Losing ASP session variables, or so I think

I have开发者_Python百科 a relatively simple ASP.Net application that I have built some simplistic security into. The user logs in with a username and password and I check it against the DB. If it is successful I store a User object for them on a session variable called "UserID" and redirect them to the same page, only this time they dont see the login panel. (Mmm could just hide it dynamically but I think that would cause a page reload anyway)

On my Default.aspx page I have the following code:

protected void Page_Load(object sender, EventArgs e)
{
    if (Session["UserID"] == null)
    {
        LoginPanel.Visible = true;
    }
}

protected void btnLogin_Click(object sender, EventArgs e)
{
    Security security = new Security();
    Session["UserID"] = security.LoginUser(txtUsername.Text, txt2Password.Value);
    if (Session["UserID"] != null)
    {                
        Response.Redirect("~/default.aspx");
    }
}

Right, so far so good. Also worth mentioning at this point is the master page:

protected void Page_Load(object sender, EventArgs e)
{
    if (Session["UserID"] == null)
    {
        //Check that we are not already on the default.aspx page.
        //Don't want to cause infinite redirect here
        if (!Request.Path.ToLower().Contains("default.aspx"))
        {
            Page.Response.Redirect("~/Default.aspx");
        }
    }
    else
    {
        //Otherwise we get the UserObject from the session and display menu items           //based on the role. Nothing fancy.

    }


}

//Bad naming. This a logout link on the master...
protected void Unnamed1_Click(object sender, EventArgs e)
{    
    Session["UserID"] = null;
    Page.Response.Redirect("~/Default.aspx");
}

Now all of this works perfectly on my local instance of IIS. As soon as I deploy this to our production server and I click on one of my menu items and navigate say to Search.aspx it chucks me back to my Default.aspx page with the LoginPanel visible??? Also that is in Firefox. With IE I can click on the Search.aspx menu link and it takes me to the page, but clicking on an edit link in my GridView also chucks me back to the Default.aspx page with the LoginPanel showing.

I'm no ASP.net expert at all and I'm at wits end. So please word Answers with as little as possible jargon and so forth and post links to msdn for docs and such so that I don't just resolve this, but actually understand why this has been giving me nightmares.

TIA

Don't store user identifiers or other sensitive information in the session, implement IIdentity and IPrincipal with Forms authentication instead (though this doesn't completely rule out information exposure altogether).

This enables easy access to certain elements in the nature of what you need:

//to sign-in:
FormsAuthentication.SignIn("username", createPersistentLogin);

//to sign-out:
FormsAuthentication.SignOut();

//user data access:
Page.User.IsInRole("requiredRole");

Page.User.Identity.IsAuthenticated;

Page.User.Name;

A couple of snippets from MSDN to explain the meaning of this:

The .NET Framework provides a role-based security implementation in the System.Security.Principal namespace, which you can use for authorizing and authenticating users in your application.

An IIdentity encapsulates an authenticated user. An IPrincipal is a combination of the identity of the user and any roles he or she has. You can use the predefined identity and principal classes in the System.Security.Principal namespace or you can add custom authentication by creating classes that implement the interfaces.

Care should be used when granting permissions to work with IIdentity objects, because these objects make sensitive user-related information available. You should protect the application's current IPrincipal object from changes because the application's authorization capability is based on its current principal.

You can get information on doing this from MSDN.

maybe a bit off topic but I would recommend to use built in login functionality, that means Login Controls, Membership and Authentication. Then you don't have to mess with Session

http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx

then you can do Membership.GetUser().ProviderUserKey for example to get the key

Verify if in your production server the Web.Config file of your site contains this line, or something like this :

<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />

It must be inside element.

It is to verify wich sessionState are you using.

See the link : Asp.NET Session State