?
Solved

Lost Session and Cookie Variables

Posted on 2003-02-24
31
Medium Priority
?
472 Views
Last Modified: 2012-08-13
When the user enters my app's virtual directory, the default.asp file is loaded.  The user id and password is validated against the database.  If user is valid, the db connection string is saved as a session variable.  The user is then directed to the main menu page.  There are seven forms in the app.  Each form consists of a frameset page, a control page, and a database page.  Each frameset page checks to see if the user is logged in by checking the value in the session variable that contains the db connection string.  The logon page is located at the virtual directory, and all form pages are in subdirectories.  

ISSUE:  The user browses the application, loading pages into the browser, then returning to the main menu, without processing any information.  After a certain series of forms are loaded, the session variables are mysteriously lost and the user is directed to log back into the app.  The user can browse five of the forms limitlessly, without error (A Group).  The user can browse the other two forms, limitlessly, without error (B Group).  But if the user browses at least two of the A group forms and one of the B Group forms, the session variables are lost.

As a debug, I have added cookies to see if the problem was directly related to the session variables.  While I was able to reset the session variables with the cookie variables on the first round of form loading, the second round of form loading resulted in the loss of session variables and cookie variables.

The timeout on the IIS server is set to 20 minutes and the form browsing resulting in my examples takes less than a minute.
0
Comment
Question by:dmsbmoore
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 5
  • 5
  • +5
31 Comments
 
LVL 10

Expert Comment

by:apollois
ID: 8011592
Hi dmsbmoore,

Search for "Session.Abandon" in all the relavent pages, and in any include files.


>>> If user is valid, the db connection string is saved as a session variable.<<<

Is the connection string different for each user?  If not, why not save as application variable at the start of application?

Best Regards,
apollois
0
 
LVL 2

Expert Comment

by:rbagdonas
ID: 8011605
1.  Unless your DBConnection string changes for each user, try putting the connection string in an Application variable in the global.asa file:

Application("ConnString") = "blah"

2.  You probably can get rid of your session variables.  They eat a lot of memory when the app scales.  Try this:

- Right click and select properties of your website in IIS.
- Click on the Home Directory Tab, then Configuration button.
- Go to the second tab and unselect the Enable session option.

This way you know that sessions are disabled.

3.  Use the cookies with no expiration information for your application.

To write a cookie:

Response.Cookies("CookieName")("VariableName") = "blah"

To read a cookie:
strBlah = Request.Cookies("CookieName")("VariableName")


These cookies will be available until the user closes their browser.  Just make sure you manage them well and they should give you no trouble.

R
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8011742
No, do not put connection strings in the .asa file!  If you need to use a file, put them in a .asp file and just include it on the pages that need it.  Storing stuff in the .asa is bad practice.  Besides, if I get into your system, the first thing I'm going to look at is the .asa file for dB connections.

As for the Session issue, can you tell me if the users are using IE6?  IE6 has some issues with sessions... no link to a patch available immmediatly.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 2

Expert Comment

by:rbagdonas
ID: 8011797
We can argue this all day.  My preferred method is to have the connection string stored encrypted in the registry and brought into the application at runtime.

But most users that are starting at this level typically do not have the acumen to move their DB access stuff into a COM+ object and work with the system classes to access the registry.

The most important thing for him is to get his application working.  Then once he understands architecture, he can move away from his original design.

But I digress....

R
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8011858
True... there is always a better or another way to do it.

Somewhere I had a link to the IE6 session issue from MSDN
0
 

Author Comment

by:dmsbmoore
ID: 8011895
No Session.Abandon staments are present in any file on the d:\ drive of the server, where the application resides.  This app uses two databases.  Database A requires individual connectivity, and Database B uses an application ID.  The user can bounce between DB's at any time.  
0
 

Author Comment

by:dmsbmoore
ID: 8011943
No Session.Abandon staments are present in any file on the d:\ drive of the server, where the application resides.  This app uses two databases.  Database A requires individual connectivity, and Database B uses an application ID.  The user can bounce between DB's at any time.  
0
 

Author Comment

by:dmsbmoore
ID: 8011981
rbagdonas:  Per my prvious comment (sorry about the double-post) (1) is out.  I have a timeout requirement of 20 minutes inactivity.  So I believe (2) and (3) are out.  I amy be wrong.

mgfranz:  Our users are on IE 5.50..
0
 
LVL 28

Expert Comment

by:sybe
ID: 8014721
Session variables are bound to an application. And an application is defined by a virtual directory.
If your login page is on a different virtual directory then the rest of the application, then they each have their own session variables.
0
 
LVL 15

Expert Comment

by:Ralf Klatt
ID: 8014848
Hi dmsbmoore,

I had the same problem as you described and I was able to solve it with a "session-object" I've created. There's a session class that is started at the session_start point ... all relevant data is stored in that class and regularly updated against the database ... when the user changes the application (ex.: changes from main app to service app) the session data is picked up by the other application and updates to the "main session" are continued. At the end, when the user logs out or abandons, I have an overview of all actions and transactions with even a “spent time on (this or that)” report …

… of course I’m talking about complex applications and they are grown over the time. Unfortunately I’m not able to provide a source code example without presenting all of the code but … think about a database connected “session class” rather than expecting IIS to do the session management for you!

