locked
Accessing different database based on the username RRS feed

  • Question

  • User-56991817 posted

    Hello,


    I am working on a website where when the user logs in, I select their database based on their username. Currently I have a list of all databases in the web.config and I select the Database ID from the username and then read the database string from web.config. What is the most optimal way to implement this scenario?

    currently I:

    - store the Database ID in the session object

    - the Session object expires after like 5 minutes so i have to read the Database ID from the online database based on the username and regenerate the Session["DatabaseID"] again.

    - there are some security issues with the Session ID, so I started clearing the Session in !(Page.IsPostBack) and I generate the Database string again.


    Where shall I store the DatabaseID and the database connection string so I can easily reuse it once the user has logged in?


    Wednesday, December 1, 2010 6:06 PM

Answers

  • User-952121411 posted

    Then I closed the browser window, I opened a new  browser window  , navigated to the site and logged in and the database ID and string was there! It had saved the Session info somehow on the local computer. I don't know how the Session object is saved and why is it still there when I close the webpage.
     

    Session is determines on the server not the client. Therefore the action of closing the browser does not abandon the session.  The session is timed out on the server based on its timeout value.  It is also important to realize that session can be persisted between tabs in a browser.  If a user opens a new tab and re-navigates to the same site, all of the session values will be persisted which sometimes is not the desired affect.

    Upon opening a new browser a new SessionID should be requested, but to ensure that all session values are beginning with their default values, you should initialize them at minimum within the Session_Start event in the Global.asax file.  The following is an example of what I am stating:

        Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
            ' Fires when the session is started
    
            Session.Add("MyIntValue1", 0)
            Session.Add("MyData1", Nothing)
            Session.Add("MyData2", Nothing)
            Session.Add("MyString1", String.Empty)
            
        End Sub


    The above code ensures when a new session is requested, that all session values are initialized to their default values.  You should probably read up a little on how session state works in ASP.NET as well to help with understanding:

    ASP.NET Session State:

    http://msdn.microsoft.com/en-us/library/ms972429.aspx

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, December 6, 2010 10:53 AM

All replies

  • User-2135385890 posted

    You could store it in an encrypted cookie but that would pause the same security issues as the session (which uses cookies as well). For the cookie, you could set the expiry date to be longer so that it doesn't expire withing 5min.

    Wednesday, December 1, 2010 8:17 PM
  • User-525215917 posted

    Session ID is the only connection between client and server. You can keep connection name or ID in session. Session variables are not sent to client because they are kept in session store in server. You can keep your connection strings in web.config file and you can encrypt them. You can find more about encrypting connection strings here: http://msdn.microsoft.com/en-us/library/ff647398.aspx

    Thursday, December 2, 2010 4:29 AM
  • User-56991817 posted

    How can I set the expiration of the cookie? I change the Session State Time out in IIS to 30 min and whatever I store in the Session object still is deleted after 5 minutes


    Friday, December 3, 2010 8:20 PM
  • User-56991817 posted

    It happen on one computer i used for testing. I logged in, so the database Id was stored in the Session object. Then I closed the browser window, I opened a new  browser window  , navigated to the site and logged in and the database ID and string was there! It had saved the Session info somehow on the local computer. I don't know how the Session object is saved and why is it still there when I close the webpage.


    Friday, December 3, 2010 8:23 PM
  • User-987742388 posted

    i suggest you to create a central database that can store your other databases ID and users accounts 

    Friday, December 3, 2010 10:25 PM
  • User-699953111 posted

    If u develop with a object model add a propery to the user (databaseID).
    If u know the user in session u know the database id.

    U can store the user in session variable or in cookie.


    Monday, December 6, 2010 8:26 AM
  • User-1598917946 posted

    What i would suggest you is to create a Master User database table and check the database name in that table and after that return the name if it is same as your connection string and then fetch it and use State Management or context for the same after that for added security this way you don't have to worry about session

    Monday, December 6, 2010 8:40 AM
  • User-952121411 posted

    Then I closed the browser window, I opened a new  browser window  , navigated to the site and logged in and the database ID and string was there! It had saved the Session info somehow on the local computer. I don't know how the Session object is saved and why is it still there when I close the webpage.
     

    Session is determines on the server not the client. Therefore the action of closing the browser does not abandon the session.  The session is timed out on the server based on its timeout value.  It is also important to realize that session can be persisted between tabs in a browser.  If a user opens a new tab and re-navigates to the same site, all of the session values will be persisted which sometimes is not the desired affect.

    Upon opening a new browser a new SessionID should be requested, but to ensure that all session values are beginning with their default values, you should initialize them at minimum within the Session_Start event in the Global.asax file.  The following is an example of what I am stating:

        Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
            ' Fires when the session is started
    
            Session.Add("MyIntValue1", 0)
            Session.Add("MyData1", Nothing)
            Session.Add("MyData2", Nothing)
            Session.Add("MyString1", String.Empty)
            
        End Sub


    The above code ensures when a new session is requested, that all session values are initialized to their default values.  You should probably read up a little on how session state works in ASP.NET as well to help with understanding:

    ASP.NET Session State:

    http://msdn.microsoft.com/en-us/library/ms972429.aspx

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, December 6, 2010 10:53 AM