In ASP.NET, should we call Session.Abandon() when an unhandled exception occurs? There are many end users that hit "refresh" or "back" in the web browser in order to resubmit the request. I would like to prevent this behavior by resetting the context. TIA.
views: 150
answers: 2
+1
A:
No.
Resubmitting has nothing to do with ditching the user session. Should the user suffer from bad coding? Make sure all your database actions are transactional, and handle all errors, and this problem will be gone.
Furthermore, there are way better ways to prevent doing double actions when hitting the back or submit button again. For example: our business rules prevent ordering the same product twice within ten minutes for the same object.
Jan Jongboom
2010-01-18 13:32:37
This is not about bad coding, this is about an unhandled exception. Please see http://msdn.microsoft.com/en-us/library/ms229005.aspx. "An application should not handle exceptions that can result in an unexpected or exploitable state. If you cannot predict all possible causes of an exception and ensure that malicious code cannot exploit the resulting application state, you should allow the application to terminate instead of handling the exception."
omatrot
2010-01-18 14:08:20
Unhandled exception == bad coding. Handle the error, log it using log4net or some other framework. But don't bother the user with 500 errors.
Jan Jongboom
2010-01-18 14:17:50
Thanks for the advice, however this is about tolerance against user carelessness rather than a discussion of coding practices. Not to mention that logging is already in place and bugs are always fixed after discovery.
omatrot
2010-01-18 15:41:20
You should never abandon the session. That's it. As a user I don't want to re-login if your application throws an exception.
Jan Jongboom
2010-01-18 16:04:10
Sometimes things are not as simple as that. There are bugs that exhibit in weird situations and the user is not necessarily logged in or checking out a basket. So I think the short answer is "it depends".
omatrot
2010-01-19 07:10:45
No, that's bullshit. A user's session should not expire. Clear the relevant parts of the session but don't abandon the whole session.
Jan Jongboom
2010-01-19 07:50:35
A:
That depends on what you keep in the session. In most cases it won't be good to log the user out just because there's an error in your code. Make a custom error page, and redirect there, so the user can spam refresh on the error page as long as he wants.
Fedor Hajdu
2010-01-18 13:33:57
And yes, if the error occurs because of the input the user has submitted, you might want to check your form validations, and make sure errors don't happen in the first place.
Fedor Hajdu
2010-01-18 13:35:45
User would be logged out and redirected to a custom error page only if a serious problem occurs. That makes sense.
omatrot
2010-01-18 15:45:27
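The approach suggested in the answers above (log the error, clear only the affected session state, redirect to a custom error page) could look like the following `Global.asax` code-behind. This is an added example, not code from any of the posters; the session key names and the `~/Error.aspx` page are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Hypothetical keys that hold per-operation state (assumed names).
    // Authentication data is deliberately not listed, so the user stays logged in.
    private static readonly string[] TransientKeys = { "PendingOrder", "WizardStep" };

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        // Log the full details server-side only; the error page shows none of them.
        // GetBaseException() unwraps the HttpUnhandledException wrapper.
        Trace.TraceError("Unhandled exception on {0}: {1}",
            Context.Request.RawUrl, ex.GetBaseException());

        // Context.Session is null when the failure happened before session
        // state was acquired for this request.
        HttpSessionState session = Context.Session;
        if (session != null)
        {
            foreach (string key in TransientKeys)
            {
                session.Remove(key); // drop possibly inconsistent state, keep the session
            }
        }

        Server.ClearError();

        // Redirecting turns the failed request into a GET of the error page,
        // so pressing refresh reloads that page instead of resubmitting the form.
        Response.Redirect("~/Error.aspx", false);
        CompleteRequest();
    }
}
```

Replacing the `session.Remove` loop with `session.Abandon()` gives the behaviour the question asks about, at the cost of logging the user out on every unhandled error.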