If my statement is of interest for you I’ll be able to provide more information!

Best regards, Raisor
0
 

Author Comment

by:dmsbmoore
ID: 8016338
sybe:  The logon page and verification page are at the root of the virtual directory.  

raisor:  I will research session object approach.  This sounds most promissing.

lavinder:  1st link I already tried.  I ordered book on second link.
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8017502
Sybe, I can't agree with your comment about virtual directories loosing session values.  While it would be true to a point if the virtual dirs were farmed or pooled in a clustered environment, I don't think this is the issue.

Here is a silly question, are the session variables being lost due to their value being set to "" or clear?
0
 

Author Comment

by:dmsbmoore
ID: 8017923
mgfranz, no question is silly.  The variable in question is set at logon and never reset or cleared.  The strange thing is that all variables, session and cookie, are lost, eventually.
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8017968
At timeout all session or unsaved cookies will be lost, true.  But you say this happens at 1 minute...

Strange...  Any chance on a virus being the culpret?
0
 
LVL 10

Expert Comment

by:apollois
ID: 8018846
dmsbmoore,

As a debug tool, I suggest that you create 3 or 4 new pages from scratch (no copy and paste) that will simulate your actual pages.  Keep these as simple as possible.  Put lots of debug output (like the session variables) in every page.  

Run a test using these new pages.  Keep a careful log with a stopwatch to record your steps.

Best Regards,
apollois
0
 
LVL 15

Expert Comment

by:Ralf Klatt
ID: 8018864
Hi mgfranz,

I don't think that dmsbmoore has a virus ... unless I have the same virus ;) ... instead, there are lot's of bugs in and around IIS ... the bug that gave me the strongest headache was the one with IIS not firing the session_end nor the session_onend event ...

... that was the initiating moment to create my own session object class ...

Best regards, Raisor


Hi dmsbmoore,

... I've spent some time on searching for a good article that helped me a lot developing my session class ... and finally I found it ... here it is:

http://www.15seconds.com/issue/021119.htm

... I hope that can help!

Best regards, Raisor
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8020298
Which is why I have never used a global.asa to fire any Session requirement.  It's just too flakey.  If I need to use Session variables I keep them short and sweet, simple to manage and easy to track.  I would never use a session variable to store a connection or recordset string.

While anything is possible, a virus was just a shot in the dark.
0
 
LVL 10

Expert Comment

by:apollois
ID: 8046797
Hi dmsbmoore,

Has your question been answered?

If so, please select the comment as an answer that was most helpful to you.  In case of duplicate or very similar comments you can select the one posted first.

If not, post what additional help you need to answer your original question.

DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
0
 

Author Comment

by:dmsbmoore
ID: 8050729
OK.  I was going to give points to rbagdonas who told me to dish the session variables and use application and cookie variables, which is what I ended up doing.  But he states "These cookies will be available until the user closes their browser."  This is simply not true.  While my user's browser session remains active, the server loses session and begins a new.  My final solution, which I am sure there are others that are better, is as follows:

I used a combination of cookies and application variables.  After each user successfully logs on to the application, I reset (or for first time users, set) their own application variable.  This works for this application because the number of users should be 5 - 10 to start out.  I build the application cookies on the fly by using the logon userid and password, and retrieve the application cookies on the fly by using the userid cookie.  The application variables are used to connect to the database that requires individual logon.  Another application variable is used to connect to the database that requires an application id.  

I keep track of each user by setting two cookies.  One is a timestamp cookie and the other is a userid cookie.  Everytime a user enters a page, I check to see if the timestamp cookie is less than 20 minutes old.  If so, I RESET the timestamp cookie to now() AND reset the userid cookie to itself.  I have to reset BOTH cookies because when I lose the session on the server (which is the true issue here), I lose the cookies. I still do not understand how I can reset the cookies after the session changes, since the session id on the server, used to retrieve the cookies from the browser, changes after the session ends and another begins.  But somehow, by resetting the cookies at the beginning of every page, this works.

