Session or not

  • Thread starter Thread starter Morten Snedker
  • Start date Start date
M

Morten Snedker

1,000 users log in for entering data.

Which is the best way to clean up after each user? How do I end a
session properly when an explicit logout is not an option?

If the user just closes the browser will my IIS clean up
automatically, or ought I to do something explicit?

If no Session Timeout is set, is the session then infinite?

As you may see, I'm somewhat confused. :-)

Regards /Snedker
 
Which is the best way to clean up after each user? How do I end a
session properly when an explicit logout is not an option?
Click to expand...

If you want code to run then add it to the Session_End event in the
global.asax file.
If the user just closes the browser will my IIS clean up
automatically, or ought I to do something explicit?
Click to expand...

After the session timeout, IIS will destroy the session for you and call the
Session_End event.
If no Session Timeout is set, is the session then infinite?
Click to expand...

No, there is always a timeout. Think it defaults to 20 mins if you don't
change it.
 
Yep. That about sums it up.

Just a silly point for completion. You can set the Session never to time
out: but that would be a bit daft in my view.

You might also want to ensure that the Session Timeout and any Authorisation
Cookie timeout are set to the same value. By default, one of them is 20
mins, and the other is 10 IIRC, which doesn't make a lot of sense to me.

HTH

Peter
 
If the user just closes the browser will my IIS clean up
automatically, or ought I to do something explicit?
Click to expand...

Just to add to what Aidy and Peter have said, your webserver and all its
running software (IIS, ASP.NET etc) has no way of knowing if the user has
closed their browser, or has left your site...

You can try using JavaScript in the window.onunload event of your webpages,
but this is highly unreliable...
 
its common to want sessions to last days (think of a shopping cart or
wish lists). but authenication should timeout quicker.

note: only the inproc session manager fires the Session_End, which
should not be used for large production sites unless it just used for
caching (can recreate data if session lost).

-- bruce (sqlwork.com)
 
Ah yes. Good point. It just shows how ones mind can run on rails and fail
to see what's on the other tracks.

OK. That's enough for that metaphor, but thanks again for broadening my
horizons. Nice one.


Peter
 
Yes. The most reliable way, of course, if you're using Forms
Authentication, is to use FormsAuthentication.SignOut.

Won't work if someone just closes their browser, of course, but it should
be used anywhere there's any kind of event that can be handled - even if
it's only Session_End.

:)

Peter
 
Back
Top