Solved

ASP.Net login page - clear session sometimes not other times

Posted on 2012-04-03
Last Modified: 2012-06-04
Hi

I've found that despite starting new IE browser windows the SessionID does not always change.  As a result, items in session remain even when closing a browser window and starting a new window.

To get over this, I decided to reset session data when visiting the login page.  When the user logs in everything in session is cleared and there is a "fresh start".

However, this is causing us a problem.  If the user leaves his PC for lunch or whatever, ASP.Net times out and the user has to log in again, and their inputs are lost....

Thanks in advance for help on this

I'd appreciate help on this, thanks
Question by:rwallacej
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 37803915
Session state is stored in a non-persistent cookie by default and to the best of my knowledge cannot be changed to persistent. That means it is stored in browser memory and therefore should not exist after shutting the browser down and starting it again.

However, all browser instances, e.g. all IE instances, share the same memory, so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

It's also important to remember the difference between session and authentication, which are separate entities. They both store a cookie (by default); however, they can both have different timeouts. There are different theories about how these timeouts should be set: http://stackoverflow.com/questions/1470777/forms-authentication-timeout-vs-session-timeout.

Surely though you would always want to clear the session when a user logs in? If they go away for lunch and are forced to login again that means that the authentication cookie is expiring, not the session cookie and normally when a user logs in you'd want to clear the session as well. I guess you could force them to login but allow them to keep using their old session however I suspect that may be problematic.

Good reading http://msdn.microsoft.com/en-us/library/ms178194.aspx

Also it sounds like you are storing data in the session that would be better persisted to a database or similar. You don't want to store much in the session and if you are finding you need to there is probably a better solution.

Hope that helps.
0
 

Author Comment

by:rwallacej
ID: 37812518
Thanks for comments.

See mine below.
1) ...all browser instances, e.g. all IE instances, share the same memory, so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

-I think this may be why I am seeing the same session ID

2) Surely though you would always want to clear the session when a user logs in
- not really in my case.  The user configures their inputs.

Part of this may involve raking for data and this can easily be longer than the logout period.

If they haven't saved their configuration they'd lose work with always clearing session when they log in again.
0
 
LVL 21

Accepted Solution

by:
Dale Burrell earned 500 total points
ID: 37814206
Well you can always extend the logout(authentication) timeout.

I don't quite understand the difference between the 2 scenarios. You want the person to be logged out when they go away for lunch, then come back, log in and have their session data ready and waiting.

But in some situations (I don't understand when??) someone is opening a new browser window (which maybe isn't actually new) and getting an old session? Is it someone else's session? Their own old session?

You could always store the ID of the logged in user in a session variable and if the new user logging in is different to the one stored then you can clear the session to ensure the new user gets a clean session?
0
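The owner check suggested in the answer above, as an added example (not code from the thread). It assumes Forms authentication backed by a Membership provider; the `LoginSession` class and the `SessionOwner` key are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example: keeps session data across a re-login by the same user,
// and clears it when a different user signs in from the same browser.
public static class LoginSession
{
    // Hypothetical session key recording which user owns the session data.
    private const string OwnerKey = "SessionOwner";

    // Call from the login page's submit handler with the posted credentials.
    public static bool SignIn(HttpContext context, string userName, string password)
    {
        // Verify credentials first; a failed attempt must not touch
        // (or take ownership of) whatever is already in the session.
        if (!Membership.ValidateUser(userName, password))
            return false;

        ResetIfOwnerChanged(context.Session, userName);

        // Issue a non-persistent forms authentication ticket.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    // Returns true when the session was cleared.
    public static bool ResetIfOwnerChanged(HttpSessionState session, string userName)
    {
        string owner = session[OwnerKey] as string;

        // Assumption: the provider treats user names case-insensitively.
        bool sameUser = owner != null &&
            string.Equals(owner, userName, StringComparison.OrdinalIgnoreCase);

        if (!sameUser)
        {
            // A different user, or data with no recorded owner (for example,
            // values stored before anyone logged in): start clean so nothing
            // from the previous session is visible to this user.
            session.Clear();
        }

        session[OwnerKey] = userName;
        return !sameUser;
    }
}
```

The comparison runs only after the credentials have been validated, so the surviving session data is always tied to an authenticated owner.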
 

Author Comment

by:rwallacej
ID: 37814333
I don't want user to log out when they go for lunch (unless they click logout), .net logs them out
When user closes website, then opens new browser & goes to website then there is same session Id (this may be because they aren't closing all browser windows?)

I think your idea to store user logged in in session variable & clear session only if different user is what I'll do
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 37814354
You can set your authentication timeout for much longer if you don't want them to be automatically logged out.
0
 
LVL 19

Expert Comment

by:Amandeep Singh Bhullar
ID: 38026043
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 38026044
I believe I fully answered the question.
0


Question has a verified solution.
