gsn

Reset Session ID

Isn't it true that with session.abandon a new SessionID should be created, or is my assumption wrong? If I'm wrong, how would you go about assigning a new SessionID?

Thanx a bundle!
robbert

Session.Abandon does not create a new SessionID, but deletes the reference to it. When you open a new page, a new Session.SessionID will be created.

Session.SessionID is read-only.

Make sure that the user accepts cookies, otherwise a new SessionID will be assigned on every page.
gsn

ASKER

Adjusted points to 75
gsn

ASKER

robbert,

sorry, your answer is ok, however it was my fault: I wasn't clear enough. Would you mind giving me an example? I just created two pages:

========================
Page1:
========================

<%
      If request.querystring("go") = "yes" Then
            session.abandon
            response.redirect("test2.asp")
      End If
%>
<html>

<head>
<title>Test Page</title>
</head>

<body>
<%= session.sessionID%><BR><BR>
<a href="test.asp?go=yes">GO</a>


</body>
</html>
========================
Page 2:
========================
<html>

<head>
<title>Test Page 2</title>
</head>

<body><%= session.sessionID%><BR><BR>
</body>
</html>
========================

Shouldn't I get a different SessionID on the second page?
(I increased the points a bit...)

Thanks again!

G.
gsn,
I am sorry; my answer was not correct, and it was good to reject it.

I found out that Session.Abandon deletes everything in Session.Contents, but the Session.SessionID will remain the same.

If you need a new SessionID, there are two ways:
- holding your own-made SessionID through querystring (or whatever)
- deleting all your bindings, referring to the existing SessionID, and, therefore, being able to regard the maintained SessionID as "new".

What's your problem, exactly?
gsn

ASKER

robbert,

Here's exactly what my problem is:
People register for an event on "registration.asp" that loops through different sections of the page depending on their answers and what kind of event they register for. The first time a record is created (INSERT INTO...) with the sessionID referencing the session (obviously...) and each time the user advances to the next section it updates the particular recordset (UPDATE ... WHERE SessID = strSessID. If strSessID is "" then the program assumes a new user, adds a new recordset and starts from the beginning). If the user goes back (hits the back-button) the program reads from the db (WHERE SessID = strSessID) and displays the entries in the fields for editing. At the end the user has the chance to view all his/her entries once more and hit a final Done button which fires off an email confirming the deal and locks the recordset (it actually sets the field "MailSent" to True which prevents the recordset from being edited.) Now, since the program compares the sessionID to an existing SessID in the database and also sees that the confirmation email has been sent it will not allow the user to register an additional event (unless he/she closes all of the browser windows and starts over...) - which is intended. Does that make my problem somewhat clear... ;-)

I am sure that there are ways around, however, the question remains: can you reset the sessionID somehow?

Thanx a bundle!

G.
ASKER CERTIFIED SOLUTION
robbert

This solution is only available to members.
You may write
<%
If request.querystring("go") = "yes" Then
session.abandon
' Session.Abandon only takes effect at the end of the page, so load test2.asp from the client
%>
<html><body onLoad="window.open('test2.asp', '_self');"></body></html>
<%Else%>

.... Main page ...

<%End If%>

Good luck
You need to use Hidden variables or Database to solve this type of problem. Depending on the SessionID is not a good choice. After you use Session.Abandon, the session ids are not available and is equivalent to <%@ EnableSessionState=False %> at the beginning of each page.
robbert is 100% correct...Microsoft's own info states the following:

"After storing the SessionID cookie in the user's browser, ASP reuses the same cookie to track the session, even if the user requests another .asp file, or requests an .asp file running in other application. Likewise, if the user deliberately abandons or lets the session timeout, and then proceeds to request another .asp file, ASP begins a new session using the same cookie. The only time a user receives a new SessionID cookie is when the server administrator restarts the server, thus clearing the SessionID settings stored in memory, or the user restarts the Web browser."

Microsoft states that sessionID's are not meant for tracking purposes...Therefore I agree with robbert that you must create and manage your own sessionID...FWIW
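
Added example (not part of any post above, and not the members-only solution): one way to follow the advice in this thread is to key the registration row on an application-issued ID held in Session.Contents and dropped once the registration is locked, instead of on Session.SessionID. The names RegId, NewRegId, CurrentRegId, FinishRegistration and the done parameter are hypothetical, and the Scriptlet.TypeLib COM object is assumed to be available on the server.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Hypothetical helper: returns a fresh GUID string of the form {xxxxxxxx-xxxx-...}.
' Scriptlet.TypeLib pads the value with trailing null characters, so keep 38 chars.
Function NewRegId()
    Dim tl
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    NewRegId = Left(tl.Guid, 38)
    Set tl = Nothing
End Function

' Returns the ID of the registration in progress, issuing one if none exists.
' An unset Session variable is Empty, which compares equal to "".
Function CurrentRegId()
    If Session("RegId") = "" Then Session("RegId") = NewRegId()
    CurrentRegId = Session("RegId")
End Function

' Call once the confirmation mail is sent and MailSent is set to True.
' Only the application's own ID is dropped; the ASP session itself stays alive.
Sub FinishRegistration()
    Session.Contents.Remove "RegId"
End Sub

Dim strRegId
If Request.QueryString("done") = "yes" Then
    FinishRegistration
End If

' Use strRegId wherever the page described in the question used the SessionID,
' e.g. as the value compared against the SessID column, passed as a query parameter.
strRegId = CurrentRegId()
%>
<html>
<body>
SessionID (same cookie for the whole browser session): <%= Session.SessionID %><br>
RegId (new after each completed registration): <%= Server.HTMLEncode(strRegId) %><br>
<a href="registration.asp?done=yes">Finish and start another registration</a>
</body>
</html>
```

Reloading the page keeps both values; following the link leaves Session.SessionID unchanged and issues a new RegId, so a locked record no longer blocks the next registration.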

gsn

ASKER

This was a somewhat obvious answer where I needed a little push in the right direction... so thanx for that "push"... I'm already working on re-designing the process with a separate unique ID. thank you for all your inputs!

G.