Solved

ASP.Net login page - clear session sometimes not other times

Posted on 2012-04-03
10
967 Views
Last Modified: 2012-06-04
Hi

I've found that despite starting new IE browser windows the SessionID does not always change.  As a result, items in session remain even when closing a browser window and starting new window

To get over this, I decided to reset session data when visiting the login page.  When the user logs in everything in session is cleared and there is a "fresh start".

However, this is causing us a problem.  If user leaves his PC for lunch or whatever ASP.Net times out and user has to login again, and their inputs are lost....

Thanks in advance for help on this

I'd appreciate help on this, thanks
0
Comment
Question by:rwallacej
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
10 Comments
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 37803915
Session state is stored in a non-persistent cookie by default and to the best of my knowledge cannot be changed to persistent. That means it is stored in browser memory and therefore should not exist after shutting the browser down and starting it again.

However, all browsers instances e.g. all IE instances share the same memory so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

Its also important to remember the difference between session and authentication - which are separate entities. They both store a cookie (by default) however they can both have different timeouts. There are different theories about how these timeouts should be set http://stackoverflow.com/questions/1470777/forms-authentication-timeout-vs-session-timeout.

Surely though you would always want to clear the session when a user logs in? If they go away for lunch and are forced to login again that means that the authentication cookie is expiring, not the session cookie and normally when a user logs in you'd want to clear the session as well. I guess you could force them to login but allow them to keep using their old session however I suspect that may be problematic.

Good reading http://msdn.microsoft.com/en-us/library/ms178194.aspx

Also it sounds like you are storing data in the session that would be better persisted to a database or similar. You don't want to store much in the session and if you are finding you need to there is probably a better solution.

Hope that helps.
0
 

Author Comment

by:rwallacej
ID: 37812518
Thanks for comments.

See mine below.
1)...all browsers instances e.g. all IE instances share the same memory so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

-I think this may be why I am seeing the same session ID

2) Surely though you would always want to clear the session when a user logs in
- not really in my case.  The user configures their inputs.

Part of this may involve raking for data and this can easily be longer than the logout period.

If they haven't saved their configuration they'd loose work with always clearing session when they login again
0
 
LVL 21

Accepted Solution

by:
Dale Burrell earned 500 total points
ID: 37814206
Well you can always extend the logout(authentication) timeout.

I don't quite understand the difference between the2 scenarios, you want the person to be logged out when they go away for lunch, then come back, login and have their session data ready and waiting.

But in some situations (I don't understand when??) someone is opening a new browser window (which maybe isn't actually new) and getting an old session? Is it someone elses session? There own old session?

You could always store the ID of the logged in user in a session variable and if the new user logging in is different to the one stored then you can clear the session to ensure the new user gets a clean session?
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:rwallacej
ID: 37814333
I don't want user to log out when they go for lunch (unless they click logout), .net logs them out
When user closes website, then opens new browser & goes to website then there is same session Id (this may be because they aren't closing all browser windows?)

I think your idea to store user logged in in session variable & clear session only if different user is what I'll do
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 37814354
You can set your authentication timeout for much longer if you don't want them to be automatically logged out.
0
 
LVL 19

Expert Comment

by:Amandeep Singh Bhullar
ID: 38026043
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 38026044
I believe I fully answered the question.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
Wouldn’t it be nice if you could test whether an element is contained in an array by using a Contains method just like the one available on List objects? Wouldn’t it be good if you could write code like this? (CODE) In .NET 3.5, this is possible…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question