jjw wrote on 31 aug 2006 in microsoft.public.inetserver.asp.general:
Evertjan. said:
Ray Costanzo [MVP] wrote on 29 aug 2006 in
microsoft.public.inetserver.asp.general:
The only feasible way to do this would be to kick everyone out by
restarting the app and killing all the sessions. Something else to
look into is storing the login status in a database instead of using
sessions.
Start each user page with:

    if application("killAll") = "do" then session.abandon:response.end

kill.asp [only with password]:

    application("killAll") = "do"

unkill.asp [when used after the session timeout time]:

    application("killAll") = "notSo"

Would this work?
Thanks for your reply. That would work, and I kinda thought of
something like that, but your way implements it a bit better. Anyway,
the only bad part is I'd have to add it to each and every page, but
that's probably what I'll be doing.
There is a minor(!) problem with this:
If a user "refreshes" the session by calling a non-asp file,
like .jpg, .pdf, .html, repeatedly, I suppose that session could
be left intact when running unkill after > 20 minutes.
If this flaw bothers you,
perhaps you would have to use an incrementing "killLevel" number:
Start each user page with:

    if session("killall") = "" then
        session("killall") = application("killAll")
    end if
    if application("killAll") > session("killall") then
        session.abandon
        response.end
    end if

This will set to self-kill all sessions
that are "old" when you increase this killall level with:

kill.asp [only with password]:

    application("killAll") = application("killAll") + 1

and in global.asa application onstart:

    application("killall") = 0

[no unkill in this scheme]
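
The two schemes from this thread, modelled in Python as an added example that is not part of any post above; class and method names are hypothetical and session timeouts are not modelled. It shows that the flag scheme only ends sessions that request a checked page while the flag is set, whereas the level scheme ends an old session whenever it next requests one.

```python
# Constructed model of the thread's two ASP schemes; all names are hypothetical.

class FlagScheme:
    """application("killAll") is "do" or "notSo"; every page checks it."""
    def __init__(self):
        self.flag = "notSo"
        self.sessions = set()
    def login(self, sid):
        self.sessions.add(sid)
    def kill(self):
        self.flag = "do"
    def unkill(self):
        self.flag = "notSo"
    def request(self, sid):
        """True if the page is served, False if the session is gone."""
        if sid not in self.sessions:
            return False
        if self.flag == "do":
            self.sessions.discard(sid)      # session.abandon
            return False                    # response.end
        return True

class LevelScheme:
    """application("killAll") is a counter; a session remembers the level it saw."""
    def __init__(self):
        self.level = 0                      # global.asa, application onstart
        self.sessions = {}                  # sid -> stamped level (None = not yet)
    def login(self, sid):
        self.sessions[sid] = None
    def kill(self):
        self.level += 1
    def request(self, sid):
        if sid not in self.sessions:
            return False
        if self.sessions[sid] is None:      # session("killall") = ""
            self.sessions[sid] = self.level
        if self.level > self.sessions[sid]:
            del self.sessions[sid]          # session.abandon
            return False                    # response.end
        return True

def idle_session_survives(scheme):
    """A session sits idle during the kill and only then requests a page."""
    scheme.login("old")
    scheme.request("old")                   # served; stamped under LevelScheme
    scheme.kill()
    if isinstance(scheme, FlagScheme):
        scheme.unkill()                     # assumption: run before "old" timed out
    return scheme.request("old")
```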