What are the pitfalls of using SessionID to keep track of guests and members logged in

Posted on 2011-10-07
Last Modified: 2012-05-12

I have a problem here. I thought perhaps using a database to keep track of guests and members would be the solution. My goal is to get the number of guests and number of members, as well as which members are on TWO sites. What I have now is:

on SessionBegin (When a user first visits a site)  

InsertRecord in DB /  SessionID(Session.SessionID) / UserID (null) / ClientID (null) / ActiveSession(True) / StartDate / EndDate

on Login (when the user logs in)

Update Record UserID = UserID, ClientID = ClientID  Where SessionID = SessionID

Logout (user logs out and is now a guest)

Update Record UserID = Null, ClientID = Null Where SessionID = SessionID, Set EndTime

on SessionEnd (user has left or has timeout after 60 mins)

Update Record ActiveSession = 0 Where SessionID = SessionID, Set EndTime

ALSO We have a page that sits in between the  two sites (CBT and SG) called InterAppComm.

When a user leaves one site to go to the other via this page I call Session.Abandon (Which calls SessionEnd) and redirect to the other site.  

If the user is logged in I still call Session.Abandon and log the user in on the other end, expecting that the SessionID inserts a new record of the logged-in user. Keeping in mind that every time they leave the site to go to the other I call Session.Abandon, because we want to keep track of only one instance of them. So only ActiveSession is kept for the user.

When I want to get all the members logged in I query give me users Where UserID is not Null and Active Session = 1
and to get all guests get me users where ActiveSession = 1 and UserID is Null

ActiveSession is set to 0 (meaning they left the party) when they are inactive by timing out the 60 minute period, or when they leave the CBT site to go to SG or vice versa (or we have duplicate users).

When testing, we are able to log in to CBT, switch to SG and see we are logged in, in the list of members logged in page. When we log out we get sent back to CBT and are logged out. When we try to log back in, this is where the problem is, because it doesn't update the record or insert a new one based on the SessionID.

What I am trying to understand is if I am using the SessionID correctly and the whole concept of Sessions, Session.Abandon, etc.  

I feel my logic is sound, however the actions may be out of step, or how I am using them is wrong, or even the order of steps is incorrect.  I feel that this would work on a single application but because we have two there is some break somewhere.

I stepped through my code to ensure there are no errors and no SQL exceptions.

Also I have

<sessionState mode="InProc" cookieless="false" timeout="60"  regenerateExpiredSessionId="true"/>  in the webconfig.

any help is greatly appreciated..

Question by:lino_evolution

    Author Comment

    Also, if I call Session.Abandon(), when is the new Session ID created?  Do I have to explicitly do this?
    Or is it when Session_Begin is called? This may help with my problem, because I'm calling Session.Abandon and redirecting the user to the other site.

    Accepted Solution

    Well, according to Microsoft, Session.Abandon only destroys the objects stored in the session

    Good read on SessionIDs

    Check this

    Author Comment

    Still need a little more info here,

    I removed the Session.Abandon when the user moves from sub domain to sub domain:  ->   (removed session abandon)

    This seemed to correct the issue and the users logged in were correctly being removed when the user logs out or when the user times out, but I've returned to this because someone noticed this issue:

    there are instances when the user remains on the list .. my guess is when Session_END is called and goes to the database to remove the record of the user where the SessionID = @SessionID  it does not find it and leaves members displayed as logged in.

    On Session_Start Set a variable;  Session("Start") = Now ; I've read this ensures that the sessionID is static.

    I am doing this on both sub domains  www & SG;  what behavior does this cause?

    Can the session-ID change when visiting both sub domains?

    I was thinking of storing a simple userClass object in the Session that stores the ClientID and UserID, so when the Session ends and the record does not match where the SessionID = @SessionID then I still have the UserID and ClientID (which is set when they login) to match the record and remove it.

    Any more information on this scenario is greatly appreciated.

    Author Comment

    I also have this in my web.config.

    <sessionState mode="InProc" cookieless="false" timeout="60"  regenerateExpiredSessionId="true"/>

    should regenerateExpiredSessionId = TRUE?

    Author Comment

    I thought that, in order to store my user object and keep the session over the two sub domains, I would need to do something like this:

    In the Global.asax file:

    void Application_EndRequest(object sender, EventArgs e)
    {
        // Set the Domain of the session cookie on the outgoing response
        if (Response.Cookies["ASP.NET_SessionId"] != null)
            Response.Cookies["ASP.NET_SessionId"].Domain = "";
    }
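
Added example (not code from the thread): a small Python/sqlite3 model of the tracking table described in the question. It shows that an UPDATE keyed on a SessionID that no longer matches affects zero rows without raising any error, and how the UserID/ClientID fallback proposed in the comment above clears the stale member. The session IDs, UserID 42, ClientID 7, the function names and the insert-on-miss behaviour in `login` are assumptions made for illustration; this models the database logic only, not ASP.NET session handling.

```python
import sqlite3

CLOSE = ("UPDATE Sessions SET ActiveSession = 0, EndDate = datetime('now') "
         "WHERE ActiveSession = 1 AND ")

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Sessions (SessionID TEXT, UserID INTEGER, ClientID INTEGER,"
               " ActiveSession INTEGER, StartDate TEXT, EndDate TEXT)")
    return db

def session_begin(db, sid):
    db.execute("INSERT INTO Sessions VALUES (?, NULL, NULL, 1, datetime('now'), NULL)", (sid,))

def login(db, sid, user_id, client_id):
    # An UPDATE that matches no row raises nothing; rowcount is the only signal.
    cur = db.execute("UPDATE Sessions SET UserID = ?, ClientID = ? "
                     "WHERE SessionID = ? AND ActiveSession = 1", (user_id, client_id, sid))
    if cur.rowcount == 0:
        # Assumed policy: no active row for this ID, so record the member in a new row.
        db.execute("INSERT INTO Sessions VALUES (?, ?, ?, 1, datetime('now'), NULL)",
                   (sid, user_id, client_id))
    return cur.rowcount

def session_end(db, sid, user_id=None, client_id=None):
    # Close by SessionID first; fall back to UserID/ClientID if nothing matched.
    closed = db.execute(CLOSE + "SessionID = ?", (sid,)).rowcount
    if closed == 0 and user_id is not None:
        closed = db.execute(CLOSE + "UserID = ? AND ClientID = ?",
                            (user_id, client_id)).rowcount
    return closed

def counts(db):
    q = "SELECT COUNT(*) FROM Sessions WHERE ActiveSession = 1 AND UserID IS "
    members = db.execute(q + "NOT NULL").fetchone()[0]
    guests = db.execute(q + "NULL").fetchone()[0]
    return members, guests

def demo():
    db = open_db()
    session_begin(db, "sid-A")                  # constructed session IDs
    login(db, "sid-A", 42, 7)                   # constructed UserID / ClientID
    missed = session_end(db, "sid-B")           # end event arrives with a different ID
    stale = counts(db)                          # the member is still listed
    cleared = session_end(db, "sid-B", 42, 7)   # fallback match on UserID/ClientID
    return missed, stale, cleared, counts(db)

if __name__ == "__main__":
    print(demo())
```

Checking the affected-row count after every keyed UPDATE is what turns the silent miss into something the application can log or act on.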

