Handle Session Timeout And Lost MemberID

[Edward Rothwell]

I have a web site where once a user has logged on I store
their MemberID in a global variable in the global.asa file.

Then in other pages I find out which member I am dealing
with by looking at this variable, ie:

<%
Private lgMemberID

lgMemberID = Session.Contents("MemberID")

%>

I then use this variable to query a database...

Sub WriteMessages()
Dim strFirstName
Dim strSurname
Dim bPhone
Dim bCard
Dim bEMail
Dim strSQL
Dim rs

strSQL = "{CALL qGetMessages (" & lgMemberID & ")}"

Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open strSQL, conn, 3, 3

Do Until rs.EOF
strFirstName = rs("ContactFirstName")
strSurname = rs("ContactSurname")
bPhone = rs("Phone")
bCard = rs("Card")
bEMail = rs("EMail")

With Response
.Write "<TR>" & vbcr
.Write "<TD width=160>" & strFirstName & " " & strSurname &
"</TD>" & vbcr
.Write "<TD align='center' width=100>"
If bPhone Then .Write "<IMG SRC='images/yes.gif' ALT='' BORDER=0>"
.Write "</TD>" & vbcr
.Write "<TD align='center' width=100>"
If bCard Then .Write "<IMG SRC='images/yes.gif' ALT='' BORDER=0>"
.Write "</TD>" & vbcr
.Write "<TD align='center' width=100>"
If bEMail Then .Write "<IMG SRC='images/yes.gif' ALT='' BORDER=0>"
.Write "</TD>" & vbcr
.Write "<TD width=23><A HREF='http://?'>Edit</A></TD>" & vbcr
.Write "<TD width=23><A HREF='http://?'>Delete</A></TD>" & vbcr
.Write "</TR>" & vbcr
End With
rs.MoveNext
Loop

rs.Close
Set rs = Nothing

End Sub


I want to know how to professionally handle the 'time-out' of the
session.
At the moment when the app. times out Session.Contents("MemberID")
equals 0.
Which means I get an error:

"ADODB.Field (0x800A0BCD)
Either BOF or EOF is True, or the current record has been deleted.
Requested operation requires a current record."

I don't really want to handle the BOF/EOF error directly as this is just
a symptom of a different problem (the time out).

Would I have to force the user to log in again?
Increase the time out?
How do other people do this??

I also don't see how appropriate it would be to increase the timeout to,
say 2 hours. When the site generates large amounts of traffic then
keeping 100s of sessions live for so long is going to eat too many
resources.

Do other people use cookies to store the memberID instead of a session
variable?
If so - what do they do about people who have cookies blocked?

 

[Egbert Nierop \(MVP for IIS\)]

I have a web site where once a user has logged on I store
their MemberID in a global variable in the global.asa file.

Then in other pages I find out which member I am dealing
with by looking at this variable, ie:

If IsEmpty(lgMemberId) Then
.... timeout
Else

Increasing the timeout might fix this but if you deal with lots of users,
you should avoid to waste lots of resources.

 

[Evertjan.]

Edward Rothwell wrote on 06 dec 2004 in
microsoft.public.inetserver.asp.general:

I have a web site where once a user has logged on I store
their MemberID in a global variable in the global.asa file.

Impossible.

Global.asa only runs on the first contact after server reset or power up.

Global.asa is done after that and all the variables die with it.

When a user logs in, Global.asa does not run again.

But when a user starts a new session, the session-onstart sub runs, and
even there, there are no persistent variables in a sub.

Perhaps you mean a application variable or a session variable?
These do not need Global.asa to run.

Evertjan.

 

[Egbert Nierop \(MVP for IIS\)]

Edward Rothwell wrote on 06 dec 2004 in
microsoft.public.inetserver.asp.general:


Impossible.

Global.asa only runs on the first contact after server reset or power up.

I think he, of course, uses Session_onStart which is the solution, but
you -never- get this event, indeed, after a login.asp page for instance.

 

[Patrice]

I don't see how you could do this in global.asa ?

IMO it could be rather done in the login page. Then when the timeout
happens, the session is no more available and the user is redirected to the
login page allowing to repopulate its member id once logged again...

