

What are the pitfalls of using SessionID to keep track of guests and members logged in

Posted on 2011-10-07
Last Modified: 2012-05-12

I have a problem here. I thought perhaps using a database to keep track of guests and members would be the solution. My goal is to get the number of guests and the number of members, as well as which members are on TWO sites. What I have now is:

on SessionBegin (When a user first visits a site)  

InsertRecord in DB / SessionID(Session.SessionID) / UserID (null) / ClientID (null) / ActiveSession(True) / StartDate/EndDate

on Login (when the user logs in)

Update Record UserID = UserID, ClientID = ClientID  Where SessionID = SessionID

Logout (user logs out and is now a guest)

Update Record UserID = Null, ClientID = Null Where SessionID = SessionID, Set EndTime

on SessionEnd (user has left or has timeout after 60 mins)

Update Record ActiveSession = 0 Where SessionID = SessionID, Set EndTime

ALSO We have a page that sits in between the  two sites (CBT and SG) called InterAppComm.

When a user leaves one site to go to the other via this page I call Session.Abandon (Which calls SessionEnd) and redirect to the other site.  

If the user is logged in I still call Session.Abandon and log the user in on the other end, expecting that the SessionID inserts a new record of the logged in user. Keep in mind that every time they leave the site to go to the other I call Session.Abandon, because we want to keep track of only one instance of them. So only one ActiveSession is kept for the user.

When I want to get all the members logged in, I query: give me users where UserID is not Null and ActiveSession = 1,
and to get all guests: get me users where ActiveSession = 1 and UserID is Null.

ActiveSession is set to 0 (meaning they left the party) when they are inactive by timing out the 60 minute period, or when they leave the CBT site to go to SG or vice versa (or we have duplicate users).

When testing, we are able to log in to CBT, switch to SG and see that we are logged in, in the list of members logged in page. When we log out we get sent back to CBT and are logged out. When we try to log back in, this is where the problem is, because it doesn’t update the record or insert a new one based on the SessionID.

What I am trying to understand is if I am using the SessionID correctly and the whole concept of Sessions, Session.Abandon, etc.  

I feel my logic is sound; however, the actions may be out of step, or how I am using them is wrong, or even the order of steps is incorrect. I feel that this would work on a single application, but because we have two there is some break somewhere.

I stepped through my code to ensure there are no errors and no SQL exceptions.

Also I have

<sessionState mode="InProc" cookieless="false" timeout="60"  regenerateExpiredSessionId="true"/>  in the web.config.

Any help is greatly appreciated.

Question by:lino_evolution

Author Comment

ID: 36933967
Also, if I call Session.Abandon(), when is the new Session ID created? Do I have to explicitly do this?
Or is Session_Begin called? This may help with my problem, because I'm calling Session.Abandon and redirecting the user to the other site.

Accepted Solution

CodeCruiser earned 2000 total points
ID: 36935965
Well, according to Microsoft, Session.Abandon only destroys the objects stored in the session.


Good read on SessionIDs


Check this


Author Comment

ID: 37006185
Still need a little more info here,

I removed the Session.Abandon when the user moves from sub domain to sub domain:

www.stopsmokingcenter.net  -> sg.stopsmokingcenter.net   (removed session abandon)

This seemed to correct the issue, and the users logged in were correctly being removed when the user logs out or when the user times out, but I've returned to this because someone noticed this issue.

There are instances when the user remains on the list. My guess is that when Session_END is called and goes to the database to remove the record of the user where the SessionID = @SessionID, it does not find it and leaves members displayed as logged in.

On Session_Start Set a variable;  Session("Start") = Now ; I've read this ensures that the sessionID is static.

I am doing this on both sub domains  www & SG;  what behavior does this cause?

Can the session-ID change when visiting both sub domains?

I was thinking of storing a simple userClass object in the Session that stores the ClientID and UserID, so when the session ends and the record does not match where the SessionID = @SessionID, I still have the UserID and ClientID (which are set when they log in) to match the record and remove it.

Any more information on this scenario is greatly appreciated.
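
An added example, not part of the original thread and not the poster's code: a small Python/SQLite model of the bookkeeping described in the question, showing how a member can stay on the list when logout only matches on SessionID, and how the UserID/ClientID fallback proposed in the comment above clears it. The table name `Presence`, the session IDs, and the user and client values are constructed, and the model assumes each sub domain issues its own session ID.

```python
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical table holding the columns listed in the question.
    db.execute("CREATE TABLE Presence (SessionID TEXT, UserID INTEGER, "
               "ClientID INTEGER, ActiveSession INTEGER)")
    return db

def session_start(db, sid):              # Session_Start: every visitor begins as a guest
    db.execute("INSERT INTO Presence VALUES (?, NULL, NULL, 1)", (sid,))

def login(db, sid, user, client):        # Login: attach the member to this session's row
    db.execute("UPDATE Presence SET UserID=?, ClientID=? WHERE SessionID=?",
               (user, client, sid))

def logout_by_session(db, sid):          # Logout as in the thread: keyed on SessionID only
    db.execute("UPDATE Presence SET UserID=NULL, ClientID=NULL WHERE SessionID=?",
               (sid,))

def logout_by_member(db, user, client):  # Fallback: clear every active row of this member
    db.execute("UPDATE Presence SET UserID=NULL, ClientID=NULL "
               "WHERE UserID=? AND ClientID=? AND ActiveSession=1", (user, client))

def members_online(db):
    # DISTINCT so a member with a row on each site is counted once.
    return db.execute("SELECT COUNT(DISTINCT UserID) FROM Presence "
                      "WHERE ActiveSession=1 AND UserID IS NOT NULL").fetchone()[0]

def guests_online(db):
    return db.execute("SELECT COUNT(*) FROM Presence "
                      "WHERE ActiveSession=1 AND UserID IS NULL").fetchone()[0]

def scenario(logout):
    """Member 7 logs in on www, moves to sg (assumed: a different session ID), logs out on sg."""
    db = open_db()
    session_start(db, "www-1"); login(db, "www-1", 7, 1)   # constructed IDs
    session_start(db, "sg-1");  login(db, "sg-1", 7, 1)
    logout(db)
    return members_online(db), guests_online(db)

stale = scenario(lambda db: logout_by_session(db, "sg-1"))
fixed = scenario(lambda db: logout_by_member(db, 7, 1))
print("logout keyed on SessionID       (members, guests):", stale)
print("logout keyed on UserID/ClientID (members, guests):", fixed)
```

In the second run the same browser is counted as two guests, one row per site, because the model keeps the thread's one-row-per-session layout.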

Author Comment

ID: 37006217
I also have this in my web.config.

<sessionState mode="InProc" cookieless="false" timeout="60"  regenerateExpiredSessionId="true"/>

Should regenerateExpiredSessionId = TRUE?

Author Comment

ID: 37006329
I thought that in order to store my user object and keep the session over the two sub domains I would need to do something like this:

In the Global.asax file:

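void Application_EndRequest(object sender, EventArgs e)
{
    // Response.Cookies["..."] creates the cookie when it is missing, so test AllKeys instead.
    if (Array.IndexOf(Response.Cookies.AllKeys, "ASP.NET_SessionId") >= 0)
        Response.Cookies["ASP.NET_SessionId"].Domain = ".stopsmokingcenter.net";
}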

