I want to invalidate a session completely:
delete the session on the application server
reset the session ID on the web adapter
Question: What is the best way to do this?
My current idea is to delete the sid cookie and use the SessionMgrImpl:removeSession and SessionMgrImpl:removeSessionState methods to get rid of the old session data.
Update
Of course you don't want to delete the sid since there might be other sessions on the server which needs to stay active like a back office session. So resetting the webadapter session is not a good idea.
Yes, SessionMgrImpl:removeSession should work. It is also used in Method checkSessionTimeout.
Enumeration<Session> en = sessionTable.getExpiredSessions(count);
while (en.hasMoreElements())
{
Session session = en.nextElement();
removeSession(session);
}
Related
I want to update a status to my table with specific criteria (where clause) when any user logs on..
create or replace TRIGGER AUTO_COMPLETE
AFTER LOGON ON SCHEMA
BEGIN
UPDATE SESSIONS
SET SESSIONS.STATUS = 5
WHERE SESSIONS.STATUS =2
AND TO_CHAR(SESSIONS.SESSION_DATE, 'MM-DD-YYYY HH24.MM') < TO_CHAR (SYSDATE, 'MM-DD-YYYY HH24.MM');
END AUTO_COMPLETE;
Unfortunately this trigger is not fired and i have no errors!!
Apex is stateless, see first paragraph here. That means that a new database session is created for every page render or post process. I think that would make that logon trigger fire constantly when the user navigates around the application.
You could create an application process with point "After Authentication" in your application. That will fire only once for the application after the user authenticates.
Keeping this functionality separate from your database makes sense. A logon trigger will fire when you connect through sqldeveloper or over rest as well - and it will affect performance.
I think the best way is in your app settings, you can user bind variables to verify the username or another stuff.
Shared components / Security Attributes / Database Session
Or another option is to create a process after authentication
I have a web server and its session state is stored in a Sql Server. I need to change the timeout to use an external time source. How would I do this?
Ok, it's not hard to do it. I suppose you're able to read that data from the table - related, as you said, to some User Preference - and to put this data in an int:
int myTimeout = [... read from DB];
It's enough to add this line after the login procedure has been completed (or even during the procedure):
Session.Timeout = myTimeout;
Note: the Timeout is in minutes.
ASP.NET/MONO MVC2 application standard ASP.NET Web cache is used to speed up database access:
string GetName() {
// todo: dedect if data has changed and invalidate cache
var name = (string)HttpContext.Current.Cache["Name"];
if (name!=null)
return name;
name = db.Query("SELECT name from mydata");
HttpContext.Current.Cache.Insert("Name", name);
return name;
}
mydata can changed by other application.
In this case this method returns wrong data.
How to detect if data is changed and return fresh data from PostgreSql database in this case ?
It is OK to clear whole Web cache if mydata has changed.
The best way to do this is likely with LISTEN and NOTIFY.
Have your app maintain a background worker with a persistent connection to the DB. In that connection, issue a LISTEN name_changed, then wait for notifications. If npgsql supports it it might offer a callback; otherwise you'll have to poll.
Add a trigger to the name table that issues a NOTIFY name_changed.
When your background worker gets the notification it can flush the cache.
You can even use the NOTIFY payload to invalidate only changed entries selectively.
Why Session objects are not removed after Timeout period?
I am using Asp.Net 4.0 and Session state is configured as shown below.
<sessionState mode="SQLServer" cookieless="false" timeout="5"
allowCustomSqlDatabase="true"
sqlConnectionString="data source=.\SqlExpress;initial catalog=App_SessionState;user id=sa;password=xxxxxxxx"/>
If I have not activity in browser for about 10 mins, shouldn't the Session object be removed. But after 10 mins I can still access the Session variable. Am I missing something here?
EDIT:
If I access a session variable after 10 mins as shown below shouldn't I get NULL
var myObj = Session["MyKey"] as MyClass;
mObj is not NULL after 10 mins.
There's a stored procedure installed called DeleteExpiredSessions, called from the job ASPState_Job_DeleteExpiredSessions, and is executed every minute (if I read the InstallSqlState.sql file correctly).
The procedure basically calls DELETE FROM ASPStateTempSessions WHERE Expires < GETUTCDATE()
So, if objects aren't removed, check the Expires column, and verify that you're comparing with the utc date. If in doubt, do a SELECT * FROM ASPStateTempSessions WHERE Expires < GETUTCDATE(). Also, make sure that your ASPState_Job_DeleteExpiresSessions is enabled and working.
A quick (and totally unconfirmed idea); do SQL Server Express come with the SQL Agent? Is it enabled and able execute scheduled jobs?
The "session" is never "null", but after the timeout has expired, the session object is emptied (or re-instantiated), another session is automatically started (you can check this by handling SessionEnd and SessionStart events), and you will always have a reference to a session object.
Does not happen? Still you see previous session's data?
To add onto what Simon said, If there is no SQL Server Agent running there will be no clearing of session values unless a stored procedure inside of the database is actually executed.
I don't think SQL Server express has the Agent so an automated job is not possible.
If you have control of the server then I would suggest setting up a scheduled task through windows that executes the stored procedure or job that clears your expired sessions. I don't know the exact name of the stored procedure right now but it should be named fairly obvious to it's purpose.
So your options are to upgrade to a version of SQL server that has the SQL Server Agent available or set something up to manually execute the stored procedure to clear expired sessions.
Alliteratively you can use InProc sessions, which are cleared automatically. But I assumed since InProc is the default there is a reason why you switched to SQL Server.
I use SQLServer SessionState mode to store session in my ASP.NET application. It stores certain objects that are serialized/deserialized every time they are used.
If I make any changes in code of the structure of those objects and I put a new version live, any logged user will get an error, as their session objects (the old version ones) do not match the structure that the new version expects while deserializing.
Is there a way to clear all sessions at once in DB so that all active sessions expire and users are forced to log in again (and therefore all session objects are created from scratch)?
Or... Is there any other way to solve this situation?
You may try using stored procedure in SQL Server to clear all the sessions:
CREATE PROCEDURE [dbo].[DeleteSessions]
AS
DELETE [ASPState].dbo.ASPStateTempSessions
RETURN 0
You can call Session.Abandon, or Clear for every user when they hit the invalid Session object.
You can also loop through the per-user Session collection, and clear the keys that can contain "old" objects. Maybe you have a login ticket and such that you don't want to clear.
foreach (string key in Session.Keys)
{
if (!key.Equals("login"))
{
Session.Remove(key);
}
}