Killing off my sessions

[Rob Meade]

Hi all,

Having created a secure login, and then create session variables to detect
wether or not a user is logged in - I would now like to be able to off a log
out page!

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its own - is
this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob

 

[Alvin Bruney [MVP]]

Session clear or removeall is your best bet

 

[Rob Meade]

...

Session clear or removeall is your best bet

Hello Alvin,

Not that I dont believe you - but can you tell me why these are better than
session.abandon (just so that I have a better understanding etc)...

My need is to get rid of the session asap when the logout.aspx page loads -
so I was dumping the code into the page_load event.

Any further help is appreciated,

Regards

Rob

 

[DalePres]

I think Session.Abandon() is the best choice. The other two - Clear() and
RemoveAll() delete all session values but to not terminate the session.
Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
ever be able to access those values whether or not you call Clear() or
RemoveAll().

The only one needed is Session.Abandon().

Dale

Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b

Hi all,

Having created a secure login, and then create session variables to detect
wether or not a user is logged in - I would now like to be able to off a log
out page!

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its own - is
this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob

 

[Cowboy \(Gregory A. Beamer\)]

Abandon() kills the session, so it should be adequate for killing the
session. RemoveAll() will clear out the session values without killing the
session. Clear() does the same thing.

I think the reasoning for the other methods is to force the user out when
they hit the back button. It does not work if they are running under cached
pages anyway, so it is largely an exercise in futility.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************

 

[Patrick]

session.abandon() does fire the session_end event in global.asax - clear(),
remove() does not.

so go for session.abandon()

regards
pat

I think Session.Abandon() is the best choice. The other two - Clear() and
RemoveAll() delete all session values but to not terminate the session.
Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
ever be able to access those values whether or not you call Clear() or
RemoveAll().

The only one needed is Session.Abandon().

Dale

Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b

Hi all,

Having created a secure login, and then create session variables to detect
wether or not a user is logged in - I would now like to be able to off

a
log

out page!

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its

own -
is

this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob

 

[Alvin Bruney [MVP]]

This is not correct, please see my earlier post for an explanation on why it
isn't so.

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b

session.abandon() does fire the session_end event in global.asax - clear(),
remove() does not.

so go for session.abandon()

regards
pat

I think Session.Abandon() is the best choice. The other two - Clear() and
RemoveAll() delete all session values but to not terminate the session.
Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
ever be able to access those values whether or not you call Clear() or
RemoveAll().

The only one needed is Session.Abandon().

Dale

Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b
Hi all,

Having created a secure login, and then create session variables to detect
wether or not a user is logged in - I would now like to be able to

off

a

 

[Alvin Bruney [MVP]]

This article may help clear up some of your answers.
http://www.devdex.com/gurus/articles/746.asp

 

[Alvin Bruney [MVP]]

Once you call Session.Abandon(), neither you, ASP.Net, nor the client
will

ever be able to access those values whether or not you call Clear() or
RemoveAll().

This is not technically accurate. It is possible to access session objects
even after session abandon is called. Page execution would have to totally
cease before your statement would be technically correct. The reason why I
suggested clear or removeall is because in most circumstances it would work.
Consider this: most security code cleanup is usually placed in the session
end event with a strong dependence on the uniqueness of the session id. In
this scenario, calling session abandon will lead to an application which is
not well behaved since session end isn't guaranteed to be called even in
InProc mode.

The literature on this is equally confusing as well but it's rather trivial
to write code to demonstrate this. It doesn't help also that the MSDN help
on session abandon is not accurate as well. There's a lot going on, enough
to be very cautious about giving a clear cut answer. In a nutshell, it
really depends on how your code is structured and what you want to
accomplish. If you want to clear the dictionary, any method will do equally
well. If what you are after is tracking sessions/logins/id's you have to be
very careful with which method you select.


--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b

I think Session.Abandon() is the best choice. The other two - Clear() and
RemoveAll() delete all session values but to not terminate the session.
Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
ever be able to access those values whether or not you call Clear() or
RemoveAll().

The only one needed is Session.Abandon().

Dale

Session clear or removeall is your best bet

--
Regards,
Alvin Bruney [ASP.NET MVP]
Got tidbits? Get it here...
http://tinyurl.com/3he3b

Hi all,

Having created a secure login, and then create session variables to detect
wether or not a user is logged in - I would now like to be able to off

a
log

out page!

I have found the following three in the intelli-help stuff :

Session.Abandon()
Session.Clear()
Session.RemoveAll()

In vanilla ASP I'd have used Session.Abandon - and probably on its

own -
is

this still ok/good enough - should I use the lot?
Any info would be appreciated please.

Regards
Rob

 

[Rob Meade]

...

It does not work if they are running under cached
pages anyway, so it is largely an exercise in futility.

Do you mean regardless of which of the above I use it'll make no difference
if their pages are cached?

In which case, should I also be adding the no cache stuff to the top of the
page (headers?) like I think I once did in ASP?

Regards

Rob

 

[Rob Meade]

...

This article may help clear up some of your answers.
http://www.devdex.com/gurus/articles/746.asp

Thanks for the reply+link - off to have a looky now.

Regards

Rob

 

[Rob Meade]

...

This article may help clear up some of your answers.
http://www.devdex.com/gurus/articles/746.asp

Hi Alvin,

I have just read that article, thank you, however I am not using the
session_end event - so does this apply? ie, I have no code in the
global.asax session_end - all I want to do is on the logout.aspx page dump
everything at that stage.

I am currently using all three methods - ie, still the same since posting
this yesterday, when I click on the logout button I get redirected to the
logout page, this then uses all three methods, and some text saying you've
been logged out is displayed.

I tested this this morning by then changing the URL at the top of the page
to a page that if the session was still alive should have let me in, instead
it redirected me to the login page.

Aside from swapping these around and testing each in turn to see if one or
more gives me the result I want (which I currently have with all 3) any
ideas on which I should be using?

Not sure how to test the cached pages stuff that was mentioned yesterday -
is that simply the browser settings for caching (ie, dont get a new page
ever) or something else I'd need to change.

Regards

Rob

 

[Cowboy \(Gregory A. Beamer\)]

Thank you for pointing out the confusion. I was not even thinking about
server cache at the time. I was focusing on the client cache from the user's
browser. When a user has IE set to cache pages, they can hit the back button
and scroll back through the pages in their cache. You can avoid this by
timing out the pages, but then it gives you the ugly "page no longer valid"
message (better than allowing them to hit a page after a session end).

The caching option on the server side is a different creature. Using the
default caching does not affect Session timing out, abandon, et al. I was
focused solely on the client side cache.



--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************

 

[Ravichandran J.V.]

Session.Abandon() is your best bet.

with regards,


J.V.Ravichandran
- http://www.geocities.com/
jvravichandran
- http://www.411asp.net/func/search?
qry=Ravichandran+J.V.&cob=aspnetpro
- http://www.southasianoutlook.com
- http://www.MSDNAA.Net
- http://www.csharphelp.com
- http://www.poetry.com/Publications/
display.asp?ID=P3966388&BN=999&PN=2
- Or, just search on "J.V.Ravichandran"
at http://www.Google.com

 

[Rob Meade]

...

You can avoid this by timing out the pages,

using...

I think we used to use stuff like adding headers to the page in regular
ASP - same in .net?

but then it gives you the ugly "page no longer valid"
message (better than allowing them to hit a page after a session end).

Anyway to replace that page with one of my own? Or is that controlled via
the servers custom error pages etc?