Friday, 20 April 2007

Session state != Logged in user

Did something a bit daft yesterday; thankfully it didn't take me long to realise!

I have a web site which uses both Windows and forms authentication. I link them together by a table called tblUsers which basically looks like this:-

ID   AuthenticationType   LoginName
--   ------------------   ---------
1    Forms                r_dargan
2    NTLM                 s_jones
(Sorry for the crappy table... getting more and more sick of blogger!)

I then have a security business object which basically does the following:-

    // Session here is the session state of the current request
    // (HttpContext.Current.Session when called outside a Page).
    public int GetUserID()
    {
        if (Session["UserID"] == null)
        {
            // Get the user ID from tblUsers, and set Session["UserID"]
        }
        // C# is case sensitive: the method is ToString(), not toString()
        return int.Parse(Session["UserID"].ToString());
    }

The Problem:
This works great until one user logs out and another logs in on the same browser. What was happening was that the user ID was persisting across logged-in users.

The reason for this is that session state runs across a browser session, not a user's logged-in session, so Session["UserID"] was not nulled when the user logged out.

The Solution:
Quite easy actually: I added a handler for the "logging out" event on the logout control which clears the session! (Session.Clear())
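As an added example that is not code from the original post, here is a hardened version of the business object which ties the cached ID to the identity authenticated on the current request (so a stale value cannot be handed to a different user even if the logout handler never fires), alongside the LoggingOut handler itself. The tblUsers query is replaced by a constructed in-memory dictionary mirroring the two rows above, and the names SecurityService, LogoutPage and LoginStatus1_LoggingOut, plus the expiry of the session cookie, are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical hardened business object: the cached ID is only trusted if it
// was cached for the identity that is authenticated on the current request.
public class SecurityService
{
    private const string UserIdKey = "UserID";
    private const string OwnerKey = "UserID_Owner";
    // Constructed stand-in for tblUsers, keyed "AuthenticationType:LoginName".
    private static readonly Dictionary<string, int> Users = new Dictionary<string, int>
    {
        { "Forms:r_dargan", 1 },
        { "NTLM:s_jones", 2 }
    };

    public int GetUserID()
    {
        HttpContext ctx = HttpContext.Current;
        HttpSessionState session = ctx.Session;
        // Assumes Identity.Name matches tblUsers.LoginName (a Windows identity
        // may carry a DOMAIN\ prefix that would need stripping first).
        string owner = ctx.User.Identity.AuthenticationType + ":" + ctx.User.Identity.Name;
        if (session[UserIdKey] == null || (string)session[OwnerKey] != owner)
        {
            session[UserIdKey] = Users[owner]; // re-resolve for the current user
            session[OwnerKey] = owner;
        }
        return (int)session[UserIdKey];
    }
}

// Page hosting the LoginStatus control, with the handler wired to its LoggingOut event.
public partial class LogoutPage : Page
{
    protected void LoginStatus1_LoggingOut(object sender, LoginCancelEventArgs e)
    {
        Session.Clear();   // drop everything cached for the user who is leaving
        Session.Abandon(); // end the server-side session as well
        // Assumption: expire the session cookie too, because ASP.NET otherwise
        // reuses the same session ID for the next login on this browser.
        HttpCookie cookie = new HttpCookie("ASP.NET_SessionId", "");
        cookie.Expires = DateTime.Now.AddDays(-1);
        Response.Cookies.Add(cookie);
    }
}
```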

Enjoy

Ross
