ASP.Net login page - clear session sometimes not other times

Hi

I've found that despite starting new IE browser windows the SessionID does not always change.  As a result, items in session remain even when closing a browser window and starting a new window.

To get over this, I decided to reset session data when visiting the login page.  When the user logs in everything in session is cleared and there is a "fresh start".

However, this is causing us a problem.  If user leaves his PC for lunch or whatever ASP.Net times out and user has to login again, and their inputs are lost....

Thanks in advance for help on this

I'd appreciate help on this, thanks
rwallacej Asked:
 
Dale Burrell (Director) Commented:
Well you can always extend the logout(authentication) timeout.

I don't quite understand the difference between the 2 scenarios, you want the person to be logged out when they go away for lunch, then come back, login and have their session data ready and waiting.

But in some situations (I don't understand when??) someone is opening a new browser window (which maybe isn't actually new) and getting an old session? Is it someone else's session? Their own old session?

You could always store the ID of the logged in user in a session variable and if the new user logging in is different to the one stored then you can clear the session to ensure the new user gets a clean session?
0
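
The suggestion above (record the logged-in user in Session and clear only when a different user signs in), sketched as an added example that is not code from the thread. The key name `__SessionOwner`, the `SignIn` handler and the `~/Default.aspx` landing page are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example: keep Session contents only when the same user signs in again.
public static class SessionOwnership
{
    // Hypothetical key name; any key the application does not use elsewhere works.
    private const string OwnerKey = "__SessionOwner";

    // Call only after the credentials have been validated.
    // Returns true when stale data was discarded.
    public static bool BindToUser(HttpSessionStateBase session, string authenticatedUser)
    {
        var previousOwner = session[OwnerKey] as string;
        bool sameUser = previousOwner != null &&
            string.Equals(previousOwner, authenticatedUser, StringComparison.OrdinalIgnoreCase);

        bool cleared = false;
        if (!sameUser && session.Count > 0)
        {
            // Different user, or data with no recorded owner: start clean.
            session.Clear();
            cleared = true;
        }
        session[OwnerKey] = authenticatedUser;
        return cleared;
    }
}

public partial class Login : Page
{
    // Hypothetical handler; userName and password would come from the page's controls.
    protected void SignIn(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            return; // failed login: leave the existing session untouched

        SessionOwnership.BindToUser(new HttpSessionStateWrapper(Session), userName);
        FormsAuthentication.SetAuthCookie(userName, false); // non-persistent auth cookie
        Response.Redirect("~/Default.aspx"); // hypothetical landing page
    }
}
```

The session ID stays the same across this login, so anything kept in Session is still reachable with the pre-login session cookie.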
 
Dale Burrell (Director) Commented:
Session state is stored in a non-persistent cookie by default and to the best of my knowledge cannot be changed to persistent. That means it is stored in browser memory and therefore should not exist after shutting the browser down and starting it again.

However, all browser instances e.g. all IE instances share the same memory so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

It's also important to remember the difference between session and authentication - which are separate entities. They both store a cookie (by default) however they can both have different timeouts. There are different theories about how these timeouts should be set http://stackoverflow.com/questions/1470777/forms-authentication-timeout-vs-session-timeout.

Surely though you would always want to clear the session when a user logs in? If they go away for lunch and are forced to login again that means that the authentication cookie is expiring, not the session cookie and normally when a user logs in you'd want to clear the session as well. I guess you could force them to login but allow them to keep using their old session however I suspect that may be problematic.

Good reading http://msdn.microsoft.com/en-us/library/ms178194.aspx

Also it sounds like you are storing data in the session that would be better persisted to a database or similar. You don't want to store much in the session and if you are finding you need to there is probably a better solution.

Hope that helps.
0
 
rwallacej (Author) Commented:
Thanks for comments.

See mine below.
1)...all browser instances e.g. all IE instances share the same memory so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

-I think this may be why I am seeing the same session ID

2) Surely though you would always want to clear the session when a user logs in
- not really in my case.  The user configures their inputs.

Part of this may involve raking for data and this can easily be longer than the logout period.

If they haven't saved their configuration they'd lose work with always clearing session when they login again.
0
 
rwallacej (Author) Commented:
I don't want user to log out when they go for lunch (unless they click logout), .net logs them out
When user closes website, then opens new browser & goes to website then there is same session Id (this may be because they aren't closing all browser windows?)

I think your idea to store user logged in in session variable & clear session only if different user is what I'll do
0
 
Dale Burrell (Director) Commented:
You can set your authentication timeout for much longer if you don't want them to be automatically logged out.
0
 
Amandeep Singh Bhullar Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
Dale Burrell (Director) Commented:
I believe I fully answered the question.
0