By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,640 Members | 1,581 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,640 IT Pros & Developers. It's quick & easy.

ending sessions when browser is closed

P: n/a
We have an environment running ASP on IIS5, where a user
logs in via an ASP login page and an entry is made to the
database recording the users login time and a database
session. If the user then clicks the logout link, the
database is update with their logout time and unlocks
their account by removing the database session.

The problem lies when the user closes the browser ("X").

When this happens, the IIS session is terminated, which is
okay, but the database does not get updated and their
database session is not removed. We have another process
which will then come along and remove inactive database
sessions after 10 minutes of inactivity. So, during this
period of time, the user would not be aloud to log back
in. I am trying to find a way to capture this scenario so
that I can make a call down to the database to force their
account to logout, hence removing the database session.

Any ideas whatsoever would be greatly appreciated.
Jul 19 '05 #1
Share this Question
Share on Google+
5 Replies


P: n/a
From what I have seen in this group there is no reliable way to capture the
end of session when the user closes the browser.

you could modify your login function so that if it detects an active session
for the user attempting to log in:
tell the user that they have a session active
ask if they want to terminate that session and login again

--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"Jennifer Smith" <an*******@discussions.microsoft.com> wrote in message
news:01****************************@phx.gbl...
We have an environment running ASP on IIS5, where a user
logs in via an ASP login page and an entry is made to the
database recording the users login time and a database
session. If the user then clicks the logout link, the
database is update with their logout time and unlocks
their account by removing the database session.

The problem lies when the user closes the browser ("X").

When this happens, the IIS session is terminated, which is
okay, but the database does not get updated and their
database session is not removed. We have another process
which will then come along and remove inactive database
sessions after 10 minutes of inactivity. So, during this
period of time, the user would not be aloud to log back
in. I am trying to find a way to capture this scenario so
that I can make a call down to the database to force their
account to logout, hence removing the database session.

Any ideas whatsoever would be greatly appreciated.

Jul 19 '05 #2

P: n/a
"Jennifer Smith" <an*******@discussions.microsoft.com> wrote in message
news:01****************************@phx.gbl...
We have an environment running ASP on IIS5, where a user
logs in via an ASP login page and an entry is made to the
database recording the users login time and a database
session. If the user then clicks the logout link, the
database is update with their logout time and unlocks
their account by removing the database session.

The problem lies when the user closes the browser ("X").

When this happens, the IIS session is terminated, which is
okay, but the database does not get updated and their
database session is not removed. We have another process
which will then come along and remove inactive database
sessions after 10 minutes of inactivity. So, during this
period of time, the user would not be aloud to log back
in. I am trying to find a way to capture this scenario so
that I can make a call down to the database to force their
account to logout, hence removing the database session.

Any ideas whatsoever would be greatly appreciated.


Unfortunately, there's no reliable way to do it. You could try using
Session_OnEnd() event, but that's not reliable either. Note, that the
behavior you describe above is not really that bad. I have some credit card
websites that will do the same thing to me if I don't logout. They usually
display a message notifying the user that the open session will
automatically close after X number of minutes (in other words, try back in a
few minutes).

You could try storing a cookie on the client, but I don't think I would
recommend that option.

Regards,
Peter Foti
Jul 19 '05 #3

P: n/a
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:uZ**************@tk2msftngp13.phx.gbl...
From what I have seen in this group there is no reliable way to capture the end of session when the user closes the browser.

you could modify your login function so that if it detects an active session for the user attempting to log in:
tell the user that they have a session active
ask if they want to terminate that session and login again


Of course, that would be a bad idea from a security point of view.

Regards,
Peter Foti
Jul 19 '05 #4

P: n/a

"Peter Foti" <pe***@Idontwantnostinkingemailfromyou.com> wrote in message
news:10*************@corp.supernews.com...
for the user attempting to log in:
tell the user that they have a session active
ask if they want to terminate that session and login again


Of course, that would be a bad idea from a security point of view.


depends how its implemented - if every user has a unique ID/password/IP
address then I dont see why it would be a risk... the person logging on
should be the same person who logged off surely, or am I missing something
obvious? (Highly likely!)

Jul 19 '05 #5

P: n/a
"Dan Boylett" <ms*******@crossdata.co.uk> wrote in message
news:eW*************@tk2msftngp13.phx.gbl...

"Peter Foti" <pe***@Idontwantnostinkingemailfromyou.com> wrote in message
news:10*************@corp.supernews.com...
for the user attempting to log in:
tell the user that they have a session active
ask if they want to terminate that session and login again


Of course, that would be a bad idea from a security point of view.


depends how its implemented - if every user has a unique ID/password/IP
address then I dont see why it would be a risk... the person logging on
should be the same person who logged off surely, or am I missing something
obvious? (Highly likely!)


For the most part, you are correct... the average Joe would not know the
next guys username info and the person logging on *should* be the same
person. The problem, though, is that a hacker could be trying to gain
access to the system, and if it ended your session every time he tried to
login with your username, then that would be bad. It's a very small
security risk, but a risk none the less.

Regards,
Peter
Jul 19 '05 #6

This discussion thread is closed

Replies have been disabled for this discussion.