473,322 Members | 1,538 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,322 software developers and data experts.

Killing off my sessions

Hi all,

Having created a secure login, and then create session variables to detect
wether or not a user is logged in - I would now like to be able to off a log
out page! :)

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its own - is
this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob
Nov 18 '05 #1
14 1404
Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
"Rob Meade" <ro**********@NOSPAMubht.swest.nhs.uk> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi all,

Having created a secure login, and then create session variables to detect
wether or not a user is logged in - I would now like to be able to off a log out page! :)

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its own - is this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob

Nov 18 '05 #2
"Alvin Bruney [MVP]" wrote ...
Session clear or removeall is your best bet


Hello Alvin,

Not that I dont believe you - but can you tell me why these are better than
session.abandon (just so that I have a better understanding etc)...

My need is to get rid of the session asap when the logout.aspx page loads -
so I was dumping the code into the page_load event.

Any further help is appreciated,

Regards

Rob
Nov 18 '05 #3
I think Session.Abandon() is the best choice. The other two - Clear() and
RemoveAll() delete all session values but to not terminate the session.
Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
ever be able to access those values whether or not you call Clear() or
RemoveAll().

The only one needed is Session.Abandon().

Dale

"Alvin Bruney [MVP]" <vapor at steaming post office> wrote in message
news:OT**************@TK2MSFTNGP11.phx.gbl...
Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
"Rob Meade" <ro**********@NOSPAMubht.swest.nhs.uk> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi all,

Having created a secure login, and then create session variables to detect wether or not a user is logged in - I would now like to be able to off a

log
out page! :)

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its own -

is
this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob


Nov 18 '05 #4
Abandon() kills the session, so it should be adequate for killing the
session. RemoveAll() will clear out the session values without killing the
session. Clear() does the same thing.

I think the reasoning for the other methods is to force the user out when
they hit the back button. It does not work if they are running under cached
pages anyway, so it is largely an exercise in futility.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************** ********************
Think Outside the Box!
************************************************** ********************
"Rob Meade" <ro**********@NOSPAMubht.swest.nhs.uk> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi all,

Having created a secure login, and then create session variables to detect
wether or not a user is logged in - I would now like to be able to off a log out page! :)

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its own - is this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob

Nov 18 '05 #5
session.abandon() does fire the session_end event in global.asax - clear(),
remove() does not.

so go for session.abandon()

regards
pat
"DalePres" <don-t-spa-m-me@lea-ve-me-a-lone--.com> wrote in message
news:#d**************@TK2MSFTNGP11.phx.gbl...
I think Session.Abandon() is the best choice. The other two - Clear() and
RemoveAll() delete all session values but to not terminate the session.
Once you call Session.Abandon(), neither you, ASP.Net, nor the client will ever be able to access those values whether or not you call Clear() or
RemoveAll().

The only one needed is Session.Abandon().

Dale

"Alvin Bruney [MVP]" <vapor at steaming post office> wrote in message
news:OT**************@TK2MSFTNGP11.phx.gbl...
Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
"Rob Meade" <ro**********@NOSPAMubht.swest.nhs.uk> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi all,

Having created a secure login, and then create session variables to detect wether or not a user is logged in - I would now like to be able to off
a log
out page! :)

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its
own - is
this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob



Nov 18 '05 #6
This is not correct, please see my earlier post for an explanation on why it
isn't so.

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
"Patrick" <pa*****@nn.com> wrote in message
news:uc**************@tk2msftngp13.phx.gbl...
session.abandon() does fire the session_end event in global.asax - clear(), remove() does not.

so go for session.abandon()

regards
pat
"DalePres" <don-t-spa-m-me@lea-ve-me-a-lone--.com> wrote in message
news:#d**************@TK2MSFTNGP11.phx.gbl...
I think Session.Abandon() is the best choice. The other two - Clear() and
RemoveAll() delete all session values but to not terminate the session.
Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
ever be able to access those values whether or not you call Clear() or
RemoveAll().

