Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

ASP.Net login page - clear session sometimes not other times

Posted on 2012-04-03
10
Medium Priority
?
985 Views
Last Modified: 2012-06-04
Hi

I've found that despite starting new IE browser windows the SessionID does not always change.  As a result, items in session remain even when closing a browser window and starting new window

To get over this, I decided to reset session data when visiting the login page.  When the user logs in everything in session is cleared and there is a "fresh start".

However, this is causing us a problem.  If user leaves his PC for lunch or whatever ASP.Net times out and user has to login again, and their inputs are lost....

Thanks in advance for help on this

I'd appreciate help on this, thanks
0
Comment
Question by:rwallacej
  • 4
  • 2
10 Comments
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 37803915
Session state is stored in a non-persistent cookie by default and to the best of my knowledge cannot be changed to persistent. That means it is stored in browser memory and therefore should not exist after shutting the browser down and starting it again.

However, all browsers instances e.g. all IE instances share the same memory so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

Its also important to remember the difference between session and authentication - which are separate entities. They both store a cookie (by default) however they can both have different timeouts. There are different theories about how these timeouts should be set http://stackoverflow.com/questions/1470777/forms-authentication-timeout-vs-session-timeout.

Surely though you would always want to clear the session when a user logs in? If they go away for lunch and are forced to login again that means that the authentication cookie is expiring, not the session cookie and normally when a user logs in you'd want to clear the session as well. I guess you could force them to login but allow them to keep using their old session however I suspect that may be problematic.

Good reading http://msdn.microsoft.com/en-us/library/ms178194.aspx

Also it sounds like you are storing data in the session that would be better persisted to a database or similar. You don't want to store much in the session and if you are finding you need to there is probably a better solution.

Hope that helps.
0
 

Author Comment

by:rwallacej
ID: 37812518
Thanks for comments.

See mine below.
1)...all browsers instances e.g. all IE instances share the same memory so if you leave even one copy of IE open it will remember your sessions. If you close them all and open a fresh one it should not. If it actually does then I think you've found a bug in IE.

-I think this may be why I am seeing the same session ID

2) Surely though you would always want to clear the session when a user logs in
- not really in my case.  The user configures their inputs.

Part of this may involve raking for data and this can easily be longer than the logout period.

If they haven't saved their configuration they'd loose work with always clearing session when they login again
0
 
LVL 21

Accepted Solution

by:
Dale Burrell earned 2000 total points
ID: 37814206
Well you can always extend the logout(authentication) timeout.

I don't quite understand the difference between the2 scenarios, you want the person to be logged out when they go away for lunch, then come back, login and have their session data ready and waiting.

But in some situations (I don't understand when??) someone is opening a new browser window (which maybe isn't actually new) and getting an old session? Is it someone elses session? There own old session?

You could always store the ID of the logged in user in a session variable and if the new user logging in is different to the one stored then you can clear the session to ensure the new user gets a clean session?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:rwallacej
ID: 37814333
I don't want user to log out when they go for lunch (unless they click logout), .net logs them out
When user closes website, then opens new browser & goes to website then there is same session Id (this may be because they aren't closing all browser windows?)

I think your idea to store user logged in in session variable & clear session only if different user is what I'll do
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 37814354
You can set your authentication timeout for much longer if you don't want them to be automatically logged out.
0
 
LVL 19

Expert Comment

by:Amandeep Singh Bhullar
ID: 38026043
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 21

Expert Comment

by:Dale Burrell
ID: 38026044
I believe I fully answered the question.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question