ASP.NET 1.x and 2.0 Application Design: Application design with ASP.NET 1.0, 1.1, and 2.0.
Welcome to the p2p.wrox.com Forums.
You are currently viewing the ASP.NET 1.x and 2.0 Application Design section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

April 21st, 2004, 02:16 PM
Authorized User
Session management
Hi,
I want to redirect users to a certain page on session timeout in my ASP.NET (C# codebehind) app. The way I have done it before in other apps doesn't seem to be working anymore. Here is what I'm doing:
I set a session variable on session_start and reset it on session_end events in my global.asax.cs. On every page in the page_load event, I check for that variable, and if it is not found, then I know session timed out.
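
    // Global.asax.cs: set a marker when the session starts
    protected void Session_Start(Object sender, EventArgs e)
    {
        Session.Add("SessionOK", "OK");
    }

    // Global.asax.cs: remove the marker when the session ends
    protected void Session_End(Object sender, EventArgs e)
    {
        Session.Contents.Remove("SessionOK");
    }

in page_load:

    try
    {
        // Redirect if the marker is present but not "OK"
        if (!Session.Contents["SessionOK"].ToString().Equals("OK"))
            Response.Redirect(....);
    }
    catch
    {
        // Marker missing: the lookup above threw, so redirect
        Response.Redirect(....);
    }
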
Here is the problem: After the session timeout, if the user clicks on a control in any aspx page, the session_start is fired again!! (which reinitializes my sessionOK flag, and page_load cannot detect that timeout happened). Isn't session_start supposed to fire only once per client, at the beginning of the session?
I'm using Windows integrated security and impersonation to get access to a remote file.
Will appreciate any help.

April 21st, 2004, 02:29 PM
Friend of Wrox
Quote (originally posted by texasraven):
Isn't session_start supposed to fire only once per client, at the beginning of the session?

Yes it is, and it does. If the client's session is expired, then the first thing that happens is that ASP.NET will start a new session.
Think about the code that you wrote. You are removing an item from a session when it expires and putting an item in when it's created. How can you possibly ever see that item NOT in a session? That's like writing a program that sends you an email to tell you the email server is not working.

April 21st, 2004, 02:32 PM
Authorized User
Can you recommend a good way to check for timeout and then do a redirection?
Thanks

April 21st, 2004, 02:35 PM
Wrox Author
Yeah, and in addition to what Peter said, there is no need to remove stuff in Session_End. When the session ends, well, ... it ends, and all session variables will be destroyed.
I think the concept you're trying to apply is usually associated with a login page. Someone logs in at Login.aspx which sets the Session variable with the code Session.Add("SessionOK", "OK").
This way, the session variable *only* has a value after a valid login. When it has timed out and the user tries to access the page again, the variable will not be created and you can redirect your user to Login.aspx for example.
HtH,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.

April 21st, 2004, 02:41 PM
Friend of Wrox
And to expand on what Imar is describing, perhaps your intent is for some kind of "start page" in the application. You could apply the login concept to this as well. The only difference being that the start page sets the value automatically (without a login process). This way, you can check the session for the OK status, and if it's not there, you redirect to the start page, which sets the OK status. Then any additional page hit skips over the redirection to the start page.
Because of the nature of the session and the statelessness of web applications, it's very hard to tell when a user's session is timed out. A timed out session looks no different than a new one because a timed out session is gone when the returning user hits it. One alternative is to combine a session based status with a cookie based status. The cookie based status will be persisted throughout the client's browser session (as long as the browser is open). Then you could look and test for the existence of the cookie but the absence of the session status. This would indicate it's a user who HAS been here, but has been timed out.

April 21st, 2004, 02:48 PM
Authorized User
Sounds good. I understand the concept Imar described w/regard to login page. However, since I'm doing Windows integrated security, I don't have a login page per se. I guess I could implement similar logic in the start up page. Does that sound like a malpractice?
Thanks

April 21st, 2004, 04:42 PM
Friend of Wrox
Only if this is a medical application. ;)
The combination of a cookie and session check should do what you need in order to determine if the hit is a new user or an expired session user.
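
The cookie-plus-session check suggested in the thread, written out as an added example (it is not code from any of the posters). The class name TimeoutAwarePage, the cookie name BeenHere and the page SessionExpired.aspx are hypothetical. It assumes Session_Start no longer sets "SessionOK" and that SessionExpired.aspx derives from the plain Page class.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example: content pages inherit from this instead of System.Web.UI.Page.
public class TimeoutAwarePage : Page
{
    private const string SessionFlag = "SessionOK";            // key used in the thread
    private const string MarkerCookie = "BeenHere";            // hypothetical cookie name
    private const string TimeoutUrl = "~/SessionExpired.aspx"; // hypothetical page

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        if (Session[SessionFlag] != null)
            return; // session state is still alive

        // No flag: either a first visit or a session that timed out.
        // Set the flag now so the next request passes the check above.
        Session[SessionFlag] = "OK";

        if (Request.Cookies[MarkerCookie] != null)
        {
            // The browser has been here before, but its session state is gone.
            // The cookie is client-controlled, so it only selects which page
            // to show; identity still comes from Windows integrated security.
            // The target is a fixed URL, never taken from the request.
            Response.Redirect(ResolveUrl(TimeoutUrl)); // ends this request
        }

        // First visit from this browser: drop the marker cookie.
        HttpCookie marker = new HttpCookie(MarkerCookie, "1"); // carries no user data
        marker.HttpOnly = true;                     // .NET 2.0 and later; omit on 1.x
        marker.Secure = Request.IsSecureConnection; // HTTPS-only when served over HTTPS
        // No Expires value: the cookie lasts until the browser is closed.
        Response.Cookies.Add(marker);
    }
}
```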