Lost Session Variable

Hi experts,

i have some issue into my web application

i have a lot of session variable :

session("userid")
session("guid")
etc...

when i test my website, i log into my website many many times (without logout method, just close window => like many users do... (just simulate for debugging))
the problem is after 2 or 3 login, sometimes i lost the content of the session variable!

here is my webconfig :

<authentication mode="Forms">
      <forms name=".SESSION" loginUrl="Log.aspx" protection="All"/>
</authentication>

I also tried this :


<authentication mode="Forms">
      <forms name=".SESSION" loginUrl="Log.aspx" protection="All" timeout = "30"/>
</authentication>

i lost my session variable as always...

i don't where is the problem, i use IE 6

please help.

regards
LVL 2
Dnx_7Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bsdotnetCommented:
Login timeout is different from session variable timeout (by default is 20min), you can set session variable timeout (e.g. to one hour) by
 Session.Timeout = 60
0
Dnx_7Author Commented:
where i have to put this?
in the session start?
or in the page load of "log.aspx"
0
bsdotnetCommented:
In page load of your first aspx page (think is log.aspx), just execute once will do.
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Dnx_7Author Commented:
ok, i'll test.

regards
0
AGBrownCommented:
Dnx_7,

I'm a little confused by your scenario. As far as I can work out, you shouldn't ever be able to recover the session variables once you have closed your browser. If you close your browser, and then open a new browser window, you will create a new session altogether - so you shouldn't be able to access the session variable. Session's are defined using a cookie that is sent to the user's browser. When the browser is exited, that cookie will disappear.

In this case, the only way to keep information between sessions would be to permanently persist it to a database, or to store it in the ApplicationState - but the latter is accessible by all users, so you need to be very careful.

Have you tried using something like Fiddler (available for free on the web) to check your cookies? I would expect that when you "lose" your session variable it's because the session cookie has changed.

Andy
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dnx_7Author Commented:
can you explain me how can i see if the cookie has changed in fiddler?

regards
0
AGBrownCommented:
Sure. Assuming you have Fiddler running:
-your requests are shown on the left hand side.
-open and log in to your application
-click on the requests for the first page once you have logged in.
-On the right handd side of Fiddler, click on Session Inspector
-Underneath the Headers tab, there is a State tree node. Underneath this is a cookie for the session. It will say something like ASP.NET_SessionId=lskjjr55tq1z2fudcuqsnl55.
-Now log out, log in again, compare the cookies for the protected pages.

Then you can see if the session Id changes when you "lose" your session variables.

You may need to click on Tools, Fiddler Options and change the state of the "Reuse connections" checkbox if you are having any unexpected problems.

Andy
0
AGBrownCommented:
0
Dnx_7Author Commented:
sorry for the late

you are right AGBrown!!!

the cookie session doesn't change when i logged in and then logged out and then logged in again
how could it be?

because i use this in the loggingOut

        Session.RemoveAll()
        Session.Abandon()
        FormsAuthentication.SignOut()

what can i do to "renew" the cookie?

regards
0
AGBrownCommented:
Dnx_7,

At first this was confusing, so I went off and did some more reading, and found this:
http://msdn.microsoft.com/library/en-us/dnaspp/html/aspnetsessionstate.asp?frame=true

The key paragraph being:
"The session ID of stateless applications doesn't change with the next access if the session timed out or is abandoned. By design, even though the session state expires, the session ID lasts until the browser session is ended. This means that the same session ID is used to represent multiple sessions over time as long as the browser instance remains the same."

Now what is odd is that this is the behaviour that you observer, and yet it is _not_ the behaviour that I observe in my application. My logout button simply calls Session.Abandon() and then FormsAuthentication.SignOut(). The next login then has a new session associated with it.

The only possible difference that I can see might be between your code and mine is that I have code inside the Session_Start and Session_End event handlers in Global, but there is nothing that would affect the session.

It might be worth starting another question and see if anyone has any idea.

Andy
0
AGBrownCommented:
Scratch that, I checked again and in fact it _is_ the behaviour that I see. However, Session.Abandon() definitely clears my session variables consistently so that the next login is effectively starting from scratch.

So when I said "When the browser is exited, that cookie will disappear." this is correct. However, the postscript to this is that if you only log out, then you will have the same session id when you next log back in. Session.Abandon() will have abandoned the previous "session" (i.e., all the variables will be gone), this fits with what that reference says:

"The session ID of stateless applications doesn't change with the next access if the session timed out or is abandoned. By design, even though the session state expires, the session ID lasts until the browser session is ended. This means that the same session ID is used to represent multiple sessions over time as long as the browser instance remains the same."

And FormsAuthentication.SignOut() ensures that the cookie that the browser is using is no longer associated with an authenticated user.

Andy
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.