What are the pitfalls of using SessionID to keep track of guets and members logged in


I have a problem here.  I thought perhaps using a database to keep track of guests and members would be the solution. My Goal is to give me the number of guests and number of members as well which members are on TWO sites.   What I have now is I have

on SessionBegin (When a user first visits a site)  

InsertRecord in DB /  SessionID(Session.SessionID) / UserID (null) / ClientID (null) / ActiveSession(True) / StarDatet/EndDate

on Login (when the user logs in)

Update Record UserID = UserID, ClientID = ClientID  Where SessionID = SessionID

Logout (user logs out and is now a guest)

Update Record UserID = Null, ClientID = Null Where SessionID = SessionID, Set EndTime

on SessionEnd (user has left or has timeout after 60 mins)

Update Record ActiveSession = 0 Where SessionID = SessionID, Set EndTime

ALSO We have a page that sits in between the  two sites (CBT and SG) called InterAppComm.

When a user leaves one site to go to the other via this page I call Session.Abandon (Which calls SessionEnd) and redirect to the other site.  

If the user is logged in I still call Session.Abandon and Log the User in on the other end expecting that the SessionID  inserts a new record of the Logged in User.  Keeping in mind every time they leave the site to go to the other Call Session.Abandon because we want to keep track of only one instance of them.  So only ActiveSession is kept for the user.

When I want to get all the members logged in I query give me users Where UserID is not Null and Active Session = 1
and to get all guests get me users where ActiveSession = 1 and UserID is Null

ActiveSession is set to 0 (meaning they left the party) when they are inactive by timing out the 60 minute period, when they leave CBT site to go to the SG or vice versa (or we have duplicates users)

When testing, we are able to login CBT,  switch to SG and see we are logged in , in the list of members logged in page,  when we logout we get sent back to CBT and are logged out, when we try Log back in, this is where the problem is because it doesn’t update the record or insert a new one based on the SessionID  

What I am trying to understand is if I am using the SessionID correctly and the whole concept of Sessions, Session.Abandon, etc.  

I feel my logic is sound, however the actions maybe out of step or how I am using them is wrong or even the order of steps is incorrect.  I feel that this would work on a single application but because we have two there is some break somewhere.

I stepped through my code to ensure there are no errors and no SQL exceptions.

Also I have

<sessionState mode="InProc" cookieless="false" timeout="60"  regenerateExpiredSessionId="true"/>  in the webconfig.

any help is greatly appreciated..

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lino_evolutionAuthor Commented:
Also If I call Session.Abandon()  when is the New Session ID created?  Do I have to explcitly do this?
Or is on Session_Begin Called.  Cause this may help with my problem cause im calling Session.Abandon and redirecting the user to the other site.
Well according to Microsoft, Session.Abondon only destroys the objects stored in the session


Good read on SessionIDs


Check this


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lino_evolutionAuthor Commented:
Still need a little more info here,

I removed the Session.Abandon when the user moves from sub domain to sub domain:

www.stopsmokingcenter.net  -> sg.stopsmokingcenter.net   (removed session abandon)

This seemed to to correct the issue and the users logged in were correctly being removed when the user logs out or when the user times out..  but ive returned to this cause someone noticed this issue..

there are instances when the user remains on the list .. my guess is when Session_END is called and goes to the database to remove the record of the user where the SessionID = @SessionID  it does not find it and leaves members displayed as logged in.

On Session_Start Set a variable;  Session("Start") = Now ; I've read this ensures that the sessionID is static.

I am doing this on both sub domains  www & SG;  what behavior does this cause?

Can the session-ID change when visiting both sub domains?

I was thinking of storing a simple userClass object in the Session that stores the ClientID and UserID  so when the Session_Ends. and the record does not match where the SessionID = @SessionID then I still have the UserID and CLientID (which is set when they login)  to match the record and remove it.

Any more information on this scenario is greatly appreciated.
lino_evolutionAuthor Commented:
I also have this in my web.config.

<sessionState mode="InProc" cookieless="false" timeout="60"  regenerateExpiredSessionId="true"/>

should regenerateExpiredSessionId = TRUE?
lino_evolutionAuthor Commented:
I thought in order to store my user Object and keep the session over the two sub domains would I need to do something like this

In the Global.asax file:

void Application_EndRequest(object sender, EventArgs e)
if (Response.Cookies["ASP.NET_SessionId"] != null)
Response.Cookies["ASP.NET_SessionId"].Domain = ".stopsmokingcenter.net";

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Visual Basic.NET

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.