Wrox Programmer Forums
| Search | Today's Posts | Mark Forums Read
ASP.NET 1.x and 2.0 Application Design Application design with ASP.NET 1.0, 1.1, and 2.0.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the ASP.NET 1.x and 2.0 Application Design section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old April 21st, 2004, 02:16 PM
Authorized User
 
Join Date: Aug 2003
Location: , , .
Posts: 45
Thanks: 0
Thanked 0 Times in 0 Posts
Default Session management

Hi,

I want to redirect users to a certain page on session timeout in my ASP.NET(C# codebehind app). The way I have done it before in other apps doesn't seem to be working anymore. Here is what I'm doing:

I set a session variable on session_start and reset it on session_end events in my global.asax.cs. On every page in the page_load event, I check for that variable, and if it is not found, then I know session timed out.

protected void Session_Start(Object sender, EventArgs e)
{ Session.Add("SessionOK", "OK");
}

protected void Session_End(Object sender, EventArgs e)
{ Session.Contents.Remove("SessionOK");
}

in page_load:

try{
 if(!Session.Contents["SessionOK"].ToString().Equals("OK"))
  response.redirect(....);
}
catch{ response.redirect(....);
}

Here is the problem: After the session timeout, if user clicks on a control in any aspx page, the session_start is fired again!! (which reinitializes my sessionOK flag, and page_load cannot detect that timeout happened). Isn't session_start suppose to fire only once per client, at the beginning of the session?

I'm using windows integrated security and impersonation to get access to a remote file.

Will appreciate any help.
 
Old April 21st, 2004, 02:29 PM
planoie's Avatar
Friend of Wrox
Points: 16,481, Level: 55
Points: 16,481, Level: 55 Points: 16,481, Level: 55 Points: 16,481, Level: 55
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Aug 2003
Location: Clifton Park, New York, USA.
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Default

Quote:
quote:Originally posted by texasraven
Isn't session_start suppose to fire only once per client, at the beginning of the session?
Yes it is, and it does. If the client's session is expired, then the first thing that happens is that ASP.net will start a new session.

Think about the code that you wrote. You are removing an item from a session when it expires and putting an item in when it's created. How can you possibly ever see that item NOT in a session? That's like writing a program that sends you an email to tell you the email server is not working.
 
Old April 21st, 2004, 02:32 PM
Authorized User
 
Join Date: Aug 2003
Location: , , .
Posts: 45
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Can you recommend a good way to check for timeout and then do a redirection?

Thanks

 
Old April 21st, 2004, 02:35 PM
Imar's Avatar
Wrox Author
Points: 70,322, Level: 100
Points: 70,322, Level: 100 Points: 70,322, Level: 100 Points: 70,322, Level: 100
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Default

Yeah, and in addition to what Peter said, there is no need to remove stuff in Session_End. When the session ends, well, ... it ends, and all session variables will be destroyed.

I think the concept you're trying to apply is usually associated with a login page. Someone logs in at Login.aspx which sets the Session variable with the code Session.Add("SessionOK", "OK").

This way, the session variable *only* has a value after a valid login. When it has times out and the user tries to access the page again, the variable will not be created and you can redirect your user to Login.aspx for example.

HtH,

Imar




---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: Allegretto non troppo - Allegro molto vivace by Mendelssohn & Bruch (Track 3 from the album: Violinkonzerte - Hoelscher)

 
Old April 21st, 2004, 02:41 PM
planoie's Avatar
Friend of Wrox
Points: 16,481, Level: 55
Points: 16,481, Level: 55 Points: 16,481, Level: 55 Points: 16,481, Level: 55
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Aug 2003
Location: Clifton Park, New York, USA.
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Default

And to expand on what Imar is describing, perhaps your intent is for some kind of "start page" in the application. You could apply the login concept to this as well. The only difference being that the start page sets the value automatically (without a login process). This way, you can check the session for the OK status, and if it's not there, you redirect to the start page, which sets the OK status. Then any additional page hit skips over the redirection to the start page.

Because of the nature of the session and the statelessness of web applications, it's very hard to tell when a user's session is timed out. A timed out session looks no different than a new one because a timed out session is gone when the returning user hits it. One alternative is to combine a session based status with a cookie based status. The cookie based status will be persisted thruout the client's browser session (as long as the browser is open). Then you could look and test for the existance of the cookie but the absence of the session status. This would indicate it's a user who HAS been here, but has been timed out.
 
Old April 21st, 2004, 02:48 PM
Authorized User
 
Join Date: Aug 2003
Location: , , .
Posts: 45
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Sounds good. I understand the concept Imar described w/regard to login page. However, since I'm doing windows integrated security, I don't have a login page per se. I guess I could implement similar logic in the start up page. Does that sound like a malpractice?

Thanks

 
Old April 21st, 2004, 04:42 PM
planoie's Avatar
Friend of Wrox
Points: 16,481, Level: 55
Points: 16,481, Level: 55 Points: 16,481, Level: 55 Points: 16,481, Level: 55
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Aug 2003
Location: Clifton Park, New York, USA.
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Default

Only if this is a medical application. ;)

The combination of a cookie and session check should do what you need in order to determine if the hit is a new user or an expired session user.




Similar Threads
Thread Thread Starter Forum Replies Last Post
Session management Gemz .NET Framework 2.0 1 October 26th, 2008 04:56 AM
Session/Timeout management KalEl Apache Tomcat 1 April 8th, 2006 04:26 AM
Session Management yohandh General .NET 2 December 12th, 2005 10:45 PM
session management G_Zola General .NET 2 June 12th, 2005 07:58 PM
Session Management ManoYaka ASP.NET 1.0 and 1.1 Professional 1 January 23rd, 2004 07:02 AM





Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.