Avatar of lino_evolution
lino_evolutionFlag for Afghanistan

asked on 

What are the pitfalls of using SessionID to keep track of guets and members logged in


I have a problem here.  I thought perhaps using a database to keep track of guests and members would be the solution. My Goal is to give me the number of guests and number of members as well which members are on TWO sites.   What I have now is I have

on SessionBegin (When a user first visits a site)  

InsertRecord in DB /  SessionID(Session.SessionID) / UserID (null) / ClientID (null) / ActiveSession(True) / StarDatet/EndDate

on Login (when the user logs in)

Update Record UserID = UserID, ClientID = ClientID  Where SessionID = SessionID

Logout (user logs out and is now a guest)

Update Record UserID = Null, ClientID = Null Where SessionID = SessionID, Set EndTime

on SessionEnd (user has left or has timeout after 60 mins)

Update Record ActiveSession = 0 Where SessionID = SessionID, Set EndTime

ALSO We have a page that sits in between the  two sites (CBT and SG) called InterAppComm.

When a user leaves one site to go to the other via this page I call Session.Abandon (Which calls SessionEnd) and redirect to the other site.  

If the user is logged in I still call Session.Abandon and Log the User in on the other end expecting that the SessionID  inserts a new record of the Logged in User.  Keeping in mind every time they leave the site to go to the other Call Session.Abandon because we want to keep track of only one instance of them.  So only ActiveSession is kept for the user.

When I want to get all the members logged in I query give me users Where UserID is not Null and Active Session = 1
and to get all guests get me users where ActiveSession = 1 and UserID is Null

ActiveSession is set to 0 (meaning they left the party) when they are inactive by timing out the 60 minute period, when they leave CBT site to go to the SG or vice versa (or we have duplicates users)

When testing, we are able to login CBT,  switch to SG and see we are logged in , in the list of members logged in page,  when we logout we get sent back to CBT and are logged out, when we try Log back in, this is where the problem is because it doesn’t update the record or insert a new one based on the SessionID  

What I am trying to understand is if I am using the SessionID correctly and the whole concept of Sessions, Session.Abandon, etc.  

I feel my logic is sound, however the actions maybe out of step or how I am using them is wrong or even the order of steps is incorrect.  I feel that this would work on a single application but because we have two there is some break somewhere.

I stepped through my code to ensure there are no errors and no SQL exceptions.

Also I have

<sessionState mode="InProc" cookieless="false" timeout="60"  regenerateExpiredSessionId="true"/>  in the webconfig.

any help is greatly appreciated..

Visual Basic.NET

Avatar of undefined
Last Comment
Avatar of lino_evolution
Flag of Afghanistan image


Also If I call Session.Abandon()  when is the New Session ID created?  Do I have to explcitly do this?
Or is on Session_Begin Called.  Cause this may help with my problem cause im calling Session.Abandon and redirecting the user to the other site.
Avatar of Nasir Razzaq
Nasir Razzaq
Flag of United Kingdom of Great Britain and Northern Ireland image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of lino_evolution
Flag of Afghanistan image


Still need a little more info here,

I removed the Session.Abandon when the user moves from sub domain to sub domain:

www.stopsmokingcenter.net  -> sg.stopsmokingcenter.net   (removed session abandon)

This seemed to to correct the issue and the users logged in were correctly being removed when the user logs out or when the user times out..  but ive returned to this cause someone noticed this issue..

there are instances when the user remains on the list .. my guess is when Session_END is called and goes to the database to remove the record of the user where the SessionID = @SessionID  it does not find it and leaves members displayed as logged in.

On Session_Start Set a variable;  Session("Start") = Now ; I've read this ensures that the sessionID is static.

I am doing this on both sub domains  www & SG;  what behavior does this cause?

Can the session-ID change when visiting both sub domains?

I was thinking of storing a simple userClass object in the Session that stores the ClientID and UserID  so when the Session_Ends. and the record does not match where the SessionID = @SessionID then I still have the UserID and CLientID (which is set when they login)  to match the record and remove it.

Any more information on this scenario is greatly appreciated.
Avatar of lino_evolution
Flag of Afghanistan image


I also have this in my web.config.

<sessionState mode="InProc" cookieless="false" timeout="60"  regenerateExpiredSessionId="true"/>

should regenerateExpiredSessionId = TRUE?
Avatar of lino_evolution
Flag of Afghanistan image


I thought in order to store my user Object and keep the session over the two sub domains would I need to do something like this

In the Global.asax file:

void Application_EndRequest(object sender, EventArgs e)
if (Response.Cookies["ASP.NET_SessionId"] != null)
Response.Cookies["ASP.NET_SessionId"].Domain = ".stopsmokingcenter.net";

Visual Basic.NET
Visual Basic.NET

Visual Basic .NET (VB.NET) is an object-oriented programming language implemented on the .NET framework, but also supported on other platforms such as Mono and Silverlight. Microsoft launched VB.NET as the successor to the Visual Basic language. Though it is similar in syntax to Visual Basic pre-2002, it is not the same technology,

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo