What actions cause a Coldfusion session to be extended? - session

When you set up a ColdFusion session inside of a application.cfm or application.cfc file you can define a sessionTimeout like:
<cfapplication name = "appname"
sessionTimeout = #CreateTimeSpan(0, 0, 30, 0)# <!--- 30min timeout --->
sessionManagement = "yes">
I think that a ColdFusion session is 'extended' or 'renewed' every time:
The user navigates to a new ColdFusion Template (a .cfm file)
The user refreshes a Coldfusion Template (a .cfm file)
The user accesses a ColdFusion Component (a .cfc file) in any way, including via ajax calls that run a cffunction in the .cfc file.
In other words, if a user performs any of the actions above (assuming the sessionTimeout is 30 minutes like in the above example) the session will expire 30 minutes from when the action was performed--essentially 'extending' the life of the session to the value of sessionTimeout each time the user performs one of those actions.
Does this understanding sound correct? Are there any actions that 'extend' a ColdFusion session that I'm missing? Do the ones I listed actually behave how I think they behave and 'extend' the session?

Something similar was asked here: Can we renew session in Coldfusion?
What Alex says is true. There is a way of maintaining a session without cookies if you look at the docs. Check out the section Using client and session variables without cookies.
The only other way I can think of extending a session without user intervention would be if you can find the session through SessionTracker. Here's a nice post about it: Advanced ColdFusion Session Management.
In fact, in the comments, it says that if you access the sessions through the built-in java methods, you might extend them:
You might want to note that as soon as you access any sessions through
those methods, you'll update the "lastAccessed" timestamp.

Related

Why Does Session Abandon Not Work?

I have following code
cx5_login.asp
Session("Login") = "demo"
cx5_logout.asp :
Session("Login") = ""
Session.Abandon
response.redirect "c5x_login.asp?C5xName=Login"
I want to know if Session.Abandon will remove Session("Login")?
Currenly, I am check for Session("Login") to determinate if the user is login or not.
But it doesn't work.
Scenario:
User login
User logout
I print value from Session("Login") and it's still have value.
I have called Session.Abandon but why Session("Login") still have value?
Is it related with ASPSESSIONID cookie?
I try to remove that cookie manually and it's work.
Any explanation for this?
What Neel say's isn't wrong but it isn't right either, the problem is and constantly tends to be either question askers or people answering confusing Classic ASP with ASP.Net.
If your question is Classic ASP related then when talking about the Session object you need to consider the following.
Session.Abandon() should be used to completely dispose a session including the Session.SessionID.
But there is a cavert;
Quote from the MSDN Library - Session.Abandon()
"When the Abandon method is called, the current Session object is queued for deletion but is not actually deleted until all of the script commands on the current page have been processed. This means that you can access variables stored in the Session object on the same page as the call to the Abandon method but not in any subsequent Web pages."
This means that within the context of the current page your Session is still available, it isn't until you move on to another page that the Session object is actually disposed.
If you don't redirect after your log out page your Session will still be accessible but rest assured that any attempt to access it after leaving that page will fail.
As a test don't automatically redirect after logout but give the users a link to press and see if you get the same behaviour.

Longterm usage & conflict of Session / TempData

I've an MVC3 web app which uses the default "in process" session. I've the PRG pattern in place - that is while postback if my modelstate is invalid I store the model in TempData and redirect to the original get action. In the get action I fetch the model data (if it exists) and send to the view. I believe this is one of the basic aspects of MVC.
I've learned that TempData in background is a session variable which
is used in the PRG transition. What I need to know is whether it is
possible to have a conflict or cross refrencing - if I use something
like TempData["model"] in two pages and access the pages
simultaneously. Would that overwrite the common data in
TempData["model"] or is it safe if I use the same tempdata names in
two different pages.
And does it conflict with Session["model"] kind of data? I'm facing some unexpected session data corruption - possibly due to my internal code that resets the session data or something else. Is it possible that session data can corrupt partially? I mean Session["data1"] is ok but Session["data2"] is gone?
My users often use the web app for a long duration causing session timeout. I tried for the ASP.Net session state service for session but that caused performance issues because I store some heavy objects (via serialization) in session. So finally I was back to the original default in proces mode.
Pls share if you've had any similar experiences.
TempData by default uses SessionState and access to SessionState is by default exclusive. So, if you do two concurrent reuquests, one will have to wait for the other to release the SessionState lock.
TempData does not interfere with using SessionState directly.
As SessionState by default uses in-proc, it can be invalidated almost anytime.
You might want to have a look at http://brockallen.com/2012/06/11/cookie-based-tempdata-provider/