The only one needed is Session.Abandon().

Dale

"Alvin Bruney [MVP]" <vapor at steaming post office> wrote in message
news:OT**************@TK2MSFTNGP11.phx.gbl...
Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
"Rob Meade" <ro**********@NOSPAMubht.swest.nhs.uk> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
> Hi all,
>
> Having created a secure login, and then create session variables to

detect
> wether or not a user is logged in - I would now like to be able to

off a log
> out page! :)
>
> I have found the following three in the intelli-help stuff :
>
> Session.Abandon()
> Session.Clear()
> Session.RemoveAll()
>
> In vanilla ASP I'd have used Session.Abandon - and probably on its own - is
> this still ok/good enough - should I use the lot?
> Any info would be appreciated please.
>
> Regards
> Rob
>
>



Nov 18 '05 #7
This article may help clear up some of your answers.
http://www.devdex.com/gurus/articles/746.asp

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
"Rob Meade" <ro**********@NOSPAMubht.swest.nhs.uk> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
"Alvin Bruney [MVP]" wrote ...
Session clear or removeall is your best bet
Hello Alvin,

Not that I dont believe you - but can you tell me why these are better

than session.abandon (just so that I have a better understanding etc)...

My need is to get rid of the session asap when the logout.aspx page loads - so I was dumping the code into the page_load event.

Any further help is appreciated,

Regards

Rob

Nov 18 '05 #8
> Once you call Session.Abandon(), neither you, ASP.Net, nor the client
will
ever be able to access those values whether or not you call Clear() or
RemoveAll().
This is not technically accurate. It is possible to access session objects
even after session abandon is called. Page execution would have to totally
cease before your statement would be technically correct. The reason why I
suggested clear or removeall is because in most circumstances it would work.
Consider this: most security code cleanup is usually placed in the session
end event with a strong dependence on the uniqueness of the session id. In
this scenario, calling session abandon will lead to an application which is
not well behaved since session end isn't guaranteed to be called even in
InProc mode.

The literature on this is equally confusing as well but it's rather trivial
to write code to demonstrate this. It doesn't help also that the MSDN help
on session abandon is not accurate as well. There's a lot going on, enough
to be very cautious about giving a clear cut answer. In a nutshell, it
really depends on how your code is structured and what you want to
accomplish. If you want to clear the dictionary, any method will do equally
well. If what you are after is tracking sessions/logins/id's you have to be
very careful with which method you select.
--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
"DalePres" <don-t-spa-m-me@lea-ve-me-a-lone--.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl... I think Session.Abandon() is the best choice. The other two - Clear() and
RemoveAll() delete all session values but to not terminate the session.
Once you call Session.Abandon(), neither you, ASP.Net, nor the client will ever be able to access those values whether or not you call Clear() or
RemoveAll().

The only one needed is Session.Abandon().

Dale

"Alvin Bruney [MVP]" <vapor at steaming post office> wrote in message
news:OT**************@TK2MSFTNGP11.phx.gbl...
Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
"Rob Meade" <ro**********@NOSPAMubht.swest.nhs.uk> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Hi all,

Having created a secure login, and then create session variables to detect wether or not a user is logged in - I would now like to be able to off
a log
out page! :)

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its
own - is
this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob



Nov 18 '05 #9
"Cowboy (Gregory A. Beamer)" wrote ...
It does not work if they are running under cached
pages anyway, so it is largely an exercise in futility.


Do you mean regardless of which of the above I use it'll make no difference
if their pages are cached?

In which case, should I also be adding the no cache stuff to the top of the
page (headers?) like I think I once did in ASP?

Regards

Rob
Nov 18 '05 #10
"Alvin Bruney [MVP]" wrote ...
This article may help clear up some of your answers.
http://www.devdex.com/gurus/articles/746.asp


Thanks for the reply+link - off to have a looky now.

