ASP.NET c# - Cookies problem

Ok, let me try to explain my problem the best way i can.


I have a site, hitplay.net

When a member logs into the site with there username and password
i create a cookie for them.

the code that does this is

 if (Validated)
        {
           MasterPage.MemberShip MemberData = Master.GetMemberData(userName);




            //create cookie here
           HttpCookie aCookie = new HttpCookie("userInfo");
           aCookie.Values["userName"] = MemberData.UserName;
           aCookie.Values["passWord"] = MemberData.PassWord;
           aCookie.Values["lastVisit"] = DateTime.Now.ToString();
           aCookie.Expires = DateTime.Now.AddDays(60);



           //add cookie to response.
           Response.Cookies.Add(aCookie);


            //create session
            LoadSessionID();
            Session.LoggedIn = true;
            Session.DisplayName = MemberData.UserName;
            Session.LastAcess = DateTime.Now;
            Response.Redirect("account.aspx");

        }

Code (markup):

Now you can see i create the cookie 'userInfo' and i add it to the http response, the problem is that the cookie seems to disappear. I have no idea why, It should not expires, I have it set to 60 days.

I open the browser and the cookie is in my browser after it says i have been logged out.



Here is where i request the cookie and recycle the session so the user remains logged in


On every page i loadSessionID(), what this function attempts to do is takes the SessionID for the current user context and then requests the "userInfo" cookie that was created by the login page, it then reads the data from that cookie and sets the current sessions object UserSession with that data

here is a look at the code for that:

    /// <summary>
    /// Load Current User Session ID
    /// </summary>
    public void LoadSessionID()
    {

        //key the session id for this user
        SessionID = HttpContext.Current.Session.SessionID;

        //check if session was added
        if (Sessions.ContainsKey(SessionID))
        {
            //check if cookie exists
            if (HttpContext.Current.Request.Cookies["userInfo"] != null)
            {
                string username = HttpContext.Current.Request.Cookies["userInfo"]["userName"];
                string password = HttpContext.Current.Request.Cookies["userInfo"]["passWord"];
                string lastAccessed = HttpContext.Current.Request.Cookies["userInfo"]["lastVisit"];
                DateTime Expires = HttpContext.Current.Request.Cookies["userInfo"].Expires;
                SessionID = HttpContext.Current.Session.SessionID;

                Session.LoggedIn = true;
                Session.DisplayName = username;
                Session.Pass = password;
                Session.LastAcess = DateTime.Now;
                Session.Name = username;
            }
        }
        else
        {
            SessionID = HttpContext.Current.Session.SessionID;
            if (!Sessions.ContainsKey(SessionID))
                Sessions.Add(SessionID, new UserSession(SessionID));
        }
    }

    /// <summary>
    /// Current User Session ID
    /// </summary>
    public string SessionID;

    /// <summary>
    /// Current User Session
    /// </summary>
    public UserSession Session
    {
        get
        {
            if (Sessions.ContainsKey(SessionID))
                return Sessions[SessionID];
            else return null;

        }
        set
        {
            Sessions[SessionID] = value;
        }
    }

Code (markup):

The cookie dies. The user is logged out. Please help

if you want to see the bug in action visit hitplay.net/login.aspx
login info: test/test


i will send $30 to whoever can fix it
msn:

 

whirlpool ride i \m on

 

i fixed this myself. what i did was store the cookie on my server and match them by user host address.

here is how i fixed it if anybody is interested

public void LoadSessionID()
    {
        //key the session id for this user
        SessionID = HttpContext.Current.Session.SessionID;

        string s = DirPath;
        string IP = HttpContext.Current.Request.UserHostAddress;
        FileInfo[] Users = GetSavedUsers;
        UserData CurrentUser = GetUserDataByIpAddress(IP);

        //User Found, Log him back in
        if (CurrentUser != null)
        {
            bool IsAdmin = ((int)CurrentUser.Value == 1) ? true : false;
            if (!Sessions.ContainsKey(SessionID))
            {
                Sessions.Add(SessionID, new UserSession(SessionID)
                {
                    Banned = false,
                    LoggedIn = true,
                    LastAcess = DateTime.Now,
                    DisplayName = CurrentUser.UserName,
                    IsAdmin = IsAdmin,
                    Name = CurrentUser.UserName
                });
            }
            else
            {
                if (CurrentUser != null)
                {
                    Sessions[SessionID].LoggedIn = true;
                    Sessions[SessionID].LastAcess = DateTime.Now;
                    Sessions[SessionID].DisplayName = CurrentUser.UserName;
                    Sessions[SessionID].Name = CurrentUser.UserName;
                }
            }
        }
        else
        {
            //User not found, Create a new session for him.
            if (!Sessions.ContainsKey(SessionID))
                Sessions.Add(SessionID, new UserSession(SessionID));
        }
    }

Code (markup):

thanks anyways

 

With the method that you have used, doesn't that mean that anyone with the same IP will be logged in automatically to the previous users account if they have not logged out? So people using proxies will automatically be logged in if someone, on the same proxy, has logged in before them... Or even people that are sharing a network such as a public wifi, or work/school LAN? This may not ever happen, and probably isn't that big of an issue because it's not like your a bank or anything, but it could still be an issue...

 

hm your right, but i make it so both users are logged out if two have the same ip, so one would have to log back in and get validated, and the one with the correct creds would get thru.

do you have a better idea? i cant get the cookie issue working so that's why i did it this way

 

I will have a look at it shortly. I mainly use VB but can still understand C#.
I tested it by logging in on my pc and then opened up the oage on a different computer (same network) and was already logged in... which isn't what you want.

 

Just check whetehr your browser is supporting cookies or not

 

any decent browser supports cookies... it's just a matter of whether they are enabled.