Session or not

M

Morten Snedker

1,000 users log in for entering data.

Which is the best way to clean up after each user? How do I end a
session properly when an explicit logout is not an option?

If the user just closes the browser will my IIS clean up
automatically, or ought I to do something explicit?

If no Session Timeout is set, is the session then infinite?

As you may see, I'm somewhat confused. :)

Regards /Snedker
 
A

Aidy

Which is the best way to clean up after each user? How do I end a
session properly when an explicit logout is not an option?
Click to expand...

If you want code to run then add it to the Session_End event in the
global.asax file.
If the user just closes the browser will my IIS clean up
automatically, or ought I to do something explicit?
Click to expand...

After the session timeout, IIS will destroy the session for you and call the
Session_End event.
If no Session Timeout is set, is the session then infinite?
Click to expand...

No, there is always a timeout. Think it defaults to 20 mins if you don't
change it.
 
P

Peter Bradley

Yep. That about sums it up.

Just a silly point for completion. You can set the Session never to time
out: but that would be a bit daft in my view.

You might also want to ensure that the Session Timeout and any Authorisation
Cookie timeout are set to the same value. By default, one of them is 20
mins, and the other is 10 IIRC, which doesn't make a lot of sense to me.

HTH

Peter
 
M

Mark Rae

If the user just closes the browser will my IIS clean up
automatically, or ought I to do something explicit?
Click to expand...

Just to add to what Aidy and Peter have said, your webserver and all its
running software (IIS, ASP.NET etc) has no way of knowing if the user has
closed their browser, or has left your site...

You can try using JavaScript in the window.onunload event of your webpages,
but this is highly unreliable...
 
B

bruce barker

its common to want sessions to last days (think of a shopping cart or
wish lists). but authenication should timeout quicker.

note: only the inproc session manager fires the Session_End, which
should not be used for large production sites unless it just used for
caching (can recreate data if session lost).

-- bruce (sqlwork.com)
 
P

Peter Bradley

Ah yes. Good point. It just shows how ones mind can run on rails and fail
to see what's on the other tracks.

OK. That's enough for that metaphor, but thanks again for broadening my
horizons. Nice one.


Peter
 
P

Peter Bradley

Yes. The most reliable way, of course, if you're using Forms
Authentication, is to use FormsAuthentication.SignOut.

Won't work if someone just closes their browser, of course, but it should
be used anywhere there's any kind of event that can be handled - even if
it's only Session_End.

:)

Peter
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Am I admin or not? 0
Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples. 2
Session Timeout Detection and Continue Session if Needed - Best Method ? 2
Use Session or not? 1
ASP.NET Session does not expire 0
infinite session timeout 8
Session Problems 2
Session Timeout Security Risk? 2

Members online

Total: 284 (members: 2, guests: 282)
Robots: 546

Forum statistics

Threads
474,252
Messages
2,571,267
Members
47,907
Latest member
Ahmed70S0

Latest Threads

Top