Regards

Rob
Nov 18 '05 #11
"Alvin Bruney [MVP]" wrote ...
This article may help clear up some of your answers.
http://www.devdex.com/gurus/articles/746.asp


Hi Alvin,

I have just read that article, thank you, however I am not using the
session_end event - so does this apply? ie, I have no code in the
global.asax session_end - all I want to do is on the logout.aspx page dump
everything at that stage.

I am currently using all three methods - ie, still the same since posting
this yesterday, when I click on the logout button I get redirected to the
logout page, this then uses all three methods, and some text saying you've
been logged out is displayed.

I tested this this morning by then changing the URL at the top of the page
to a page that if the session was still alive should have let me in, instead
it redirected me to the login page.

Aside from swapping these around and testing each in turn to see if one or
more gives me the result I want (which I currently have with all 3) any
ideas on which I should be using?

Not sure how to test the cached pages stuff that was mentioned yesterday -
is that simply the browser settings for caching (ie, dont get a new page
ever) or something else I'd need to change.

Regards

Rob
Nov 18 '05 #12
Thank you for pointing out the confusion. I was not even thinking about
server cache at the time. I was focusing on the client cache from the user's
browser. When a user has IE set to cache pages, they can hit the back button
and scroll back through the pages in their cache. You can avoid this by
timing out the pages, but then it gives you the ugly "page no longer valid"
message (better than allowing them to hit a page after a session end).

The caching option on the server side is a different creature. Using the
default caching does not affect Session timing out, abandon, et al. I was
focused solely on the client side cache.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************** ********************
Think Outside the Box!
************************************************** ********************
"Rob Meade" <ro**********@NOSPAMubht.swest.nhs.uk> wrote in message
news:OA**************@TK2MSFTNGP10.phx.gbl...
"Cowboy (Gregory A. Beamer)" wrote ...
It does not work if they are running under cached
pages anyway, so it is largely an exercise in futility.
Do you mean regardless of which of the above I use it'll make no

difference if their pages are cached?

In which case, should I also be adding the no cache stuff to the top of the page (headers?) like I think I once did in ASP?

Regards

Rob

Nov 18 '05 #13
Session.Abandon() is your best bet.

with regards,
J.V.Ravichandran
- http://www.geocities.com/
jvravichandran
- http://www.411asp.net/func/search?
qry=Ravichandran+J.V.&cob=aspnetpro
- http://www.southasianoutlook.com
- http://www.MSDNAA.Net
- http://www.csharphelp.com
- http://www.poetry.com/Publications/
display.asp?ID=P3966388&BN=999&PN=2
- Or, just search on "J.V.Ravichandran"
at http://www.Google.com

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Nov 18 '05 #14
"Cowboy (Gregory A. Beamer)" wrote ...
You can avoid this by timing out the pages,
using...

I think we used to use stuff like adding headers to the page in regular
ASP - same in .net?
but then it gives you the ugly "page no longer valid"
message (better than allowing them to hit a page after a session end).


Anyway to replace that page with one of my own? Or is that controlled via
the servers custom error pages etc?
Nov 18 '05 #15

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
by: Danes | last post by:
Does anyone know why Oracle does not provide a package for really killing dbms jobs? I found that lots of people write about how it is done - including oracle - but yet Oracle fail to write a...
3
by: Raghu Raman | last post by:
Hi, am in c#.net project. am using the session object for some logic. e-g:session="Add"; i can refer this by using if(Session=="Add") { logic
0
by: Danes | last post by:
Does anyone know why Oracle does not provide a package for really killing dbms jobs? I found that lots of people write about how it is done - including oracle - but yet Oracle fail to write a...
3
by: eeriehunk | last post by:
Hi All, I am a little confused between a session and a process. I learnt that an Oracle Session is created for every login. And we can run many processes in one session. I have also learnt how to...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.