Why Does Session Abandon Not Work? - session

I have the following code:
cx5_login.asp
Session("Login") = "demo"
cx5_logout.asp :
Session("Login") = ""
Session.Abandon
response.redirect "c5x_login.asp?C5xName=Login"
I want to know if Session.Abandon will remove Session("Login")?
Currently, I am checking Session("Login") to determine whether the user is logged in or not.
But it doesn't work.
Scenario:
User login
User logout
I print the value of Session("Login") and it still has a value.
I have called Session.Abandon, so why does Session("Login") still have a value?
Is it related to the ASPSESSIONID cookie?
I tried removing that cookie manually and it works.
Any explanation for this?

What Neel says isn't wrong, but it isn't right either; the problem is, and constantly tends to be, either question askers or people answering confusing Classic ASP with ASP.Net.
If your question is Classic ASP related then when talking about the Session object you need to consider the following.
Session.Abandon() should be used to completely dispose of a session, including the Session.SessionID.
But there is a caveat:
Quote from the MSDN Library - Session.Abandon()
"When the Abandon method is called, the current Session object is queued for deletion but is not actually deleted until all of the script commands on the current page have been processed. This means that you can access variables stored in the Session object on the same page as the call to the Abandon method but not in any subsequent Web pages."
This means that within the context of the current page your Session is still available, it isn't until you move on to another page that the Session object is actually disposed.
If you don't redirect after your log out page your Session will still be accessible but rest assured that any attempt to access it after leaving that page will fail.
As a test don't automatically redirect after logout but give the users a link to press and see if you get the same behaviour.

Related

What actions cause a ColdFusion session to be extended?

When you set up a ColdFusion session inside of an application.cfm or application.cfc file you can define a sessionTimeout like:
<cfapplication name = "appname"
sessionTimeout = #CreateTimeSpan(0, 0, 30, 0)# <!--- 30min timeout --->
sessionManagement = "yes">
I think that a ColdFusion session is 'extended' or 'renewed' every time:
The user navigates to a new ColdFusion Template (a .cfm file)
The user refreshes a ColdFusion Template (a .cfm file)
The user accesses a ColdFusion Component (a .cfc file) in any way, including via ajax calls that run a cffunction in the .cfc file.
In other words, if a user performs any of the actions above (assuming the sessionTimeout is 30 minutes like in the above example) the session will expire 30 minutes from when the action was performed--essentially 'extending' the life of the session to the value of sessionTimeout each time the user performs one of those actions.
Does this understanding sound correct? Are there any actions that 'extend' a ColdFusion session that I'm missing? Do the ones I listed actually behave how I think they behave and 'extend' the session?
Something similar was asked here: Can we renew session in Coldfusion?
What Alex says is true. There is a way of maintaining a session without cookies if you look at the docs. Check out the section Using client and session variables without cookies.
The only other way I can think of extending a session without user intervention would be if you can find the session through SessionTracker. Here's a nice post about it: Advanced ColdFusion Session Management.
In fact, in the comments, it says that if you access the sessions through the built-in java methods, you might extend them:
You might want to note that as soon as you access any sessions through
those methods, you'll update the "lastAccessed" timestamp.

When copy the url from one browser to another browser my session data are not coming in asp.net MVC3

When I copy the URL from one browser and paste it into another browser, my session data is not retrieved; it shows "Object reference not set to an instance of an object".
(Please note - this answer assumes you are not already using cookieless sessions)
The way sessions work in ASP.NET is that when you first access a site, a cookie-file is placed in your browser's cookie-store. The cookie contains a session ID, so the next time you access that site from that browser the ID is passed to the web-application and it knows which session-state to load.
However, each browser implements its own cookie-store, so switching browsers means the site cannot determine your session ID.
One way to get around this is to use cookieless sessions. However, these have a number of issues relating to usability and security, so think long and hard before deciding they are for you.
Another option is to tie together your authorization and session systems. However, this is not generally recommended either.
You will not be able to access session values across multiple browsers.
Also, you should check if the value exists in Session to avoid Server Error.
if(Session["Key"] != null)
{
//Write your code here
}
else
{
//Alternative code (redirection code)
}

Is there a better way than using session variables to access an object anywhere in an application?

I am working with ASP.NET MVC 3.0. I have a page with an action link that opens a window in which you can adjust a certain value. Once the new value is sent to the database, an external application deals with the value and sends the result back to that database. I want the action link to be disabled while the external application is doing its job. The page I am working on refreshes automatically with some AJAX calls. The date when the external application finished its last adjustment on a value is kept in the database. I first thought I could use session variables to store the date and time when the action link was pressed (because I need it throughout the application) and then enable the action link when the adjust time is greater than the time when the action link was pressed, but I heard it was bad practice. Does someone have another solution?
Since you are already using the database - query the database to check the current status. If your application is restarted - a session value would be lost unless you are using a state server (i.e. SQL Server) to manage state - unless you don't care if it's lost upon restart. You can use session and save yourself database calls - but the database is a bit cleaner and doesn't suffer from the same issue. If you do end up using the session, don't spread that session value all over your code, simply have a single method that reads or sets it (same with the db solution as well).

In CakePHP 1.3 is there any advantage of using $this->Controller->Session over $this->Session in a component?

I'm using a modified version of Felix Geisendörfer's SimpleAuth/SimpleAcl components that I've combined into a single Component, Simple_Authable.
I changed his startup() function to initialize() to not clutter the beforeFilter function in my app_controller.
One of the things that this component does is check who the active user is and if that user can't be found it either looks him up based on the primary User.id or uses 'guest'. Either way, the component uses $this->Controller->Session->write() to save the active user or guest information.
I'm also using Felix's Authsome plugin instead of the default CakePHP Auth component.
When I'm logging in, the active user is guest, obviously.
After I've submitted the form, the active user is still guest because the component's initialize() function is firing before everything else. Then, the Authsome plugin comes into play and validates my user as "root" and also calls $this->SimpleAuthable->setActiveUser($id, true); to force SimpleAuthable to update the active user information it is storing via $this->Controller->Session; Then I am redirected and my simple Session information and DebugKit's Session tab reflect that I am indeed the root user.
However, when I try to navigate to an 'admin' page, let's say /admin/users/index, lo and behold SimpleAuthable thinks I'm still a 'guest' user because when it performs a $this->Controller->Session->read() call to the key holding my user id, it is getting an empty response, i.e., the data stored on the previous page didn't persist.
Maybe there is something funky happening between Authsome & SimpleAuthable, but things look pretty straightforward and to my mind, $this->Controller->Session should be saving and persisting the data written to it.
So, I'm looking at refactoring all the calls to $this->Controller->Session and replacing them with $this->Session but first I wanted to throw this out to the community and see if anybody has seen anything similar and if so how did they resolve it.
Sincerely,
Christopher.
I found the problem... I'm also using Joshua McNeese's Permissionable plugin and I needed to disable it for the $this->Controller->{$this->userModel}->findById($id); in my SimpleAuthable component when I try to look up the current active user.
Note to self: I would have caught this faster if I had some unit testing in place :(.

Session not ending in ASP.NET

I have created an ASP.NET application in which I have used global.asax. I have created a static class which stores user information such as LoginID, CompanyID etc. using properties. A property IsLoggedIn indicates whether the user is logged in or not. I have created a method ResetAll() within the same class to reset those properties.
The problem is that if the user directly closes the browser window without logging off, the property values are not reset. Therefore if the user opens a new browser window, the user is logged in automatically. I have also called ResetAll() from within Session_End() but it is still not working. Could someone explain to me what's wrong with that, or simply how to reset the property values if the user directly closes the browser window?
If I am reading this correctly and you have a class with static members, then you are going to run into issues. With an ASP.NET web app, static members are static for the entire AppDomain, not just for an individual user, so the values would be the same no matter where the request has come from.
It sounds like what you really need to think about doing is storing an instance of the user information class in the session. That way the information is specific to that particular user. Also, that should solve your issue as the session cookie is normally removed when the browser window is closed, forcing a new session when the browser window is re-opened.
So something like:
Dim thisUser As New UserInformation()
thisUser.LoginID = someValue
Session("UserInformation") = thisUser
You cannot make the class static. Worse than keeping the user logged in across sessions is the fact you cannot have multiple users in your system. They will all share the same login information. You should read about static.
What you want is to store an instance of that class in the session and access it whenever you need.
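
The shared-state problem both answers describe, as an added example (not code from the original posts): a console program in which a dictionary keyed by session ID stands in for ASP.NET session state. The class and property names mirror the question; the session IDs, `SessionFor` and the `Demo.IsLoggedIn` helper are constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Anti-pattern from the question: static fields exist once per AppDomain,
// so every request from every browser reads and writes the same values.
static class StaticUserInfo
{
    public static string LoginID;
    public static bool IsLoggedIn;
}

// Per-user alternative: an instance stored under that user's session ID.
class UserInformation
{
    public string LoginID;
    public bool IsLoggedIn;
}

static class Demo
{
    // Constructed stand-in for ASP.NET session state: session ID -> items.
    static readonly Dictionary<string, Dictionary<string, object>> Sessions =
        new Dictionary<string, Dictionary<string, object>>();

    static Dictionary<string, object> SessionFor(string id)
    {
        if (!Sessions.ContainsKey(id)) Sessions[id] = new Dictionary<string, object>();
        return Sessions[id];
    }

    static bool IsLoggedIn(string id)
    {
        // Null-safe read: a browser with a fresh session ID has no entry yet.
        object value;
        SessionFor(id).TryGetValue("UserInformation", out value);
        var user = value as UserInformation;
        return user != null && user.IsLoggedIn;
    }

    static void Main()
    {
        // Browser A (constructed session ID "sess-A") logs in.
        StaticUserInfo.LoginID = "alice";
        StaticUserInfo.IsLoggedIn = true;
        SessionFor("sess-A")["UserInformation"] =
            new UserInformation { LoginID = "alice", IsLoggedIn = true };

        // Browser B has its own session ID and never logged in.
        Console.WriteLine("static, seen by B:      " + StaticUserInfo.IsLoggedIn);
        Console.WriteLine("per-session, seen by B: " + IsLoggedIn("sess-B"));
        Console.WriteLine("per-session, seen by A: " + IsLoggedIn("sess-A"));
    }
}
```

The static flag reads True for browser B even though only browser A logged in, while the per-session lookup reads False for B and True for A.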
