3

I am building a DNN module which allows a logged-in user to log in as another user.
But I have a weird issue here.
This is how I log out the current user and log in as another user:

UserInfo userInfo = UserController.GetUserById(portalId, userId);
if (userInfo != null)
{                
    DataCache.ClearUserCache(this.PortalSettings.PortalId, Context.User.Identity.Name);

    if (Session["super_userId"] == null)
    {
        Session["super_userId"] = this.UserId;
        Session["super_username"] = this.UserInfo.Username;
    }

    HttpCookie impersonatorCookie = new HttpCookie("cookieName");
    impersonatorCookie.Expires = DateTime.Now.AddHours(1);
    Response.Cookies.Add(impersonatorCookie);

    Response.Cookies["cookieName"]["super_userId"] = this.UserId.ToString();
    Response.Cookies["cookieName"]["super_username"] = this.UserInfo.Username;

    PortalSecurity objPortalSecurity = new PortalSecurity();
    objPortalSecurity.SignOut();

    UserController.UserLogin(portalId, userInfo, this.PortalSettings.PortalName, Request.UserHostAddress, false);

    Response.Redirect(Request.RawUrl, true);
}

And in PageLoad() I try to read the values from this cookie, but it doesn't read anything:

try
{
    string super_userId = Request.Cookies["cookieName"]["super_userId"];
    string super_username = Request.Cookies["cookieName"]["super_username"];

    if (!String.IsNullOrEmpty(super_userId))
    {
        this.Visible = true;
        this.lblSuperUsername.Text = Session["super_username"].ToString();
        this.txtPassword.Enabled = true;
        this.btnBackToMyAccount.Enabled = true;
    }
...

I have also tried to do the same with session, but nothing works, and I can't figure out why.

ThinkingStiff
1110

3 Answers

5

As I found here, there can be problems with setting cookies in a request that gets redirected, and here it is stated that cookies won't get set with a redirect when their domain is not /.

So you can try not redirecting using HTTP headers, and instead show a "Logged In" page that contains a "Home" link and a meta refresh or JavaScript redirect.

By the way, setting a UserID in a cookie is not really the way to go. What if I change that cookie value to 1?

CodeCaster
  • @1110 To comment on CodeCaster's suggestion, you should consider storing just a session ID in the cookie, and keeping relevant data about that session in your local application variables, such as UserID, etc... But that does not answer your direct question of how to read the existing cookie on redirect. – EtherDragon Dec 20 '12 at 22:27
  • There is one weird thing that confuses me. In my local installation of DotNetNuke it works (with session and cookie), but when I put it on the live server it doesn't :( – 1110 Dec 21 '12 at 07:45
  • localhost/dnn/mysite works but mysite.com (is not a root portal) doesn't. – 1110 Dec 27 '12 at 07:27
  • @1110 I cannot test it now, but according to the links in my answer a cookie cannot be set during a non-root redirect. So set the cookies' domain to "/" or try it with a "logged in" page. – CodeCaster Dec 27 '12 at 21:44
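The point CodeCaster and EtherDragon raise above, as an added example that is not part of the original thread: the cookie carries only a random token and the original user's ID stays on the server, so a cookie value edited to 1 resolves to nothing. `ImpersonationStore` and its member names are hypothetical (not DNN APIs), and the user ID and name in `Main` are constructed sample values.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper (not a DNN API): keeps impersonation state on the server.
public sealed class ImpersonationStore
{
    private sealed class Entry { public int UserId; public string Username; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Entry> _entries = new ConcurrentDictionary<string, Entry>();

    // Call before switching users; the returned token is the only value placed in the cookie.
    public string Begin(int originalUserId, string originalUsername, TimeSpan lifetime)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes); // 256 bits from the OS CSPRNG, not guessable
        string token = BitConverter.ToString(bytes).Replace("-", ""); // hex, cookie-safe
        _entries[token] = new Entry { UserId = originalUserId, Username = originalUsername, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // Call on page load with the raw cookie value; false for missing, edited or expired tokens.
    public bool TryResolve(string token, out int originalUserId, out string originalUsername)
    {
        originalUserId = -1;
        originalUsername = null;
        Entry entry;
        if (string.IsNullOrEmpty(token) || !_entries.TryGetValue(token, out entry)) return false;
        if (entry.ExpiresUtc <= DateTime.UtcNow) { End(token); return false; }
        originalUserId = entry.UserId;
        originalUsername = entry.Username;
        return true;
    }

    // Call when the user goes back to their own account.
    public void End(string token) { Entry removed; if (token != null) _entries.TryRemove(token, out removed); }
}

public static class Demo
{
    public static void Main()
    {
        var store = new ImpersonationStore();
        string cookieValue = store.Begin(42, "admin", TimeSpan.FromHours(1)); // constructed sample user
        int id; string name;
        Console.WriteLine(store.TryResolve(cookieValue, out id, out name) + " " + id + " " + name);
        Console.WriteLine(store.TryResolve("1", out id, out name)); // value edited by the client
    }
}
```

The dictionary lives in one worker process, so a web farm or an application-pool recycle would need a shared store (database or distributed cache) behind the same three methods.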
1

I suggest that when you set a new cookie, you always set the Domain, and probably the Expires as well.

Response.Cookies[cookieName].Domain = RootURL;
Response.Cookies[cookieName].Expires = DateTime.UtcNow.AddDays(cDaysToKeep);

The domain is very important: it should be the URL without the subdomain, e.g. only mydomain.com without the www., because if a cookie is set from www.mydomain.com and you try to read it from mydomain.com or vice versa, then the cookie will not be read and you may lose it / overwrite it.

So I suggest making a function so that when you set a cookie, you set at least 3 parameters: the Domain, the Expires, and the Value.

Similar questions and answers:
Multiple applications using same login database logging each other out
asp.net forms authentication logged out when logged into another instance

Aristos
0

Put these two statements

Response.Cookies["cookieName"]["super_userId"] = this.UserId.ToString();
Response.Cookies["cookieName"]["super_username"] = this.UserInfo.Username;

after

UserController.UserLogin(portalId, userInfo, this.PortalSettings.PortalName, Request.UserHostAddress, false);

Maybe the UserLogin method is resetting the Session variables. Hope it helps :)

Avishek