Is Session Always Cleared?

Greetings,

I was wondering if anyone here has a good understanding of the Session
object. I know there are options like the Session.Abandon method and the
regenerateExpiredSessionId setting, although I do not understand what they
do.

Can anyone tell me if it's possible for a recycled session to still contain
the old data? I had a couple of reports where users said they logged on
and saw another user's data. On this site, there were a couple of cases
where I used the Session object to track information about the current user.

Thanks for any tips or links.

Jonathan

Sep 25 '08 #1
Jonathan Wood wrote:
> Greetings,
>
> I was wondering if anyone here has a good understanding of the Session
> object. I know there are options like the Session.Abandon method and the
> regenerateExpiredSessionId setting, although I do not understand what
> they do.
>
> Can anyone tell me if it's possible for a recycled session to still
> contain the old data? I had a couple of reports where users said
> they logged on and saw another user's data. On this site, there were a
> couple of cases where I used the Session object to track information
> about the current user.
>
> Thanks for any tips or links.
>
> Jonathan

The session id is stored in a cookie in the browser, and is matched
against the existing Session objects on the server.

If a Session object has timed out, it's gone forever. If an expired
session id is reused, a new empty Session object is created for it.

A session id could possibly be spoofed, but that is hardly what your
users are doing, so the Session objects are most likely not the reason
why some user could see some other user's data.

Are you using any static variables in your application?

--
Göran Andersson
_____
http://www.guffa.com
Sep 25 '08 #2
"Göran Andersson" <gu***@guffa.com> wrote in message
news:%2***************@TK2MSFTNGP06.phx.gbl...
> The session id is stored in a cookie in the browser, and is matched
> against the existing Session objects on the server.
>
> If a Session object has timed out, it's gone forever. If an expired
> session id is reused, a new empty Session object is created for it.
>
> A session id could possibly be spoofed, but that is hardly what your users
> are doing, so the Session objects are most likely not the reason why some
> user could see some other user's data.

Yeah, no one is trying to hack the site. So, as far as you are concerned,
one session would never see the Session data used by another user?

> Are you using any static variables in your application?

No, I store any persisting data in the Session object or the database. It's
the first big site I created (although I've been programming for many, many
years). I'm now prepared to review my code in detail but, to be honest, I
really have no idea what this could be.

Note that, normally, the site works exactly as expected.

Thanks.

Jonathan

Sep 25 '08 #3
Your problem is not session. It is more likely you have a cache issue, a
singleton, static variables or the users are using the same computer.
Perhaps you have something stored in application, or you have tried some
form of global object. The session, used as a place to hang session data, is
not a problem.

--
Gregory A. Beamer
MVP, MCP: +I, SE, SD, DBA

Subscribe to my blog
http://feeds.feedburner.com/GregoryBeamer#

or just read it:
http://feeds.feedburner.com/GregoryBeamer

********************************************
| Think outside the box! |
********************************************
Sep 25 '08 #4
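
An added illustration of the static-variable cause named in the reply above (not code from the thread): a console model of two users' requests, in which `ProfilePage`, its members, the session ids and the sample users are hypothetical. The static field is shared by every request, while the per-session store is not.

```csharp
// Added illustration, not code from the thread. ProfilePage, the session ids
// and the user names are hypothetical stand-ins for an ASP.NET page and Session.
using System;
using System.Collections.Generic;

class ProfilePage
{
    // Flawed: a static field exists once per application, not once per user.
    static string currentUser;

    // Stand-in for ASP.NET Session: one dictionary per session id.
    static readonly Dictionary<string, Dictionary<string, string>> sessions =
        new Dictionary<string, Dictionary<string, string>>();

    static Dictionary<string, string> SessionFor(string sessionId)
    {
        Dictionary<string, string> s;
        if (!sessions.TryGetValue(sessionId, out s))
        {
            s = new Dictionary<string, string>();
            sessions[sessionId] = s;
        }
        return s;
    }

    // First half of a request: remember who is logged on.
    public static void BeginRequest(string sessionId, string user)
    {
        currentUser = user;                     // shared by everyone
        SessionFor(sessionId)["user"] = user;   // private to this session
    }

    // Second half: render the page from the remembered value.
    public static string RenderFromStatic()
    {
        return "Account of " + currentUser;
    }

    public static string RenderFromSession(string sessionId)
    {
        return "Account of " + SessionFor(sessionId)["user"];
    }
}

class Program
{
    static void Main()
    {
        // Constructed sequence: bob's request arrives before alice's page renders.
        ProfilePage.BeginRequest("sid-A", "alice");
        ProfilePage.BeginRequest("sid-B", "bob");

        Console.WriteLine("static : alice sees \"{0}\"", ProfilePage.RenderFromStatic());
        Console.WriteLine("session: alice sees \"{0}\"", ProfilePage.RenderFromSession("sid-A"));
    }
}
```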
Thanks for the additional vote of confidence on Session.

There is a slight possibility that at least one of the users did log on as
other users. I will quiz them on if they might have logged on as the users
whose data they saw when they logged on as themselves.

I don't know that's the issue but I'll explore it. Is there a
straightforward way to allow multiple users to log on from the same computer?

Jonathan

Sep 25 '08 #5
Jonathan Wood explained:
> Thanks for the additional vote of confidence on Session.
>
> There is a slight possibility that at least one of the users did log on as
> other users. I will quiz them on if they might have logged on as the users
> whose data they saw when they logged on as themselves.
>
> I don't know that's the issue but I'll explore it. Is there a
> straightforward way to allow multiple users to log on from the same computer?
>
> Jonathan

What exactly do you mean by "multiple users logging in from the same
computer"?

If there is just one user at a time then there shouldn't be a problem.
If the first user closes his browser after he is finished, the session
cookie is forgotten. A new browser instance will use a new session.
When the first user logs out, you can destroy the session server side
(Session.Abandon).

However, two users at *the same time* from the same computer could lead
to problems. The various browser windows could use the same cookie set.
So when a second user opens a new window, he could be automatically
using the session of the first user.

I think that Firefox uses the same cookie set for all its windows. For
IE it depends on how the new window is started.

Hans Kesting
Sep 25 '08 #6
Hans,

> What exactly do you mean by "multiple users logging in from the same
> computer"?

I'm sorry. It's hard to know how to better state it than that. Unless you
clarify which part is unclear.

> If there is just one user at a time then there shouldn't be a problem.
> If the first user closes his browser after he is finished, the session
> cookie is forgotten. A new browser instance will use a new session.
> When the first user logs out, you can destroy the session server side
> (Session.Abandon).

Well, I don't know if it's a given that the browser was closed in between.
But even if it was, the cookie could remain after the browser is closed.
However, what if any data remains from that cookie is something I don't
know.

> However, two users at *the same time* from the same computer could lead to
> problems. The various browser windows could use the same cookie set. So
> when a second user opens a new window, he could be automatically using the
> session of the first user.

No, I'm not considering the possibility that multiple users were logging on
to the site on the same computer at the same time.

> I think that Firefox uses the same cookie set for all its windows. For IE
> it depends on how the new window is started.

In fact, the case where I have the most information about the problem (which
isn't much) is specifically on Firefox. But I still don't see how this could
be an issue.

Thanks.

Jonathan

Sep 25 '08 #7
on 25-9-2008, Jonathan Wood supposed:
> Hans,
>
>> What exactly do you mean by "multiple users logging in from the same
>> computer"?
>
> I'm sorry. It's hard to know how to better state it than that. Unless you
> clarify which part is unclear.

I gave some possibilities below

>> If there is just one user at a time then there shouldn't be a problem.
>> If the first user closes his browser after he is finished, the session
>> cookie is forgotten. A new browser instance will use a new session.
>> When the first user logs out, you can destroy the session server side
>> (Session.Abandon).
>
> Well, I don't know if it's a given that the browser was closed in between.
> But even if it was, the cookie could remain after the browser is closed.
> However, what if any data remains from that cookie is something I don't know.

The session cookie has no expiry-date so the browser treats it as a
temporary cookie. It does not get stored and disappears as soon as the
browser is closed.

>> However, two users at *the same time* from the same computer could lead to
>> problems. The various browser windows could use the same cookie set. So
>> when a second user opens a new window, he could be automatically using the
>> session of the first user.
>
> No, I'm not considering the possibility that multiple users were logging on
> to the site on the same computer at the same time.
>
>> I think that Firefox uses the same cookie set for all its windows. For IE
>> it depends on how the new window is started.
>
> In fact, the case where I have the most information about the problem (which
> isn't much) is specifically on Firefox. But I still don't see how this could
> be an issue.

A guess: the first user did not log out and did not close his browser
window, but minimised it. The second user thought he started a fresh
instance of the browser but got a new window of the first instance,
with the session cookie (and thus the session) of the first user.

> Thanks.
>
> Jonathan

Sep 25 '08 #8
Hans,

> The session cookie has no expiry-date so the browser treats it as a
> temporary cookie. It does not get stored and disappears as soon as the
> browser is closed.

So what do you know about what happens if the browser is not closed? If the
user enters their username and password, can you think of any way they'd
still see data from the previous login?

> A guess: the first user did not log out and did not close his browser
> window, but minimised it. The second user thought he started a fresh
> instance of the browser but got a new window of the first instance, with
> the session cookie (and thus the session) of the first user.

But it seems quite certain that the second user (actually, it's one person
but I'll leave the details out) logged in using the Login control. Can you
think of any way that could happen without resetting the session?

Thanks.

Jonathan

Sep 25 '08 #9
What normally happens in these scenarios is user 2 (or user 1 logging in as
user 2) spawns a second browser instance using File >N (or control + N).
This puts the second instance in the process space for the first instance.
They then use the site under that context and switch back to context 1. Or
user 1 comes back and instance 1 is still open.

You see it a lot in testing and have to train testers to open a new browser
instance from the start menu. This is especially true in "manager testing".

In these cases, you are grabbing the same session.

--
Gregory A. Beamer
MVP, MCP: +I, SE, SD, DBA

Subscribe to my blog
http://feeds.feedburner.com/GregoryBeamer#

or just read it:
http://feeds.feedburner.com/GregoryBeamer

********************************************
| Think outside the box! |
********************************************

Sep 26 '08 #10
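
An added example for the shared-browser case discussed above, not code from the thread: in ASP.NET, forms authentication and session state use separate cookies, so signing in as a different user in the same browser keeps the existing session id and its contents unless the application clears them. It assumes Web Forms with forms authentication and the default `ASP.NET_SessionId` cookie name; the `SessionOwner` key and the `SessionReset` class are hypothetical.

```csharp
// Added example, not code from the thread. Assumes ASP.NET Web Forms with
// forms authentication; "SessionOwner" and SessionReset are hypothetical names.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string OwnerKey = "SessionOwner";

    // Runs on every request once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null)
            return; // request handled without session state (e.g. static files)

        string current = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name
            : string.Empty;
        string owner = ctx.Session[OwnerKey] as string;

        // The session cookie survives a new login in the same browser, so data
        // stored for the previous user is still attached to this request.
        // Drop it whenever the authenticated name no longer matches the owner.
        // Note: this also clears anything stored while the visitor was anonymous.
        if (owner != null &&
            !string.Equals(owner, current, StringComparison.OrdinalIgnoreCase))
        {
            ctx.Session.Clear();
        }
        ctx.Session[OwnerKey] = current;
    }
}

public static class SessionReset
{
    // Call from the logout handler.
    public static void SignOut(HttpContext ctx)
    {
        FormsAuthentication.SignOut();          // removes the auth ticket cookie

        if (ctx.Session != null)
        {
            ctx.Session.Clear();                // empty the current session now
            ctx.Session.Abandon();              // destroy it at end of request
        }

        // Abandon() discards the server-side data, but the browser would keep
        // sending the old session id. Expire the cookie so the next request
        // is issued a new id.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.Now.AddDays(-1),
            HttpOnly = true
        };
        ctx.Response.Cookies.Add(expired);
    }
}
```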
