Can I end some users session in ASP.NET Webform application, if I have user's the SessionId? I would do this as a web service call.
The line:-
HttpContext.Current.Sesssion.Abandon();
will end the users session. You would need to do this by injecting the correct ASP.NET session cookie in the request if you are not calling this from the client that is already using the session.
If you wish to terminate a user's session then you can call a page-method via ajax that calls Session.abandon() and upon completion of the call redirect the user to login page.
You have potentially three options.
If you are using a SQL Server database to house your session state, you can easily navigate through that and delete the row specific tot hat user. Thus clearing their session.
Add code to your base page to check a file or database to see if that users session should be cleared.
Since you know the users session id, you may be able to visit the site yourself and then hack your ASP.Net Session cookie to have your session id be the same. Then you'd have to visit a page that calls the Sesssion.Abandon(); call. Though I am not sure if security limitations on the .NET side would allow this.
Related
My requirement is user should not log in from multiple browser or system simultaneously in application. For this I maintained the flag in database, so whenever user is logged in I am updating flag as yes and when he logged out I am updating it as no.
My issue is if user close the browser window without logging out from application then I am unable to update the flag. So next time when user try to logging in application, It is saying user is already logged in.
I tried using Onbeforeunload event in master page, but whenever I am changing the menu in my application. It is firing that event. For updating the flag I used page methods. But this is not working properly.
I would say, send often via a ajax call to your API that a 'ping' to confirm you are still online. If there is no ping or page change after 3 minutes, I consider the user has been logged off and it sets him as "logged off" in database.
At least, I do this using javascript, but i'm sure you can also in your client-side part of the ASP.NET app you are making.
You can't handle this only by client-side code, using e.g. beforeunload, because the page/browser may be closed for many reasons (e.g. lack of electricity).
What you can do is:
Scheduler on your backend which verifies whether an user did some action since e.g. 1min. In that case you have to update information about user action in your DB after every ajax requests (Hugo Regibo suggested ping requests).
Disadvantage od this solution is this period - when an user turns off the page then he will be not able to log in again for 1min.
Instead of a scheduler you can verify logged-in users (I assume you keep them in a DB table) after each requests.
Use web sockets, you will have continuous connection and you will be notified about closed connection immediately. Disadvantage of this is web sockets don't scale so good as stateless HTTP.
Besides that I don't know whether you use iis with a session provider or not? And when an user closes the page and opens it again should be able to log in with his saved credentials. You should write more of how your project looks like.
I would do it by saving a Session object for each login call. A session ID would then be stored in the user's cookie or authentication token. Each call to the system would validate the user via their session ID. If that session has been invalidated, they just get sent to the login prompt. Whenever the user logs in, it invalidates all of their other sessions.
This way the user could be in their browser on their machine, navigate away, close the browser, and come back to find their session still alive without having to log back in. But, if they log into another machine, then their old session would be invalidated.
I have a web application (.net VB code) that utilizes session variables to store the username (here login name) and the profile (admin/client), authentication is handeled by asp membership. The application then relies on these session variables on the load events. This application has been running fine for a couple of years. However, recently users complain about occasional error messages after logging in and attempting to load a new page that needs one of these variables. It happens most frequently Chrome, but also IE and Firefox.
Users that experience the error need to log out and clear the browsing history, after that it works again. The error is not easy to replicate - I was able to trigger it on my machine 'violently' using the 'back' button a couple of times that eventually tripped it - then I had to clear my browsing history to get the application to work again.
What might cause this to happen?
the session gets set on the load event of the 'login' page with 'Session("Type") = "Admin"' and subsequent pages check for the value of Session "Type"
I understand that I could use a cookie instead, but I chose not to for security reasons. Could this be prevented using a cookie instead? or do I need to use the membership.getuser method to get the username and then look up the values in the database? That does not seem efficient.
Ideas?
FYI, the ASP.NET Session ID is stored in a cookie that travels back and forth with each request/response. The actual session state values for a given session are not stored in cookies ... they are stored on the server only. They could be stored in memory, or in a SQL database, depending on how you've configured ASP.NET Session State.
But Session State can get destroyed for a variety of reasons. IIS might suddenly decide to restart your Application Pool, for example, in which case all your Session State would be gone.
Basically, you need to write your web app to always handle the possibility that Session State may be empty. If it is empty, then you probably need to redirect the user to the login screen to enter his credentials again.
Clearing the browsing history should have no effect, so I can't explain why that would help get past the problem.
EDIT
This problem seems to have strangely disappeared. There must've been something funky with my environment. I'm voting to close this question.
When a user logs in, I inflate the session with a bunch of data from the Login page code-behind. Then I redirect the user to a different page in the application. I also have some session recovery logic which re-inflates the session based on the auth ticket when the user's session expires.
What seems to be happening is that I inflate the user's session with a bunch of data from the login page, then redirect them, and the request for the page to which I redirect them doesn't seem to have the session, so the application has to re-inflate it. I don't understand this - I've looked at the cookie and the session ID is not changing, and I am not resetting the session data anywhere in the code. Is this an ASP .NET 'feauture'? I'm using ASP .NET 4.0.
Edit:
To clarify: The session is inflated during the login request (on the click even of the login button). During the next request, it doesn't appear the session is populated any longer, so I end up having to re-inflate the session. Any requests that user makes after that, the session seems to "stick" and I have the properly inflated session for subsequent requests.
To answer your question SessionState data is independent of login/logout.
There are several reasons why data might "disappear" from SessionState.
If you are using InProc SessionState on a web farm, the user may have a subsequent request be served by a different machine in the farm.
SessionState can clear if it gets too full (like a cache).
If you are using a custom SessionStateStoreProvider, it may not be saving/retrieving the SessionState properly.
When a session is timed out in asp.net application, we need to close all the web pages those are already opened by a user.
Each page has sign out link. When the user click on that link, the home page is redirected to that page.
In this case, the other opened pages also needs to be closed.
How can we do this?
For all pages:
AJAX call back to server to check whether Session has expired.
Parse result from AJAX
If session ended then close window or redirect to logged out page.
On the second thought... we can use what #thephpdeveloper said, particularly when user signs out formally... (like clicking the signout button) Once After a formal Sign out happens... Such Ajax Call back can be used, cause the session will be valid but there will not be any user... Using this we can signal the page and close the browser window
As Razzie commented, doing an AJAX callback to the same web-application will keep the session alive. Using a web-service also won't solve the problem.
This solution avoids keeping the session alive:
Store every session in the database. This could be done in the Session_Start event in the Global.asax or after the log-in.
Delete timed-out sessions from the database in the Session_End event in your Global.asax file or after the log-out.
Do a periodical AJAX callback to a different web-application, e.g. a web running on a sub-domain, to check in the database if the session still exists.
I suggest you use the SessionID to identify the sessions.
I have an ASP .NET information and I currently have session state turned off so I can't exactly hook into the session start event within the Global.asax. I want to get at this data, when someone comes to a site, and when they would normally start a session. What is the event that is fired to start a session so that I could hook into it and get at that data?
Without having sessions turned on then every request is a new session. So whatever event you like :)
Unless you're dropping a cookie which acts as a session cookie then there is no way to know if a visitor has been there before.