ansaurus

Question

Http session issue

Answer 1

+2 A:

Your session has not ended simply because you left the site. A session remains active for it's timeout period since the last interaction with the site. That's why the session information still exists.

To answer your comment, you can end a session by calling Session.Abandon(). If you want to do it when someone leaves the site, I suggest you do an ajax call on the unload client event of the page that will in turn call Session.Abandon() or at least reset the credentials. However, that may be tricky as the unload will be called even if you leave the page for another page in the your own site, so you have to check for that as well. And yes, it is by design. The default session timeout is 20 minutes unless you specify otherwise.

SirDemon 2009-07-25 13:46:05

Thanks SirDemon, 1. do you mean it is by design, not my code bug at server side? 2. any solution to make user in step (3) input their user name and password?

George2 2009-07-25 13:47:24

Thanks SirDemon, do you have any related tricky code to share? I like and want to try your Ajax code. :-)

George2 2009-07-25 13:54:28

Do you mean unload client event will be triggered if I enter another URL (Google in my sample) and goes to the new URL?

George2 2009-07-25 13:55:38

I mean the unload event will triggered on ANY unloading of the page, whether leaving to an outside site like google, or another page in your OWN site. So the code needs to make sure it doesnt call session.Abandon() when the user stays within your site.

SirDemon 2009-07-25 13:59:30

Thanks SirDemon, 1. I have not used that event before, appreciate if you could recommend me some code sample to make a quick reference?

George2 2009-07-25 14:02:40

Answer 2

+2 A:

Session state will only be lost if the user deletes the session cookie that your server has given to him/her. Or the user does not make a request for a specific (Session.TimeOut property) period. Or if you abandon it in your code.

çağdaş 2009-07-25 13:48:29

Thanks çağdaş, 1. do you mean it is by design, not my code bug at server side? 2. I think session is implemented in cookie, it means even if I am accessing Google, IE still keeps my session cookie for http://mysite/sitemanager? It is very confusing since I change the domain (Google) but IE still keeps session information for previous domain (mysite) 3. any solution to make user in step (3) input their user name and password?

George2 2009-07-25 13:53:32

1. Yep, it's by design. Nothing wrong with your code. 2. It is indeed a cookie, but it will be deleted when the browser is closed. 3. I don't think you can do that. Also I don't think you should try to implement that. Imagine your user is browing your site while searching for something on Google and gets logged out of your site just because of that.

çağdaş 2009-07-25 14:08:13

Thanks çağdaş, my scenario is end user may use shared computer. I do not want the second user to use the 1st user's permission. :-)Any more advice for my issue? Appreciate if any solution could be privided.

George2 2009-07-25 14:12:08

Remember that you can set the Session.Timeout property (http://msdn.microsoft.com/en-us/library/ms525473.aspx) to have a session automatically expired after X minutes. As for shared computer scenario... Well, you can't really do anything about that except having a logout button for the users.

çağdaş 2009-07-25 14:15:41

Thanks çağdaş, but users could forget to click logout. :-)Have you read SirDemon's solution of using page unload event? Do you have any reference sample code?

George2 2009-07-25 14:20:29

I have read it. But I don't suggest you go that way. Don't reinvent the wheel. Have a look at the millions of web pages that use membership and see what they do.

çağdaş 2009-07-25 14:24:25

Thanks çağdaş, 1. why do you think it is re-invent the wheel? 2. what is your final suggestion for me, could you confirm because too many points here, a little confused.

George2 2009-07-25 15:47:00

Well, to sum up. Don't try to find a way to get your users logged out when they navigate to another site. That will only confuse and most likely annoy them. And as for what I meant by "don't reinvent the wheel" was that : Don't try to create a new login system (as in don't try to get your users logged out when they navigate away). Just adapt the widely accepted, proved to be working system (like stackoverflow.com. it doesn't log me out when I navigate away :) ). I hope that was clear :)

çağdaş 2009-07-25 17:51:53

Thanks çağdaş! Your advice is very valuable! I want to follow your advice and keep session alive, and also set a valuable timeout value. I met with an issue when I try to optimize bandwidth while keep session alive. This issue is posted here, appreciate if you could give me some advice. :-)http://stackoverflow.com/questions/1182615/http-meta-refresh-issue

George2 2009-07-25 18:40:35

You're welcome :) I'll try to take a look at your other Q when I get a chance

çağdaş 2009-07-25 19:57:17

Answer 3

+1 A:

This is the way web-sessions work everywhere. To avoid surprising users; you're probably best off just accepting this behavior.

But if you really want your users to log off when they stop using your site, here's how...

Rather than using the unload event (which is going be be problematic to implement because it's difficult to tell when someone is really leaving your site - and what happens if they have two windows to your site open?), I'd suggest shortening the session timeout to 1min, and using a client-side keepalive: essentially the browser pings the server every few seconds (say, 10) at a predetermined url, which does absolutely nothing beyond keep the session alive.

This can be implemented entirely without javascript if need be, via an iframe to a page with a meta-refresh tag. It'd be more robust and simpler in javascript, of course, but a hidden iframe isn't too complex, nor is a meta tag. If the server side refreshing page supports sending 304 Not-modified, you'll have a very low overhead solution too.

In your main file you'd always include something like:

<iframe src="keepalive.aspx" width="1" height="1" />
<!--and perhaps use css to hide the iframe - but test that!-->

And in keepalive.aspx you'd include:

<meta http-equiv="refresh" content="5" />

Finally, as a bandwidth optimization, in the code for keepalive.aspx, you could add a Last-Modified response header, and check whether the browser sent an If-Not-Modified-Since request header, and if it has, send a 304 Not-Modified instead of the full document.

Finally, if you're javascript dependant anyhow (many such log-in based web-apps are), you could instead simply use your favorite ajax framwork to periodically perform a request as well - without requiring the iframe.

Eamon Nerbonne 2009-07-25 14:24:22

Thanks Eamon, why there will be issues of implementing by using of unload event when "if they have two windows to your site open", could you let me know more details please?

George2 2009-07-25 15:48:37

Another interesting point is, will using ajax significantly reduce the bandwidth and workload on server side compared with using Last-Modified response header?

George2 2009-07-25 15:51:22

No, 304-Not-modified and AJAX are both "almost free" both in terms of CPU and bandwidth; they can both be implemented with low-weight custom IHttpHandlers. You could probably easily serve a million clients on one box if that's all it's doing - so don't worry about it; your bottlenecks will lie elsewhere (for example, in the session).

Eamon Nerbonne 2009-07-26 10:14:54

As for window.unload; it's problematic because it may not always fire, you'll need to know 100% certain if the unload is due to loading a page on your site or due to loading another page (a maintenance hassle), and if the unload is due to another site and the user has a second window open, then the unload will trigger the Session.Abandon - also disrupting the second window.A keepalive architecture is much simpler.

Eamon Nerbonne 2009-07-26 10:17:25

ansaurus

tags:

views:

answers:

Http session issue

related questions