Patrice

--

 

[Edward Rothwell]

Yes sorry for confusing people.
I meant a Session variable.
(I initiate it/declare it in the Session_OnStart which happens to be
declared in my global.asa)

Sub Session_OnStart
With Session
.Contents("MemberID") = 0
End With
End Sub

MemberID only gets a value when the user actually logs in.

I think Egbert perhaps has an answer.

Just wondered how others did it...

 

[Evertjan.]

Edward Rothwell wrote on 06 dec 2004 in
microsoft.public.inetserver.asp.general:

Sub Session_OnStart
With Session
.Contents("MemberID") = 0
End With
End Sub

What is the difference with:

Sub Session_OnStart
Session("MemberID") = 0
End Sub

?

===========================

This Session_OnStart use is not needed anyway.

All nonexisting seeion variables return an empty string.
Just use before you first need to read that variable:

If Session("MemberID") = "" Then Session("MemberID") = 0

 

[Sven Pernils]

You might want to create a temporary cookie on the users machine, with some
userCode, and check the cookie on every page user access. With this, you can
even have a track of the user moving around your site.
Yes it involves som coding, but in the long run it pays off.

Sven

 

[Egbert Nierop \(MVP for IIS\)]

Edward Rothwell wrote on 06 dec 2004 in
microsoft.public.inetserver.asp.general:


What is the difference with:

Session.Contents("MemberID") or Session("Contents") is the same... but
that's not the point.
He was setting the variable in global.asa and not in the login.asp page.

 

[Evertjan.]

Egbert Nierop (MVP for IIS) wrote on 08 dec 2004 in
microsoft.public.inetserver.asp.general:

Session.Contents("MemberID") or Session("Contents") is the same... but
that's not the point.

Nuts, Egbert, that was my point, perhaps not yours. Why use 5 lines of
code instead of three.

He was setting the variable in global.asa

No, Global.asa does only run with the first session after server(re)set.
So his Global.asa does not set the session variable.

and not in the login.asp page.

True, Session_OnStart runs at the first page of a new session, which
could be another page than login.asp

So in login.asp:

If Session("MemberID") = "" Then Session("MemberID") = 0
If request.form("MiD") <> "" Then
' validate numeric MiD and password here, else MiD=0
Session("MemberID") = MiD
end If
If Session("MemberID") <> 0 Then response.redirect "loggedin.asp"

%><form .... action='login.asp' ...

 

[Edward Rothwell]

OK Evertjan.

So I don't need to use Session_OnStart to initiate my session variables?

(BTW I had other variables between the With statement...just showed the
MemberID one for brevity!!)

So couldn't I just say:

Private lgMemberID

lgMemberID = ValidateUser(strUserName, stUserPassword)
If lgMemberID <> 0 Then
Session("MemberID") = lgMemberID
End If

Can I do this?
Do I not have to explicitly declare the Session variable?
If Session(MemberID) doesn't already exist (if never refered to before)
will the above code just create it and use it?

 

[Bob Barrows [MVP]]

OK Evertjan.

So I don't need to use Session_OnStart to initiate my session
variables?

(BTW I had other variables between the With statement...just showed
the MemberID one for brevity!!)

So couldn't I just say:

Private lgMemberID

lgMemberID = ValidateUser(strUserName, stUserPassword)
If lgMemberID <> 0 Then
Session("MemberID") = lgMemberID
End If

Can I do this? Yes

Do I not have to explicitly declare the Session variable? No

If Session(MemberID) doesn't already exist (if never refered to
before) will the above code just create it and use it?

Yes

Bob Barrows

 

[Evertjan.]

Edward Rothwell wrote on 08 dec 2004 in
microsoft.public.inetserver.asp.general:

Can I do this?

Better tried than asked.

Do I not have to explicitly declare the Session variable?

No, all nonexisting session variables return an empty string on reading

All session variables can be set or value changed by the same code

If Session(MemberID) doesn't already exist (if never refered to before)
will the above code just create it and use it?

Yes, but don't take my word for it, try!