. It should not expire, I have it set to 60 days. I open the browser and the cookie is in my browser after it says I have been logged out.
Here is where I request the cookie and recycle the session so the user remains logged in. On every page I call LoadSessionID(). What this function attempts to do is take the SessionID for the current user context and then request the "userInfo" cookie that was created by the login page. It then reads the data from that cookie and sets the current session's UserSession object with that data. Here is a look at the code for that:

```csharp
/// <summary>
/// Load Current User Session ID
/// </summary>
public void LoadSessionID()
{
    //key the session id for this user
    SessionID = HttpContext.Current.Session.SessionID;

    //check if session was added
    if (Sessions.ContainsKey(SessionID))
    {
        //check if cookie exists
        if (HttpContext.Current.Request.Cookies["userInfo"] != null)
        {
            string username = HttpContext.Current.Request.Cookies["userInfo"]["userName"];
            string password = HttpContext.Current.Request.Cookies["userInfo"]["passWord"];
            string lastAccessed = HttpContext.Current.Request.Cookies["userInfo"]["lastVisit"];
            DateTime Expires = HttpContext.Current.Request.Cookies["userInfo"].Expires;

            SessionID = HttpContext.Current.Session.SessionID;
            Session.LoggedIn = true;
            Session.DisplayName = username;
            Session.Pass = password;
            Session.LastAcess = DateTime.Now;
            Session.Name = username;
        }
    }
    else
    {
        SessionID = HttpContext.Current.Session.SessionID;
        if (!Sessions.ContainsKey(SessionID))
            Sessions.Add(SessionID, new UserSession(SessionID));
    }
}

/// <summary>
/// Current User Session ID
/// </summary>
public string SessionID;

/// <summary>
/// Current User Session
/// </summary>
public UserSession Session
{
    get
    {
        if (Sessions.ContainsKey(SessionID))
            return Sessions[SessionID];
        else
            return null;
    }
    set
    {
        Sessions[SessionID] = value;
    }
}
```

The cookie dies. The user is logged out. Please help. If you want to see the bug in action visit hitplay.net/login.aspx login info: test/test. I will send $30 to whoever can fix it. msn:
I fixed this myself. What I did was store the cookie on my server and match them by user host address. Here is how I fixed it if anybody is interested:

```csharp
public void LoadSessionID()
{
    //key the session id for this user
    SessionID = HttpContext.Current.Session.SessionID;
    string s = DirPath;
    string IP = HttpContext.Current.Request.UserHostAddress;
    FileInfo[] Users = GetSavedUsers;
    UserData CurrentUser = GetUserDataByIpAddress(IP);

    //User Found, Log him back in
    if (CurrentUser != null)
    {
        bool IsAdmin = ((int)CurrentUser.Value == 1) ? true : false;
        if (!Sessions.ContainsKey(SessionID))
        {
            Sessions.Add(SessionID, new UserSession(SessionID)
            {
                Banned = false,
                LoggedIn = true,
                LastAcess = DateTime.Now,
                DisplayName = CurrentUser.UserName,
                IsAdmin = IsAdmin,
                Name = CurrentUser.UserName
            });
        }
        else
        {
            if (CurrentUser != null)
            {
                Sessions[SessionID].LoggedIn = true;
                Sessions[SessionID].LastAcess = DateTime.Now;
                Sessions[SessionID].DisplayName = CurrentUser.UserName;
                Sessions[SessionID].Name = CurrentUser.UserName;
            }
        }
    }
    else
    {
        //User not found, Create a new session for him.
        if (!Sessions.ContainsKey(SessionID))
            Sessions.Add(SessionID, new UserSession(SessionID));
    }
}
```

Thanks anyways.
With the method that you have used, doesn't that mean that anyone with the same IP will be logged in automatically to the previous user's account if they have not logged out? So people using proxies will automatically be logged in if someone, on the same proxy, has logged in before them... Or even people that are sharing a network such as a public wifi, or work/school LAN? This may not ever happen, and probably isn't that big of an issue because it's not like you're a bank or anything, but it could still be an issue...
Hm, you're right, but I make it so both users are logged out if two have the same IP, so one would have to log back in and get validated, and the one with the correct creds would get through. Do you have a better idea? I can't get the cookie issue working so that's why I did it this way.
I will have a look at it shortly. I mainly use VB but can still understand C#. I tested it by logging in on my PC and then opened up the page on a different computer (same network) and was already logged in... which isn't what you want.
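
Added example, not part of the thread and not any poster's code: a persistent-login cookie that carries a random per-browser token instead of the password, so a second machine on the same IP is not logged in. `RememberMe`, `Issue` and `TryRestore` are hypothetical names and the in-memory store is an assumption; `TryRestore` is meant to run on every request, whereas the first posted `LoadSessionID()` only reads the cookie when the session id is already in `Sessions`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example; class and method names are hypothetical.
public static class RememberMe
{
    private sealed class Entry { public string UserName; public DateTime ExpiresUtc; }

    // SHA-256(token) -> owner. Assumption: kept in memory for brevity; a real
    // site would store this with the member records so it survives restarts.
    private static readonly ConcurrentDictionary<string, Entry> Tokens =
        new ConcurrentDictionary<string, Entry>();

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Call after the password check succeeds; add the result to Response.Cookies.
    public static HttpCookie Issue(string userName, bool httpsOnly)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "");   // 64 hex chars
        DateTime expires = DateTime.UtcNow.AddDays(60);
        Tokens[Hash(token)] = new Entry { UserName = userName, ExpiresUtc = expires };
        return new HttpCookie("userInfo", token)
        {
            Expires = expires,
            HttpOnly = true,     // not readable from page script
            Secure = httpsOnly   // true when the site is served over HTTPS
        };
    }

    // Returns the user name, or null when the cookie is missing, unknown or expired.
    public static string TryRestore(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies["userInfo"];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        Entry entry;
        if (!Tokens.TryGetValue(Hash(cookie.Value), out entry)) return null;
        if (entry.ExpiresUtc < DateTime.UtcNow) return null;
        return entry.UserName;
    }
}
```

On logout, remove the token's entry from the store and send the cookie back with an expiry in the past.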