Link to home
Create AccountLog in
Avatar of Dnx_7
Dnx_7Flag for Belgium

asked on

Lost Session Variable

Hi experts,

i have some issue into my web application

i have a lot of session variable :

session("userid")
session("guid")
etc...

when i test my website, i log into my website many many times (without logout method, just close window => like many users do... (just simulate for debugging))
the problem is after 2 or 3 login, sometimes i lost the content of the session variable!

here is my webconfig :

<authentication mode="Forms">
      <forms name=".SESSION" loginUrl="Log.aspx" protection="All"/>
</authentication>

I also tried this :


<authentication mode="Forms">
      <forms name=".SESSION" loginUrl="Log.aspx" protection="All" timeout = "30"/>
</authentication>

i lost my session variable as always...

i don't where is the problem, i use IE 6

please help.

regards
SOLUTION
Avatar of bsdotnet
bsdotnet

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of Dnx_7

ASKER

where i have to put this?
in the session start?
or in the page load of "log.aspx"
Avatar of bsdotnet
bsdotnet

In page load of your first aspx page (think is log.aspx), just execute once will do.
Avatar of Dnx_7

ASKER

ok, i'll test.

regards
ASKER CERTIFIED SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Avatar of Dnx_7

ASKER

can you explain me how can i see if the cookie has changed in fiddler?

regards
Sure. Assuming you have Fiddler running:
-your requests are shown on the left hand side.
-open and log in to your application
-click on the requests for the first page once you have logged in.
-On the right handd side of Fiddler, click on Session Inspector
-Underneath the Headers tab, there is a State tree node. Underneath this is a cookie for the session. It will say something like ASP.NET_SessionId=lskjjr55tq1z2fudcuqsnl55.
-Now log out, log in again, compare the cookies for the protected pages.

Then you can see if the session Id changes when you "lose" your session variables.

You may need to click on Tools, Fiddler Options and change the state of the "Reuse connections" checkbox if you are having any unexpected problems.

Andy
Avatar of Dnx_7

ASKER

sorry for the late

you are right AGBrown!!!

the cookie session doesn't change when i logged in and then logged out and then logged in again
how could it be?

because i use this in the loggingOut

        Session.RemoveAll()
        Session.Abandon()
        FormsAuthentication.SignOut()

what can i do to "renew" the cookie?

regards
Dnx_7,

At first this was confusing, so I went off and did some more reading, and found this:
http://msdn.microsoft.com/library/en-us/dnaspp/html/aspnetsessionstate.asp?frame=true

The key paragraph being:
"The session ID of stateless applications doesn't change with the next access if the session timed out or is abandoned. By design, even though the session state expires, the session ID lasts until the browser session is ended. This means that the same session ID is used to represent multiple sessions over time as long as the browser instance remains the same."

Now what is odd is that this is the behaviour that you observer, and yet it is _not_ the behaviour that I observe in my application. My logout button simply calls Session.Abandon() and then FormsAuthentication.SignOut(). The next login then has a new session associated with it.

The only possible difference that I can see might be between your code and mine is that I have code inside the Session_Start and Session_End event handlers in Global, but there is nothing that would affect the session.

It might be worth starting another question and see if anyone has any idea.

Andy
Scratch that, I checked again and in fact it _is_ the behaviour that I see. However, Session.Abandon() definitely clears my session variables consistently so that the next login is effectively starting from scratch.

So when I said "When the browser is exited, that cookie will disappear." this is correct. However, the postscript to this is that if you only log out, then you will have the same session id when you next log back in. Session.Abandon() will have abandoned the previous "session" (i.e., all the variables will be gone), this fits with what that reference says:

"The session ID of stateless applications doesn't change with the next access if the session timed out or is abandoned. By design, even though the session state expires, the session ID lasts until the browser session is ended. This means that the same session ID is used to represent multiple sessions over time as long as the browser instance remains the same."

And FormsAuthentication.SignOut() ensures that the cookie that the browser is using is no longer associated with an authenticated user.

Andy