Does anyone see any potential problems with this solution?  This is my solution and I have not found precedent.
0
 
LVL 2

Accepted Solution

by:
rbagdonas earned 1200 total points
ID: 8050745
Application variables are not user specific.  Meaning if set Application("UserID") that is the userid for everyone.

If your cookies are expiring, you have an issue.  I use the session cookie (note: not Session("VariableName"), I use Response.Cookie("CookieName")("VariableName")) in several applications that need to be open for several hours.  I have never had a cookie expire that I didn't sepcifically set the expiration on.

R
0
 

Author Comment

by:dmsbmoore
ID: 8050760
One final comment to rbagdonas :  don't assume that all developers learning a new language "do not have the acumen" to jump into complex techniques to resolve issues with their code.  In my case, as you seem to have understood, time was of the essence.  Sorry to make you digress.
0
 

Author Comment

by:dmsbmoore
ID: 8050769
Sorry, I miss stated:  I build the application variables on the fly by using the logon userid and password, and retrieve the application variables on the fly by using the userid cookie.  This makes them user specific.
0
 

Author Comment

by:dmsbmoore
ID: 8050777
Sorry, I miss stated:  I build the application variables on the fly by using the logon userid and password, and retrieve the application variables on the fly by using the userid cookie.  This makes them user specific.
0
 
LVL 2

Expert Comment

by:rbagdonas
ID: 8050778
Jumping from a simple ASP problem to a n-tier architecture utilizing kernel32 calls in a COM+ object is a whole new bag.  Typically people getting used to one technology will kill themselves when they try to learn ASP, VB, Javascript, SQL all at the same time.  You have to start with small steps.  Otherwise you assume that you know what is going on but when you add more variables to an equation, it gets exponentially more difficult to solve (and debug).  I stand by my previous comment.  Good luck with your issue.

R
0
 
LVL 2

Expert Comment

by:rbagdonas
ID: 8050793
This yet proves the point about learning new stuff.  You are trying to make a sandwich but are using two cans of soup.  Application variables should not be used to store anything user specific.  Storing connection strings and other things that are user-independent makes perfect sense.  but putting anything that you constantly change in an application variable has overhead costs associated with it and will be difficult to scale.  Please go to msdn.microsoft.com and learn all you can about:

Application variables
Session Variables
Cookies

You have taken the things that people have recommended and blended them into some sort of hack that is misusing what the variables are intended for.  Your application, as wll as downstream developers, will suffer.

R
0
 
LVL 15

Expert Comment

by:Ralf Klatt
ID: 8051031
Hi rbagdonas,

I couldn't stop grinning while reading your commentaries … but, you’re sooooo right with what you’re saying!

These are the lightning days, when you feel that there are people somewhere in the world that have been at the same point as you once have been. Me, starting with simple Basic in the “old days” and still not having reached “the point of no return” yet, I love these “small” problems which keep one busy for days … to find a solution or a workaround.

Best regards, Raisor
0
 
LVL 15

Expert Comment

by:Ralf Klatt
ID: 8051032
Hi dmsbmoore,

I really do not get your point! I’ve given you a hint for to solve your problem and on 02/25/2003 05:20AM PST you’ve said “raisor:  I will research session object approach.  This sounds most promising.” … yet I didn’t here anything from you!

A very simple but good example for “session objects” can be found at http://www.15seconds.com/issue/021119.htm

Why didn’t you try it?

Best regards, Raisor
0
 
LVL 10

Expert Comment

by:apollois
ID: 8126243
Hi dmsbmoore,

It's been 12  days since the last post to your question.  Has your question been answered?

If so, please select the comment as an answer that was most helpful to you.  In case of duplicate or very similar comments you can select the one posted first.

If not, post what additional help you need to answer your original question.

DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Best Regards,
>apollois<
0
 
LVL 10

Expert Comment

by:apollois
ID: 8208638
========================================
ABANDONED QUESTION FINAL NOTICE
========================================

It appears that this question has been abandoned:
     -- Days since the question was opened:          29
     -- Last post of the question asker:          03/01/2003

I will make a final recommendation to the EE Moderators on its resolution in one week. I appreciate any comments that would help me to make a recommendation.  If you disagree with my initial recommendation, I urge you to post a comment.

In the absence of responses, I will make the below recommentation.

RECOMMENDATION:
           [ACCEPT rbagdonas COMMENT 03/01/2003 09:31PM PST AS ANSWER]

Silence = You agree with recommendation or don't care.

DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

>apollois<
EE Cleanup Volunteer
~~~~~~~~~~~~~~~~~~~~~~~~
dmsbmoore, if you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, you may post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/
0
 

Expert Comment

by:SpideyMod
ID: 8358890
per recommendation

SpideyMod
Community Support Moderator @Experts Exchange
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question