That has to do with how your application handles cookies. I don't know about forcing the master session to expire; I've had a lot of problems specifically expiring sessions in C#. Manipulating the master session has been highly unreliable, so here's how "I" do it.
When I create a session, I don't want to store any user information; the more user info you stick there, the more information is stuffed into the cookie, decreasing application performance and storing valuable information (valuable enough that you wanted to have it in the session) in a terribly insecure location. Therefore, I store only a custom id number (and a checksum) in the master session. This effectively creates my own custom session using the master session as machinery to make it work. Then I can work sessions like this.
I. When someone logs in I store a new session id in my custom session and in the user record of the database. I also add my expiration time to the current timestamp and store the expiration time in the user record as well.
II. When someone arrives at a page, I check to see if they have my custom session id stored in the session. If they don't, they're not logged in. If they do, I hit the database and find the user record for that session id; this lets me identify the user. I can simultaneously pull any user information I need to customize the page at the same time; the user data are the fields I request in the SELECT statement and the session id is the WHERE clause that specifies the record I want.
One of the items I always grab is the expiration timestamp. I compare that to the current time which allows me to manually expire the session and I also evaluate the checksum to determine if someone has manipulated the session data. If either is not kosher I execute an UPDATE that erases the session id and resets the timestamp to wipe out that invalid session. If everything is OK, then I have a valid user who is logged in and I execute the application logic to customize the page for them.
III. If someone logs out, I execute the same UPDATE statement to invalidate the session.
__________________
-------------------------
Whatever you can do or dream you can, begin it. Boldness has genius, power and magic in it. Begin it now.
-Johann von Goethe
When Two Hearts Race... Both Win.
-Dove Chocolate Wrapper
Chroniclemaster1, Founder of www.EarthChronicle.com
A Growing History of our Planet, by our Planet, for our Planet.
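Steps I to III from the post above, as an added example that is not part of the original post. It is written in Python with an in-memory SQLite table standing in for the application's user table; the table layout, the function names, the 30-minute lifetime and the use of HMAC-SHA256 as the "checksum" are all assumptions.

```python
import hashlib, hmac, secrets, sqlite3, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server
TTL = 30 * 60                         # assumption: session lifetime in seconds

def checksum(sid):
    # Keyed checksum, so a client cannot recompute it for a session id it made up.
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, session_id TEXT, expires_at REAL)")
    db.execute("INSERT INTO users (name) VALUES ('alice')")  # constructed sample user
    return db

def invalidate(db, sid):
    # The single UPDATE reused for expiry, tampering and logout.
    db.execute("UPDATE users SET session_id = NULL, expires_at = NULL "
               "WHERE session_id = ?", (sid,))

def login(db, name, now=None):
    # Step I: new random id plus expiry go into the user record.
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    db.execute("UPDATE users SET session_id = ?, expires_at = ? WHERE name = ?",
               (sid, now + TTL, name))
    return {"sid": sid, "check": checksum(sid)}  # all that is kept in the master session

def current_user(db, session, now=None):
    # Step II: returns the user name, or None when the visitor is not logged in.
    now = time.time() if now is None else now
    sid, check = session.get("sid"), session.get("check")
    if not sid or not check:
        return None
    if not hmac.compare_digest(check.encode(), checksum(sid).encode()):
        invalidate(db, sid)  # manipulated session data: wipe it
        return None
    row = db.execute("SELECT name, expires_at FROM users WHERE session_id = ?",
                     (sid,)).fetchone()
    if row is None:
        return None
    if now >= row[1]:
        invalidate(db, sid)  # manual expiry
        return None
    return row[0]

def logout(db, session):
    # Step III: same UPDATE as above.
    if session.get("sid"):
        invalidate(db, session["sid"])
```

Because the expiry lives in the database row, it is enforced server-side no matter how long the cookie itself survives.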