access_asp thread: This is a second request for AOL problem


Message #1 by "Larry Rosenzweig" <rosenzl@o...> on Wed, 20 Feb 2002 18:33:58
It appears that AOL does not clear session variables after you disconnect.
I have an application that uses a global.asa for session variables. The way it works with IE and Netscape is that when you set the Session.Timeout = 10, the following will happen:

1. If you are idle for 10 minutes, you get logged off.
2. If you close the browser for either IE or Netscape, it clears everything, which is equiv to logging off (the session ends).

My problem is with AOL. What seems to be happening is that if one user logs on and then disconnects from AOL, the next person to log on still has the session from the previous person logged on. Something is not being cleared out. For example, I logged on as admin, where I can see all appointments. Then I disconnected AOL. When I re-connected and just clicked the submit button with no logon info, it still brought up the info from the admin. This does not occur in IE or Netscape. I would be prompted to enter logon info.

Does anyone know why the session is still open after I disconnect and re-connect with AOL? What can I do to make this work? I should not have to clear cache and/or history, because I don't have to do this with IE and Netscape. HHHHEEELLLPPP!

Thanks,

Larry

Message #2 by "Zee Computer Consulting" <zee@t...> on Wed, 20 Feb 2002 18:18:38 -0800
When you say "AOL," I am assuming you mean that AOL is your Internet Service Provider (ISP) and you connect and browse with AOL's specialized software.

Are you then using AOL's specialized software to browse to your page and form? What version of AOL software are you using? I suspect that AOL's embedded web browser keeps a session alive.

You could try using Internet Explorer (or Netscape) outside of AOL software but using the AOL connection -- make your AOL connection and then open Internet Explorer. You should be able to use the AOL software and Internet Explorer at the same time.

For the long term, in my opinion, I would suggest dumping AOL and getting "pure" and "clean" Internet access without the burden of AOL's arcane front-end software.

-- Z












Message #3 by "Larry Rosenzweig" <rosenzl@o...> on Thu, 21 Feb 2002 02:53:48
Z, thanks for getting back to me. I use IE 6.0 and have no problems. I have Netscape and have no problems. I gave a demo at a doctor's office and the Doctor prefers AOL. He said 25 million people use it. I know it stinks. The Doctor had IE, but said it's not activated. I told him, all you have to do is install it. He didn't want to bother.

Anyway, what he did was dialed in to AOL. Then once on the internet, we entered my domain in the address bar. Once we were connected, we got into my application ok. When we got to the authentication screen and entered an email address and password for me (admin), all was still ok. The problem arose after we disconnected from AOL and then dialed in again. Even though I signed on with a different email and password, the previous session was still active.

I had a friend try this on a different PC with AOL, but this time I had them logon as a non-admin. When they disconnected AOL and then reconnected, they were able to get into the application, simply by clicking the submit button. Bottom line is that session was still active.

I cannot make everyone change to IE or Netscape. Is there a simple way to make the session end, without shutting down or restarting the PC?

This could be a very dangerous security breach. You log off, someone else logs on and they are still in your active session, even though they entered a new email address and password.

I would think there are many web developers that use the Global.asa for session variables, who also connect to AOL. I hope I'm wrong.

Any ideas?

Thank you very much!

Larry












Message #4 by "Ken Schaefer" <ken@a...> on Thu, 21 Feb 2002 14:08:17 +1100
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: This could be a very dangerous security breach.  You log off, someone else
: logs on and they are still in your active session, even though they
: entered a new email address and password.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This sounds like a bug in your application.

How are you maintaining session state? Using the built-in ASP session object? Have you *ended* the session on the server? If so, then even if the browser still returns an ASPSessionID cookie, the server won't have a record of this session anymore, and should redirect the user back to the login page.

Alternatively, it could be a caching issue. http://webmaster.aol.com has information on the caching mechanisms used by AOL to cache webpages. Perhaps you need to do more to prevent the pages being caught up in the AOL caching system:

a) set appropriate HTTP headers:
b) add a cache-buster to each page (e.g. append an ?ID=<some large random number or date/time> to each page)

Cheers
Ken






Message #5 by "Larry Rosenzweig" <rosenzl@o...> on Thu, 21 Feb 2002 13:25:10
Ken, I think you were missing my point. There is no bug in my application. Everything works fine with IE and Netscape. The problem is when someone connects/dials into AOL and uses AOL as their browser. Simply put, when you disconnect from the AOL browser and then reconnect again. The prior session is still active. The prior session is related to the Global.asa and internally the Abandon.Session should occur. It apparently does not when using the AOL browser. I use the Session_Onstart. This occurred with 2 unrelated AOL users.

There are many professionals like Doctors, attorneys and accountants that do not want to use IE or Netscape. In my opinion, they are crazy. My question is: Is there a way to unconditionally resolve the session problem with AOL? I can imagine that there must be tons of users of AOL that go through the authentication, using the global.asa. I have read that many recommend that AOL users dial in and then use IE as Browser, but I can't force others to do so.

Larry




Message #6 by "Ken Schaefer" <ken@a...> on Fri, 22 Feb 2002 10:17:50 +1100
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Larry Rosenzweig" <rosenzl@o...>
Subject: [access_asp] Re: This is a second request for AOL problem

: Ken, I think you were missing my point.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No, I don't think I am.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: There is no bug in my application.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I think your application doesn't do enough to defeat the caching mechanisms used by AOL. AOL works in a fundamentally different way to every other ISP that I know of, in that they have vast proxy servers that handle user requests. You are probably getting cached pages from AOL's proxies rather than fresh pages from your server. Maybe I am missing your point, but based on what you have written, this seems to be the most logical conclusion to me.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: Everything works fine with IE and Netscape. The problem is when someone
: connects/dials into AOL and uses AOL as their browser.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I don't understand how the facts in the above sentence contradict my original assertion.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: Simply put, when you disconnect from the AOL browser and then
: reconnect again. The prior session is still active. The prior session is
: related to the Global.asa and internally the Abandon.Session should occur.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a) What Abandon.Session? There is no such thing. Secondly, just because the browser is closed doesn't mean that the *Session_OnEnd* event fires on the server. The server doesn't know that you closed the browser. You need to shorten the Session Timeout period so that you can better guess when someone has closed their browser.

b) DID YOU EVEN GO AND READ THE LINK I POSTED? It appears from the statements above that you did not. Again, I state that it appears that the user is being served a *cached* page by AOL's proxy servers. You need to do more to defeat this caching.

Now, I think AOL's ISP model sucks. But millions of people are happy with it. You need to get your application to work with the way that AOL's proxy network does.

Cheers
Ken



Message #7 by "Raymond Dalton" <rdalton@c...> on Fri, 22 Feb 2002 18:45:54
Technically the session does not actually end when the IE or Netscape browser is closed. The server does not know that the browser has closed, so it keeps the session alive on the server until the timeout is reached.

When you close IE or Netscape the temporary cookie that is used by the server to track the session is erased, so when you open the browser up again and go to the page a new session is created for you.

So, when you leave the application using IE or Netscape the session is still open, but you are no longer using it. When you leave the application using the AOL browser the cookie is not immediately destroyed, and when you go back into the page using that browser the server uses the original session instead of creating a new one.

To fix this issue you have to manually kill the session or wait until the session times out before going back to the page. To kill the session you run the following code:

Session.Abandon

A common way that I do this is to provide a logoff link. For example you could have a logoff link in your page as:

<a href='home.asp?logoff=true'>logoff</a>

Then at the top of home.asp you could have the following code:

<%
' Destroy the server-side session, then reload so a new one is created
IF Request.QueryString("logoff") = "true" THEN
  Session.Abandon
  Response.Redirect "home.asp"
END IF
%>

This would kill the session and then reload the page, thus creating a new session. I hope this helps,



Raymond
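
The two fixes suggested in this thread, the anti-caching HTTP headers from message #4 and the explicit Session.Abandon logoff from message #7, combined in one classic ASP login page. This is an added example, not code posted by any participant. The page name login.asp, the form field names, the Session("UserEmail") key and the stand-in IsValidLogin function are assumptions; the example also goes one step further than the thread by clearing the old session contents on every logon attempt, so an empty submit cannot inherit the previous user's identity even when the browser keeps its session cookie.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' login.asp: added example; page name, form fields and session key are assumptions.

' 1. Tell the browser and any intermediate proxy not to store or reuse this response.
Response.Buffer = True
Response.Expires = -1                      ' mark the page as already expired
Response.CacheControl = "no-cache"         ' sent as the Cache-Control header
Response.AddHeader "Pragma", "no-cache"    ' for HTTP/1.0 caches

' Constructed stand-in for the application's own credential lookup.
Function IsValidLogin(email, password)
    IsValidLogin = (LCase(email) = "demo@example.test" _
                    And password = "constructed-demo-password")
End Function

' 2. Explicit logoff: destroy the server-side session, then reload the page.
If Request.QueryString("logoff") = "true" Then
    Session.Abandon
    Response.Redirect "login.asp"
End If

' 3. Logon attempt: forget whoever was logged on BEFORE checking anything,
'    so a failed or empty submit always ends up unauthenticated.
Dim email, password, message
message = ""
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Session.Contents.RemoveAll             ' requires ASP 3.0 (IIS 5) or later
    email = Trim(Request.Form("email"))
    password = Request.Form("password")
    If email <> "" And password <> "" Then
        If IsValidLogin(email, password) Then
            Session("UserEmail") = email
            Response.Redirect "home.asp"   ' Redirect stops this script here
        End If
    End If
    message = "Logon failed."
End If

' Guard for every protected page (e.g. at the top of home.asp):
'   If Session("UserEmail") = "" Then Response.Redirect "login.asp"
%>
<html><body>
<p><%= Server.HTMLEncode(message) %></p>
<form method="post" action="login.asp">
  Email: <input type="text" name="email">
  Password: <input type="password" name="password">
  <input type="submit" value="Submit">
</form>
<p><a href="login.asp?logoff=true">logoff</a></p>
</body></html>
```

The same four header lines belong at the top of every protected page, since a cached copy of home.asp is what a shared proxy would otherwise hand back.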






