Calling `SessionIDManager.RemoveSessionID` followed by `SaveSessionID` drops everything stored under the old session ID. The only way to keep that data is to move it yourself. The helper below does this by reaching into the private fields of `SessionStateModule` via reflection; it is specific to classic ASP.NET (System.Web) and may break on a framework version whose internal field names differ, so it fails with an exception rather than silently leaving the old (possibly attacker-chosen) ID in place. Call it from the login button handler after the credentials have been verified and before any session data is written:
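using System;
using System.Reflection;
using System.Web;
using System.Web.SessionState;

/// <summary>
/// Issues a fresh session ID for the current request (session-fixation defence at login)
/// while keeping the state written during this request: the store item of the old ID is
/// removed and <see cref="SessionStateModule"/> is repointed at the new ID so that the
/// request's session state is persisted under the new ID at end of request.
/// </summary>
/// <remarks>
/// Classic ASP.NET (System.Web) only. Relies on private fields of SessionStateModule
/// (_store, _rqId, _rqLockId, _rqSessionStateNotFound, _rqItem). All of them are resolved
/// before the ID is swapped, so a framework version without them aborts the login instead of
/// leaving the request half-migrated.
/// </remarks>
/// <exception cref="InvalidOperationException">
/// The "Session" module or one of its internal fields could not be found.
/// </exception>
protected void ReGenerateSessionId()
{
    // Resolve the module internals first: if this fails we have not touched the cookie yet.
    HttpApplication app = (HttpApplication)HttpContext.Current.ApplicationInstance;
    SessionStateModule ssm = app.Modules.Get("Session") as SessionStateModule;
    if (ssm == null)
    {
        throw new InvalidOperationException("SessionStateModule 'Session' not found; session ID was not regenerated.");
    }

    FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
    FieldInfo storeField = RequireField(fields, "_store");
    FieldInfo rqIdField = RequireField(fields, "_rqId");
    FieldInfo rqLockIdField = RequireField(fields, "_rqLockId");
    FieldInfo rqStateNotFoundField = RequireField(fields, "_rqSessionStateNotFound");
    FieldInfo rqItemField = RequireField(fields, "_rqItem");

    SessionStateStoreProviderBase store = (SessionStateStoreProviderBase)storeField.GetValue(ssm);
    if (store == null)
    {
        throw new InvalidOperationException("SessionStateModule has no store provider; session ID was not regenerated.");
    }

    SessionIDManager manager = new SessionIDManager();
    string oldId = manager.GetSessionID(Context);
    string newId = manager.CreateSessionID(Context);

    bool redirected, cookieAdded;
    manager.RemoveSessionID(Context);
    manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);
    // NOTE(review): in cookieless mode SaveSessionID reports a redirect through `redirected`;
    // the original ignored the flag and so does this version — confirm behaviour if cookieless
    // sessions are enabled.

    // Drop the store item held under the old ID so the pre-login ID carries no state.
    object lockId = rqLockIdField.GetValue(ssm);
    SessionStateStoreData rqItem = (SessionStateStoreData)rqItemField.GetValue(ssm);
    if (lockId != null && oldId != null)
    {
        store.RemoveItem(Context, oldId, lockId, rqItem);
    }

    // Mark the state as "not found" and point the module at the new ID: at end of request it
    // then creates the item under newId instead of updating the old one.
    rqStateNotFoundField.SetValue(ssm, true);
    rqIdField.SetValue(ssm, newId);
}

/// <summary>Returns the field named <paramref name="name"/> or throws if it is absent.</summary>
/// <exception cref="InvalidOperationException">No field with that name exists on the module.</exception>
private static FieldInfo RequireField(FieldInfo[] fields, string name)
{
    foreach (FieldInfo field in fields)
    {
        if (field.Name.Equals(name, StringComparison.Ordinal))
        {
            return field;
        }
    }

    throw new InvalidOperationException(
        "SessionStateModule field '" + name + "' not found on this framework version; session ID was not regenerated.");
}

/// <summary>
/// Login handler: regenerates the session ID before any authenticated data is stored, so the
/// ID the browser held before authentication never becomes an authenticated session.
/// </summary>
protected void Login_Click(object sender, EventArgs e)
{
    if (/*Login success*/) // placeholder from the original article: replace with the real credential check
    {
        ReGenerateSessionId(); // must run before Session["User"] is written
        Session["User"] = user;
        Response.Redirect("Login_Success.aspx", true);
    }
}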
https://www.codeproject.com/Articles/210993/Session-Fixation-vulnerability-in-ASP-NET
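/// <summary>
/// Shows whether the current session is authenticated (Session["LoggedIn"] is set) and
/// reveals the logout button when it is.
/// </summary>
protected void Page_Load(object sender, EventArgs e)
{
    if (Session["LoggedIn"] != null)
    {
        lblMessage.Text = "Congratulations !, you are logged in.";
        lblMessage.ForeColor = System.Drawing.Color.Green;
        btnLogout.Visible = true;
    }
    else
    {
        lblMessage.Text = "You are not logged in.";
        lblMessage.ForeColor = System.Drawing.Color.Red;
    }
}

/// <summary>
/// Demo login: accepts the hard-coded credentials "u"/"p" and marks the session as logged in.
/// </summary>
/// <remarks>
/// The session ID is NOT regenerated here, so the ID the browser presented before
/// authentication becomes the authenticated session — this is the session-fixation scenario
/// the page discusses. A real login must issue a new ID before storing "LoggedIn".
/// Credentials are hard-coded for the demo only.
/// </remarks>
protected void LoginMe(object sender, EventArgs e)
{
    string user = txtU.Text.Trim();
    string pass = txtP.Text.Trim();

    if (string.Equals(user, "u", StringComparison.Ordinal) && string.Equals(pass, "p", StringComparison.Ordinal))
    {
        Session["LoggedIn"] = user;
    }
    else
    {
        lblMessage.Text = "Wrong username or password";
    }
}

/// <summary>
/// Logout: discards the server-side session state and expires the session cookie so the
/// browser cannot keep presenting the now-abandoned ID.
/// </summary>
/// <remarks>
/// Session.Abandon() alone leaves the session cookie in the browser; the same ID would then be
/// sent on the next request. Expiring the cookie forces ASP.NET to issue a fresh ID.
/// </remarks>
protected void LogoutMe(object sender, EventArgs e)
{
    Session.Clear();   // RemoveAll() is the same call, so it is not repeated
    Session.Abandon();

    // "ASP.NET_SessionId" is the default cookie name; match <sessionState cookieName="..."/> if it is customised.
    System.Web.HttpCookie sessionCookie = new System.Web.HttpCookie("ASP.NET_SessionId", string.Empty);
    sessionCookie.Expires = DateTime.UtcNow.AddDays(-1);
    Response.Cookies.Add(sessionCookie);
}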
After changing the session ID with `RemoveSessionID`/`SaveSessionID` alone, the data written to `Session` during that request is lost: the browser receives the new cookie, but the running request still persists its state under the old ID (which is why the helper above repoints the module's request ID via reflection).
Source: https://www.cnblogs.com/chucklu/p/13178171.html