Is Session Always Cleared?

Greetings,

I was wondering if anyone here has a good understanding of the Session
object. I know there are options like the Session.Abandon method and the
regenerateExpiredSessionId setting, although I do not understand what they
do.

Can anyone tell me if it's possible for a recycled session to still contain
the old data? I had a couple of reports where users said they logged on
and saw another user's data. On this site, there were a couple of cases
where I used the Session object to track information about the current user.

Thanks for any tips or links.

Jonathan

Sep 25 '08
Open a browser instance. Log in.

Type Control + N. Log in in the second browser instance. As both are held in
the same process space, the second browser affects what goes on in the first
browser instance. Try it yourself.

There are a few ways to circumvent this, like forcing a session abandon when
the login page is hit, warning on log in (may have to be generic), but the
best way is called User Education.

If the user has to run as two people at one time (a manager testing your
work, for example), tell them to start both browser instances this way:

Start >Internet Explorer

Then each holds its own process space and they will not share session. They
can also use this method:

Start >Internet Explorer
Start >Firefox
Start >Opera
Start >Safari

and test four users at once.

Now that I know the issue, I am very familiar with it. And unless the user
logs out every time and forces session.abandon, it will continue to happen.

If this is your type of user, I would also disable the back button. The
easiest way is to use JavaScript to go forward one page in history. Then
back takes them back to the current page. There are other tricks to do this.

--
Gregory A. Beamer
MVP, MCP: +I, SE, SD, DBA

Subscribe to my blog
http://feeds.feedburner.com/GregoryBeamer#

or just read it:
http://feeds.feedburner.com/GregoryBeamer

*************** *************** **************
| Think outside the box! |
*************** *************** **************
"Jonathan Wood" <jw***@softcircuits.com> wrote in message
news:%2****************@TK2MSFTNGP03.phx.gbl...
> Hans,
>
>> The session cookie has no expiry-date so the browser treats it as a
>> temporary cookie. It does not get stored and disappears as soon as the
>> browser is closed.
>
> So what do you know about what happens if the browser is not closed? If the
> user enters their username and password, can you think of any way they'd
> still see data from the previous login?
>
>> A guess: the first user did not log out and did not close his browser
>> window, but minimised it. The second user thought he started a fresh
>> instance of the browser but got a new window of the first instance, with
>> the session cookie (and thus the session) of the first user.
>
> But it seems quite certain that the second user (actually, it's one person
> but I'll leave the details out) logged in using the Login control. Can you
> think of any way that could happen without resetting the session?
>
> Thanks.
>
> Jonathan
Sep 26 '08 #11
Heh, well "user education" is seldom an available option.

After talking with the client, it seems unlikely that the data he
inadvertently saw was not for an account that he had recently logged into.
In fact, someone else reported the problem who does not have access to any
other accounts.

I'm officially completely baffled as to how this could ever happen.

Thanks.

--
Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com
Sep 27 '08 #12
> Now that I know the issue, I am very familiar with it. And unless the user
> logs out every time and forces session.abandon, it will continue to
> happen.

In this situation, I use Session.RemoveAll()

Will that clear all session variables the same as Session.Abandon? I think
= yes.

What happens to a Session.Abandon(ed) visitor who continues to browse the
website after logging out?

Thank you
Oct 2 '08 #13
"my cats, Gag and yak" <mr********@comcast.net> wrote in message
news:O5******************************@comcast.com...
>> Now that I know the issue, I am very familiar with it. And unless the
>> user logs out every time and forces session.abandon, it will continue to
>> happen.
>
> In this situation, I use Session.RemoveAll()
>
> Will that clear all session variables the same as Session.Abandon? I
> think = yes.

Yes, but there's more to it than that.

Session.Abandon includes Session.RemoveAll and *also* deletes the SessionID
created for the session. So, subsequent requests would create a new session
with a new SessionID.

Session.RemoveAll() will remove all the user defined session variables *but*
still keep the session intact.

> What happens to a Session.Abandon(ed) visitor who continues to browse the
> website after logging out?

See above...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Oct 2 '08 #14
Am I correct in saying ( I am trying to understand ):

- a Session.RemoveAll() removes all session variables, the same as
Abandon
- however, whoever logs back in uses the same ID, all other info has
been dropped

- Session.Abandon nukes everything
- meaning it also creates a new session?

Thank you

Oct 2 '08 #15
"my cats, Gag and yak" <mr********@comcast.net> wrote in message
news:lu******************************@comcast.com...

[top-posting corrected]

>>>> Now that I know the issue, I am very familiar with it. And unless the
>>>> user logs out every time and forces session.abandon, it will continue
>>>> to happen.
>>>
>>> In this situation, I use Session.RemoveAll()
>>>
>>> Will that clear all session variables the same as Session.Abandon? I
>>> think = yes.
>>
>> Yes, but there's more to it than that.
>>
>> Session.Abandon includes Session.RemoveAll and *also* deletes the
>> SessionID created for the session. So, subsequent requests would create a
>> new session with a new SessionID.
>>
>> Session.RemoveAll() will remove all the user defined session variables
>> *but* still keep the session intact.
>>
>>> What happens to a Session.Abandon(ed) visitor who continues to browse
>>> the website after logging out?
>>
>> See above...
>
> Am I correct in saying ( I am trying to understand ):
>
> - a Session.RemoveAll() removes all session variables, the same as Abandon
> - however, whoever logs back in uses the same ID, all other info has been
> dropped
>
> - Session.Abandon nukes everything - meaning it also creates a new
> session?

The Session object, like almost any other object, has some properties and
methods.

As regards the Session object specifically, it has a collection of
name/value pairs which you, the developer, can read from and write to. When
the Session object is first created (i.e. when someone visits your site for
the first time), some of these name/value pairs are created automatically
for you, including the ID. You can query these initial name/value pairs, but
you can't remove them. However, you can add your own name/value pairs as
your application requires.

The Session object has a Remove() method. This allows you to remove one of
the individual name/value pairs (which you had previously added) from the
collection of name/value pairs.

The Session object has a RemoveAll() method. This allows you to remove all
of the individual name/value pairs (which you had previously added) from the
collection of name/value pairs. However, it does not destroy the Session
object itself, so all the read-only name/value pairs (e.g. the Session ID)
remain. If the user does not navigate away from your site or close their
browser, the Session object remains until / unless it times out naturally.

The Session object has an Abandon() method. This firstly calls the
RemoveAll() method, and then it tears down the session itself by destroying
the Session object. Therefore, if the user continues to try to use your
site, a new Session object will be created. Depending on how you have
designed and implemented the security on your site, the user will be
required to log in again.
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Oct 2 '08 #16
Thank you for your explanation!

Oct 2 '08 #17
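
One way to keep session data tied to the account that created it, whichever session the browser presents at login, as an added example that is not code from any poster in this thread. It assumes Forms authentication behind the Login control and the default session cookie name `ASP.NET_SessionId`; `SessionGuard` and the `SessionOwner` key are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example: SessionGuard and "SessionOwner" are illustrative names,
// not part of ASP.NET.
public static class SessionGuard
{
    private const string OwnerKey = "SessionOwner";

    // Assumption: default cookie name. Change it if web.config sets
    // <sessionState cookieName="..." />.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Call from the Login control's LoggedIn event, e.g.
    //   SessionGuard.BindToUser(Session, ((Login)sender).UserName);
    // The browser may still be presenting a session that belonged to the
    // previous login, so drop its contents before recording the new owner.
    public static void BindToUser(HttpSessionState session, string userName)
    {
        session.Clear();
        session[OwnerKey] = userName;
    }

    // Call from Application_PostAcquireRequestState in Global.asax:
    //   SessionGuard.EnforceOwner(HttpContext.Current);
    // If the session was filled for a different account than the one now
    // authenticated (or for an account that is no longer authenticated),
    // discard its data instead of serving it.
    public static void EnforceOwner(HttpContext context)
    {
        HttpSessionState session = context.Session;
        if (session == null)
        {
            return; // this handler does not use session state
        }

        string owner = session[OwnerKey] as string;
        bool authenticated = context.User != null
            && context.User.Identity.IsAuthenticated;
        string current = authenticated ? context.User.Identity.Name : null;

        if (!string.Equals(owner, current, StringComparison.OrdinalIgnoreCase))
        {
            session.Clear();
            if (current != null)
            {
                session[OwnerKey] = current;
            }
        }
    }

    // Call from the logout handler.
    public static void SignOut(HttpContext context)
    {
        FormsAuthentication.SignOut();
        if (context.Session != null)
        {
            context.Session.Abandon();
        }

        // Expire the session-ID cookie as well, so the browser does not
        // send the old ID on its next request.
        HttpCookie expired = new HttpCookie(SessionCookieName, string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.HttpOnly = true;
        context.Response.Cookies.Add(expired);
    }
}
```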