When copy the url from one browser to another browser my session data are not coming in asp.net MVC3

When i copy the URL from one browser to paste it in another browser my session data not retrieved it shows "Object reference not set to an instance of an object".
(Please note - this answer assumes you are not already using cookieless sessions)
The way sessions work in ASP.NET is that when you first access a site, a cookie-file is placed in your browsers cookie-store. The cookie contains a session ID, so the next time you access that site from that browser the ID is passed to the web-application and it knows which session-state to load.
However, each browser implements it's own cookie-store, so switching browsers means the site cannot determine your session ID.
One way to get around this is to use cookieless sessions. However, these have a number of issues relating to usability and security, so think long and hard before deciding they are for you.
Another option is to tie together your authorization and session systems. However, this is not generally recommended either.
You will not be able to access session values across multiple browsers.
Also, you should check if the value exists in Session to avoid Server Error.
if(Session["Key"] != null)
{
//Write your code here
}
else
{
//Alternative code (redirection code)
}

Is there a better way than using session variables to access an object anywhere in an application?

I am working with ASP.NET MVC 3.0. I have a page with an action link that makes appear a window in which you can adjust a certain value. Once the new value is sent to the database, an extern application deals with the value and send the result back to that database. I want the action link to be disabled while the extern application is doing her job. The page I am working on is refreshing automatically with some AJAX calls. The date when the extern application finished her last adjustment on a value is kept in the database. I first thought I could use session variables to store the date time of when the action link was pressed (because I need it through all the application) and then enable the action link when the adjust time is greater than the time when the action link was pressed, but I heard it was bad practices. Does someone have another solution?
Since you are already using the database - query the database to check the current status. If your application is restarted - a session value would be lost unless you are using a state server (ie sql server) to manage state- unless you don't care if its lost upon restart. You can use session and save yourself database calls - but the database is a bit cleaner and doesn't suffer from the same issue. If you do end up using the session, don't spread that session value all over your code, simply have a single method that reads or sets it (same with the db solution as well)

Session not ending in ASP.NET

I have created an asp.net application in which i have used global.asax. I have created a static class which stores user information such as LoginID, CompanyID etc using properties. A property IsLoggedIn indicates whether user logged in or not. I have created a method ResetAll() within the same class to reset those properties.
The problem is that if the user directly closes the browser window without logging off the property values are not resetted. Therefore if the user opens a new browser window, the user is logged in automatically. I have also called ResetAll() within from Session_End() but still it is not working. Could someone explain me whats wrong with that or simply how to reset the property values if the user directly closes the browser window.
If I am reading this correctly and you have a class with static members, then you are going to run into issues. With an ASP.NET web app, static members are static for the entire AppDomain, not just for an individual user, so the values would be the same no matter where the request has come from.
It sounds like what you really need to think about doing is storing an instance of the user information class in the session. That way the information is specific to that particular user. Also, that should solve your issue as the session cookie is normally removed when the browser window is closed, forcing a new session when the browser window is re-opened.
So something like:
Dim thisUser As New UserInformation()
thisUser.LoginID = someValue
Session("UserInformation") = thisUser
You cannot make the class static. Worse than keeping the user logged in across sessions is the fact you cannot have multiple users in your system. They will all share the same login information. You should read about static.
What you want is to store an instance of that class in the session and access it whenever you need.

Resources