How to handle session invalidation and page Access Permissions

My development environment is vs2008.

 

1. How to set the session expiration time

Add the following configuration information after <Authentication mode = "Windows"/> in Web. config:

 

<Sessionstate mode = "StateServer" stateconnectionstring = "TCPIP = 127.0.0.1: 42424" sqlconnectionstring = "Data Source = 127.0.0.1; trusted_connection = yes" cookieless = "false" timeout = "30"/>

Set the session expiration time to 30 minutes.

 

2. How to log on to the logon page again when the session fails

 

A: My previous thoughts on this issue are as follows:

If there is something similar to a trigger, when the session fails, the trigger will be triggered directly, and you will jump to the logon interface to log on again,

But I don't know if this method can be implemented. If you have any trouble communicating the implementation method, thank you first.

 

B: Here is the solution:

First, write a public class basepage and override the oninit method of this class;

Then, let each page inherit the public class basepage.

1) the newly created public class basepage code is as follows:

Public class basepage: system. web. UI. page <br/> {<br/> Public basepage () <br/> {<br/> // todo: add the constructor logic here <br/> // <br/>}< br/> protected override void oninit (eventargs E) <br/> {<br/> If (session ["loginname"] = NULL | session ["loginname"] = "" | session ["logindegree"] = NULL | session ["logindegree"]. tostring () = "") <br/>{< br/> response. redirect ("~ /Error. aspx "); <br/> response. end (); <br/>}< br/> else <br/>{</P> <p >}< br/>}

Note: When a user logs on, the user name and user level are stored in the session.

2) each page inherits this base class basepage

Note: In the background of each page, the format is public partial class _ default: system. Web. UI. Page.

Change to public partial class _ default: basepage.

Due to framework restrictions, when the session fails, you can jump to the "error. aspx" transition page first, and then go to the logon page through this page.

 

C: This method is not safe. If there is a page (a), only the super administrator can operate it, and no other operator can access it,

If an operator logs on to the system and the session does not expire, simply put the link address of page A (provided that the address of page a is known) in the address bar, you can also log on to page A, which is insecure.

 

3. How to Ensure the access permissions of different users to the page

For this problem, I wrote another method "bool iserror (INT logindegree, int userid, string modulename )"

This method includes the user's level logindegree, the user's ID userid, and the module name modulename.

This method is called in the page_load method of each page. If the user has the permission to log on to this module, the logon page is displayed.

In this way, there will be no security issues in 2.