Solved

ASP.Net login page - clear session sometimes not other times

Posted on 2012-04-03
Last Modified: 2012-06-04
Hi

I've found that despite starting new IE browser windows the SessionID does not always change.  As a result, items in session remain even when closing a browser window and starting a new window.

To get over this, I decided to reset session data when visiting the login page.  When the user logs in everything in session is cleared and there is a "fresh start".

However, this is causing us a problem.  If the user leaves his PC for lunch or whatever, ASP.Net times out and the user has to log in again, and their inputs are lost....

Thanks in advance for help on this

I'd appreciate help on this, thanks
0
Question by:rwallacej
10 Comments
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 37803915
Session state is stored in a non-persistent cookie by default and to the best of my knowledge cannot be changed to persistent. That means it is stored in browser memory and therefore should not exist after shutting the browser down and starting it again.

However, all browser instances, e.g. all IE instances, share the same memory, so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

It's also important to remember the difference between session and authentication, which are separate entities. They both store a cookie (by default); however, they can both have different timeouts. There are different theories about how these timeouts should be set: http://stackoverflow.com/questions/1470777/forms-authentication-timeout-vs-session-timeout.

Surely though you would always want to clear the session when a user logs in? If they go away for lunch and are forced to login again that means that the authentication cookie is expiring, not the session cookie and normally when a user logs in you'd want to clear the session as well. I guess you could force them to login but allow them to keep using their old session however I suspect that may be problematic.

Good reading http://msdn.microsoft.com/en-us/library/ms178194.aspx

Also it sounds like you are storing data in the session that would be better persisted to a database or similar. You don't want to store much in the session and if you are finding you need to there is probably a better solution.

Hope that helps.
0
 

Author Comment

by:rwallacej
ID: 37812518
Thanks for comments.

See mine below.
1) ...all browser instances, e.g. all IE instances, share the same memory, so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

-I think this may be why I am seeing the same session ID

2) Surely though you would always want to clear the session when a user logs in
- not really in my case.  The user configures their inputs.

Part of this may involve raking for data and this can easily be longer than the logout period.

If they haven't saved their configuration they'd lose work with always clearing session when they log in again
0
 
LVL 21

Accepted Solution

by:
Dale Burrell earned 500 total points
ID: 37814206
Well you can always extend the logout(authentication) timeout.

I don't quite understand the difference between the 2 scenarios: you want the person to be logged out when they go away for lunch, then come back, log in and have their session data ready and waiting.

But in some situations (I don't understand when??) someone is opening a new browser window (which maybe isn't actually new) and getting an old session? Is it someone else's session? Their own old session?

You could always store the ID of the logged in user in a session variable and if the new user logging in is different to the one stored then you can clear the session to ensure the new user gets a clean session?
0
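
The approach suggested in the answer above, as an added example that is not part of the original thread: the session records its owner, and data survives a re-login only for that same user. The `SessionOwner` key, the `UserName` and `Password` text boxes, the `LoginButton_Click` handler name and the use of `Membership.ValidateUser` for the credential check are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;

public partial class Login : Page
{
    // Hypothetical session key recording which user owns the session data.
    private const string OwnerKey = "SessionOwner";

    // True only when the session already belongs to the user logging in.
    // A session with no recorded owner is treated as foreign: its contents
    // cannot be attributed to anyone, so they are not carried over.
    internal static bool KeepSessionFor(HttpSessionState session, string userName)
    {
        var owner = session[OwnerKey] as string;
        return owner != null &&
               string.Equals(owner, userName, StringComparison.OrdinalIgnoreCase);
    }

    // Assumed to be wired to the login button; UserName and Password are
    // assumed TextBox controls declared in the page markup.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserName.Text.Trim();

        // Check credentials before touching the session, so a failed login
        // attempt can neither wipe nor claim another user's data.
        if (!Membership.ValidateUser(userName, Password.Text))
        {
            return;
        }

        // Same user re-authenticating after an authentication timeout:
        // keep the unsaved inputs. Anyone else starts with a clean session.
        if (!KeepSessionFor(Session, userName))
        {
            Session.Clear();
        }
        Session[OwnerKey] = userName;

        // Issue a non-persistent forms authentication cookie and return the
        // user to the page they originally requested.
        FormsAuthentication.RedirectFromLoginPage(userName, false);
    }
}
```

Because the session ID is deliberately kept across the login here, the preserved data is only as well protected as the session cookie itself.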

 

Author Comment

by:rwallacej
ID: 37814333
I don't want user to log out when they go for lunch (unless they click logout), .net logs them out
When user closes website, then opens new browser & goes to website then there is same session Id (this may be because they aren't closing all browser windows?)

I think your idea to store user logged in in session variable & clear session only if different user is what I'll do
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 37814354
You can set your authentication timeout for much longer if you don't want them to be automatically logged out.
0
 
LVL 19

Expert Comment

by:Amandeep Singh Bhullar
ID: 38026043
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 38026044
I believe I fully answered the question.
0
