Hello everyone,

I am confused about ASP or ASP.Net session life time (or life cycle) concepts. More specifically, my confusions are,

  1. how does IIS magically know a new session starts and an existing session ends? Especially how IIS treats whether a session continues or ends when we call redirect code;
  2. how many different ways are there to set session expire time (currently I only know set through web.config sessionState item)?
  3. Is it possible for one session to access other session's variables?

thanks in advance, George

+3  A: 

Session is generally handled by generating a unique identifier as a cookie on the client's machine. This is usually a session cookie, so you can't easily get to it. When you visit a site that uses sessions, it looks for this cookie. If it doesn't find it, it creates a new one, thus creating a new session.

One way to set the expire time is in the web.config, you can also set it in IIS by going to your website properties -> Home directory tab ->Configuration button -> Options Tab -> Session Timeout.

You will not be able to access someone else's session data.

AaronS
Cool answer. Two more comments, 1. "This is usually a session cookie, so you can't easily get to it. When you visit a site that uses sessions, it looks for this cookie. If it doesn't find it, it creates a new one, thus creating a new session." -- is IIS or our application code underlying implements the logics? 2. "You will not be able to access someone else's session data." -- guaranteed by ASP.Net runtime?
George2
This is fully built in to asp.net (or asp) and happens automatically if you have the session state element set up in your web.config: http://msdn.microsoft.com/en-us/library/h6bb9cz9(VS.80).aspx Not being able to access someone else's session data is guaranteed by the way sessions are handled. All data is tied directly to the unique identifier in the cookie. The only way someone could get to it is if they copy someone else's cookie to their own machine, or modified their cookie to use someone else's GUID, which they would not be able to guess. You shouldn't need to worry about either of these.
AaronS
Thanks @AaronS, 1. I think you mean even if I do not use any session variables explicitly in my code, if I enable session state in my web.config, then a unique session cookie will be created and transferred back and forth between continuous interaction between end user and web server? 2. Will the session cookie be shared between different browser sessions on the same client computer when accessing the same web site? 3. About the session expire time we set, does the expire time mean idle time or the whole life time of session (from begin to the end) even if user is active?
George2
1. You are correct, even if you don't use them, the cookie will be present if set up in your web.config. 2. Your session variables will never be available to another browser session. If you have variables that you want to keep between sessions, you should put them into a physical cookie, with an expiration date: http://msdn.microsoft.com/en-us/library/ms178194.aspx 3. The session times are based on the last time the server detected any activity. The session will stay active forever if the user keeps using it.
AaronS
@AaronS, 1. any ways to extend session expire time; 2. any event listener we could implement to react to session expire event? 3. how do we know for current session when session will expire?
George2
Your global.asax has both session_begin and session_end methods you can use. I'm not sure if there is a way to determine when a current session will expire. You may have to just take a datetime stamp of the time the page was sent to the client, and add 20 minutes to it, or higher if you increase it.
AaronS
@AaronS, 1. I want to confirm with you you mean in session_end method, we could add 20 minutes, could you help to point me to the API please? 2. Since cookie could be shared between different browser sessions to the same web site, and session is implemented in cookie, why session variables can not be shared between different browser sessions? 3. how to set session expire in legacy ASP? still in web.config?
George2
1 and 3) It's been a while since I've worked in classic ASP, but I would set your session timeout in IIS, as I mentioned in my original post. session_end is asp.net specific, I don't remember there being a classic asp equivalent. I could be wrong. 2) the reason is because there are two types of cookies, session cookies and physical cookies. Session cookies only exist in ram on the client machine, and not as physical cookies you can browse to. When the user closes their browser, all session cookies are automatically destroyed.
AaronS
Thanks @AaronS, what happens when we retrieve session variable? Return String.Empty value?
George2
I'm not 100% sure what you're asking. But you should make sure a session variable exists before you try to pull the value out of it. if (Session["KeyName"] != null) { myvariable = Session["KeyName"]; }
AaronS
@AaronS, sorry I mean if session is expired, what value we retrieves from a session variable? String.Empty?
George2
It will return a null value.
AaronS
Actually the reason why I need such tricky to check empty is, I need to implement such scenario -- when the session timeout, I will redirect user to the login page again. Any ideas how to implement this gracefully without checking string empty?
George2
In asp.net you can do this: if (Session.IsNewSession) Response.Redirect("login.aspx"); However, I believe in classic asp you do need to check to see if a session variable is null and then redirect them manually.
AaronS
@AaronS, is there any way in classic ASP to set session never expire?
George2
http://stackoverflow.com/questions/958965/how-to-set-session-never-expire-in-asp
AaronS
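One way to do the timeout-to-login redirect discussed in the comments above, as an added example that is not part of the original thread. The class name `AuthenticatedPage`, the `UserName` key and the `reason=timeout` query string are hypothetical; `ASP.NET_SessionId` is the default session cookie name and differs if `cookieName` is set on `sessionState`.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example. Pages that require a login inherit from this hypothetical base class.
public class AuthenticatedPage : Page
{
    private const string LoginUrl = "~/login.aspx";            // assumed login page
    private const string UserKey = "UserName";                 // assumed key stored at login
    private const string SessionCookie = "ASP.NET_SessionId";  // default cookie name

    // Earliest time the session can idle out if no further request arrives.
    // The timeout is an idle window: each request restarts it.
    protected DateTime IdleDeadlineUtc
    {
        get { return DateTime.UtcNow.AddMinutes(Session.Timeout); }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // A variable from an expired session reads back as null, not String.Empty.
        if (Session[UserKey] != null)
            return; // live, logged-in session

        // IsNewSession is true on a first visit and after the old session is gone
        // (idle timeout, deliberate abandon, or lost in-process state).
        // A new session on a request that still presented the session cookie
        // means the old ID no longer maps to server-side state.
        bool presentedCookie = Request.Cookies[SessionCookie] != null;
        bool timedOut = Session.IsNewSession && presentedCookie;

        string target = LoginUrl + (timedOut ? "?reason=timeout" : string.Empty);

        // endResponse: true stops the page life cycle here, so no protected
        // page code runs for a request without a logged-in session.
        Response.Redirect(target, true);
    }
}
```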
+2  A: 
  1. Session starts because the request does not contain a session cookie or the session cookie it does contain no longer maps to a session. A session ends by a) it has sat idle with no further requests referencing it for the timeout period. b) It's deliberately aborted by code. c) In-process session dies when the process does, e.g. when the app is recycled.

  2. Different ways to change the timeout are basically modifying the web.config anyway or a config file from which the value is inherited.

  3. Not unless the session object is deliberately placed by code somewhere that another session can access it.

AnthonyWJones
Cool! For 1, you said "1.Session starts because the request does not contain a session cookie or the session cookie it does contain no longer maps to a session" -- my confusion is who is responsible to implement the logics about session cookie, ASP.Net runtime? 2. For 3, I think you mean reference the same object instance from different sessions, so modify the reference in one session will impact the value retrieved in another session?
George2
ASP.NET runtime handles all the session creation and cookie creation for you. Fundamentally you could (Don't actually do this!!) maintain a static Dictionary<string, IHttpSessionState> and stick a reference to each session object as it gets created. Using some string key of your own invention you could then have code running in one session access the session object of another. I can't think of a sensible reason for actually doing this, I'm fairly sure it won't end well.
AnthonyWJones
If session is expired, what value we retrieves from a session variable? String.Empty?
George2
It will be Null. I would use String.IsNullOrEmpty method to test its value.
AnthonyWJones
Actually the reason why I need such tricky to check empty is, I need to implement such scenario -- when the session timeout, I will redirect user to the login page again. Any ideas how to implement this gracefully without checking string empty?
George2
if (String.IsNullOrEmpty(Session["AmILoggedIn"] as string)) { // do stuff about not being logged in }
AnthonyWJones
@AnthonyWJones, is there any way in classic ASP to set session never expire?
George2
In ASP-Classic just set the ASP Session timeout to an unreasonably long time and ensure the App Pool timeout is just as unreasonable.
AnthonyWJones
+1  A: 

You can set session timeout programmatically with:

Session.Timeout = 60;
Daniel Serodio
A: 

Don't forget the AppPool settings too...by default (IIS 6 anyway) it will recycle every 120 minutes. So it's possible that someone could lose their session in less than the set Session_Timeout value.

Webjedi