• Status: Solved

Abandon the session based on session id

hey all

i need to abandon a session based on its session id.

the situation is this:

i am on the admin site and i know everyone who is connected to my application; the list of all existing sessions is shown on my page. now i want to kill the session of any one of them.

i am applying this check on each page load event:
If Session.Item("valid") Is Nothing Then Response.Redirect("errorpage.aspx")


suppose the following is the session id list:
asdf114125
asdfew2512
343225safs

this means 3 machines are connected to my website.
now i want to kill any one of them by just clicking the session and pressing the save button, so that the session is destroyed.



0
Asked:
azhar_sultan
1 Solution
 
Rejojohny Commented:
session ids are unique keys maintained on the server to identify a session .. i do not think another user can abandon another user's session .. also what is the point in deleting a session .. as long as the user is still connected, his session would anyway be valid .. server would just create another sessionid for that user, the server will assume that the user has just logged in ...
0
 
mydasx Commented:
right, http is connectionless. I.e. abandoning the session would force them to login again. are you trying to boot them or ban them?

This is not directly supported by asp.net. A good way to handle this problem would be to build a catch into your web page. I typically use a parent page that implements methods that are used on each page of an application. I then put things like authorization methods etc on the parent page so that they appear on all pages that inherit from the parent. If you make part of your authorization a validation against a boot list (i.e. create an application variable (arrayList) of users to boot), then when an admin logs in and sees users he wants to boot or ban, he can add them to the boot or ban list. When the user hits any type of post back, authorization happens, and the updated application variable that the admin just posted the booted user's userID value to fires a method that abandons the user's session. Thus booting the user.

Mydasx
0
 
mydasx Commented:
to ban, just create a table in the db that keeps users that are not allowed to authenticate. boot them and ban them at the same time. so do what i said above, and also insert them into the banned user table.

Mydasx
0

 
azhar_sultan Author Commented:
mydasx,
if i create a table in the db then the request goes to the db server each time a page is loaded, so this will reduce the efficiency.

please suggest any other solution.
0
 
azhar_sultan Author Commented:

let me explain what i need, then suggest any solution

there is a login page to access the other pages of my web application.
when the user enters the correct user name and password, i verify this login and password from the database, and if the user name and password are valid then i add the userid to the session as
      Session.Add("userid", textbox1.Text)
and redirect the user to the main page as
      Response.Redirect("main.aspx")
and from this page the user can move to other pages according to his requirement.
on each page load event i write this line
      If Session.Item("userid") Is Nothing Then Response.Redirect("login.aspx")
as you know the above statement will check the session of the user, and if it finds nothing then he is redirected to the login page.

.....now what i want...........
suppose the user successfully logs in from a pc, and now he tries to log in from another pc. when he tries to log in from the other pc, i check that the user is not logged in from another pc; i check this from the db (i explain the table i check against at the end). my sql query tells me that the user is already logged in. i also want to give him the option whether he wants to log out from the other location, and if the user presses yes then i want to kill his session. i know his session id.

table structure

id    user id    login date    logout date    session id
1     1          12/12/2004                   sadsdf747

when i find the logout date null it means the user is already logged in, and when the user clicks the logout button i update the logout date field


---------------------------
i think now i have explained my problem in detail. please suggest any solution

0
 
mydasx Commented:
<< mydasx,
if i create a table in the db then the request goes to the db server each time a page is loaded, so this will reduce the efficiency.

this would only need to happen at authentication time. not authorization time.

0
 
mydasx Commented:
are you doing an update to the Logged in table when the session expires too?  (you will need to do this too.)

this is a functionality you may have found used in fat applications like yahoo messenger etc.  this is quite robust, but doable me thinks.

the same concept applies, you can create an application variable that will store all users logged into the application currently.  If a user tries to authenticate and is found in the application array of current users, you can keep the other user from posting back w/ out log in.  but as http is connectionless that other instance of the user being logged in will just sit there till time out.  If that user is using both systems, or 2 users are using the same login, then this implementation will work fine.  Just verify which instance of the user(sessionid) should be booted.

Mydasx
0
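The boot-list check that mydasx's comments describe, as an added example that is not part of the original thread: a parent page consults an application-wide set of revoked session IDs on every request, so no database call is needed per page. `SessionRevocation` and `SecurePage` are hypothetical names, and the set lives in process memory, so this assumes in-process session state on a single worker process.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Web
Imports System.Web.UI

' Hypothetical helper: application-wide set of session IDs an admin has revoked.
Public NotInheritable Class SessionRevocation
    Private Shared ReadOnly Revoked As New HashSet(Of String)(StringComparer.Ordinal)
    Private Shared ReadOnly Gate As New Object()

    ' Called from the admin page when a session is selected and saved.
    Public Shared Sub Revoke(sessionId As String)
        SyncLock Gate
            Revoked.Add(sessionId)
        End SyncLock
    End Sub

    ' Returns True once for a revoked ID and removes it, so the entry
    ' does not linger after the session has been torn down.
    Public Shared Function Consume(sessionId As String) As Boolean
        SyncLock Gate
            Return Revoked.Remove(sessionId)
        End SyncLock
    End Function
End Class

' Hypothetical parent page; every protected page inherits from it.
Public Class SecurePage
    Inherits Page

    Protected Overrides Sub OnInit(e As EventArgs)
        MyBase.OnInit(e)
        If SessionRevocation.Consume(Session.SessionID) Then
            Session.Clear()
            Session.Abandon()
            ' ASP.NET reuses the same ID while the cookie survives, so expire
            ' it to force a fresh session ID on the next request.
            Dim c As New HttpCookie("ASP.NET_SessionId", "")
            c.Expires = DateTime.UtcNow.AddDays(-1)
            Response.Cookies.Add(c)
            Response.Redirect("login.aspx", True)
        ElseIf Session.Item("userid") Is Nothing Then
            Response.Redirect("login.aspx", True)
        End If
    End Sub
End Class
```

The admin page's save handler would call `SessionRevocation.Revoke` with the selected ID; the targeted user is signed out on the next request that reaches any page inheriting from `SecurePage`.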
 
Rejojohny Commented:
>> i check this from the db (i explain the table i check against at the end). my sql query tells me that the user is already logged in. i also want to give him the option whether he wants to log out from the other location, and if the user presses yes then i want to kill his session. i know his session id.

to ban the user's last login, what u have to do is just remove his entry from the table .. this will ensure that if he continues using the old session, ur validation will catch hold of it ... no need to delete sessionids as this is ensuring that the user closes his first session (close the browser)
0
 
Rejojohny Commented:
Sorry, what i meant was

this is NOT ensuring that the user closes his first session (i.e. closing the browser)
0
 
azhar_sultan Author Commented:
Rejojohny

i wrote the code in the session end event of the asax file, which updates the session id whenever the session expires, so there is no problem when the user closes the window; his session update entry automatically fires when his session expires


0
 
Rejojohny Commented:
but the session expires is not fired if he closes his window before the session timeout period or even if u try to empty the sessionid .. What i am trying to explain is that it is not indicating that the user's session is finished and the session onEnd will not fire and so the database will not get updated .. so what u should be looking at is COPY the code from the session_onend to where u want to empty the sessionid (to ban the user) .. this will ensure that the next time the user tries to refresh a page from an expired session, ur existing validation will take care whether to allow him or not ...
0
 
azhar_sultan Author Commented:
ohhhhhhhhhhhhhhhhhhhh.

i checked this thing as follows: on the server my web application is running in a browser, and some other clients are connected to it.
when they close their browsers the session on end event fires on the server when the time expires and the session will update in the db, but if the application is not running on the server then the session is not updated when the user closes the browser......

please suggest any solution for how i can overcome this problem
0
 
Rejojohny Commented:
what problem? that the session is not killed when the user closes the browser? u need not handle it explicitly .. ie. even if the user closes the browser and the session does not get updated in the DB, the next time the user accesses the application again, it will check in DB and find an entry and u r anyway giving user option to kill the old session and start a new one .. right? the problem was how will u kill the old session .. as i said removing the entry from DB will kill the old session .. no need to handle the session id or empty it ..

>> .....now what i want...........
>> suppose the user successfully logs in from a pc, and now he tries to log in from another pc. when he tries to log in from the other pc, i check that the user is not logged in from another pc; i check this from the db (i explain the table i check against at the end). my sql query tells me that the user is already logged in. i also want to give him the option whether he wants to log out from the other location, and if the user presses yes then i want to kill his session. i know his session id.

Just remove his old record from the DB
0
 
Rejojohny Commented:
another point to note is that if u have session timeout set to 20 minutes and the user does not do any activity for more than 20 minutes .. the session expires .. in the 21st minute the user clicks on some button in the page .. this will start a new session for the user BUT SESSIONID remains the same

have a look here for more details on how to manage session
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/aspnetsessionstate.asp
0
 
Rejojohny Commented:
grade C?? any particular reason? so what was ur final solution?
0
