Dealing with multiple users logging in to site

deungelmaigy

New Member
In my ASP.NET C# website I am attempting to use Sessions to allow users to log in and navigate throughout the secure pages while the session is valid. If for whatever reason they time out or sign out, they are to be redirected to the landing page. Currently the site only allows one user to be logged in at a time. It seems apparent that the session information is being stored incorrectly, but I don't understand where or why this occurs. If you access the page using another browser, you can see the code pulling information out of the session (like the username) that it should not know.

I want to allow multiple valid users to be logged in simultaneously and have no adverse effect on each other while doing so. If you need further information than the code samples I post below, please ask.

My Login page:

[code]
//Login.ascx.cs
...
private void Login_Click(object sender, EventArgs e)
{
    if (sender == null || e == null)
    {
        throw new ArgumentNullException("Null Exception: Login_Click");
    }

    User user = new User();
    user.Login(_username.Text, _password.Text);

    if (user.IsValid() && user.GetIsUser() != false)
    {
        user.Save();
        Session["Username"] = _username.Text;
        Response.Redirect("Secure/Default.aspx");
    }
    else
    {
        DisplayErrors(user._validationErrors);
    }

    _errors.Text = errorMessage;
}
[/code]

The welcome page (first secure page a user sees):

[code]
private void Page_Load(object sender, System.EventArgs e)
{
    Business.User user = new Business.User();
    _labelUsername.Text = MySession.Current.Username;
    _labelCompanyId.Text = MySession.Current.CompanyId;
    redirectLogin = "../Default.aspx";

    //redirect if any conditions fail for user validation.
    if (sessionKey != MySession.GetSessionId() || (string)Session["Username"] != _labelUsername.Text)
    {
        Response.Redirect(redirectLogin);
    }
    else
    {
        Debug.WriteLine("Welcome SUCCESS: " + _labelUsername.Text);
        Debug.WriteLine("Welcome " + sessionKey);
    }
}
[/code]

And finally the User page that includes SQL Query:

[code]
public static string dataUsername;
public static string dataCompanyId;

private const string _getUserByUsernameQuery = @"
SELECT [User].[username], [Company].[name]
FROM [User] WITH (NOLOCK) INNER JOIN [Company] WITH (NOLOCK)
ON [User].[companyId] = [Company].[id]
WHERE [User].[username] = @username AND [User].[password] = @password";

private string _username;
private string _companyid;

public User()
{
}

public void Login (string username, string password)
{
    using (SqlConnection connection = new SqlConnection(SQLConfiguration.ConnectionString))
    {
        SqlCommand command = new SqlCommand(_getUserByUsernameQuery, connection);
        command.Parameters.AddWithValue("@username", username);
        command.Parameters.AddWithValue("@password", password);
        connection.Open();

        using (SqlDataReader reader = command.ExecuteReader())
        {
            if (reader.Read())
            {
                Username = Convert.ToString(reader["username"]);
                CompanyId = Convert.ToString(reader["name"]);
                dataUsername = Username;
                dataCompanyId = CompanyId;
            }
        }
    }
}

#region Properties
public string Username
{
    get { return _username; }
    set { _username = value; }
}

public string CompanyId
{
    get { return _companyid; }
    set { _companyid = value; }
}
#endregion
[/code]

EDIT: In response to some of the questions:

[code]
//in the first accessed page for secure users, before 'Page_load'
public static string sessionKey
{
    get { return MySession.GetSessionId(); }
}
...
//in my 'MySession' class
public static string GetSessionId()
{
    return System.Web.HttpContext.Current.Session.SessionID;
}
[/code]
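The User class in the post copies the logged-in user's details into the static fields `dataUsername` and `dataCompanyId`. The following is an added example, not part of the original post, showing that a static field holds one value for the whole process while a value keyed by session ID stays separate per user. `FakeSessionStore`, `SharedUser` and `PerSessionUser` are hypothetical names, and the dictionary is a constructed stand-in for ASP.NET's `Session` so the program runs as a console app.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for ASP.NET session state: one dictionary per session ID.
static class FakeSessionStore
{
    static readonly Dictionary<string, Dictionary<string, object>> Sessions =
        new Dictionary<string, Dictionary<string, object>>();

    public static Dictionary<string, object> For(string sessionId)
    {
        if (!Sessions.TryGetValue(sessionId, out var bag))
            Sessions[sessionId] = bag = new Dictionary<string, object>();
        return bag;
    }
}

// Shared pattern: a static field exists once per process, so every request sees the last write.
static class SharedUser
{
    public static string dataUsername;
}

// Per-session pattern: the value is stored under the caller's own session ID.
static class PerSessionUser
{
    public static void SetUsername(string sessionId, string name) =>
        FakeSessionStore.For(sessionId)["Username"] = name;

    public static string GetUsername(string sessionId) =>
        FakeSessionStore.For(sessionId).TryGetValue("Username", out var v) ? (string)v : null;
}

static class Program
{
    static void Main()
    {
        // Two constructed sessions, as if from two different browsers.
        const string sessionA = "session-A", sessionB = "session-B";

        SharedUser.dataUsername = "alice";   // browser A logs in
        SharedUser.dataUsername = "bob";     // browser B logs in afterwards
        Console.WriteLine("static, seen by A:      " + SharedUser.dataUsername);

        PerSessionUser.SetUsername(sessionA, "alice");
        PerSessionUser.SetUsername(sessionB, "bob");
        Console.WriteLine("per-session, seen by A: " + PerSessionUser.GetUsername(sessionA));
        Console.WriteLine("per-session, seen by B: " + PerSessionUser.GetUsername(sessionB));
    }
}
```

In the real site the per-session variant corresponds to reading and writing `Session["Username"]` (as the Login page already does) instead of static members.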
 