When a session is timed out in an ASP.NET application, we need to close all the web pages that are already opened by a user.
Each page has a sign-out link. When the user clicks on that link, the home page is redirected to that page.
In this case, the other opened pages also need to be closed.
How can we do this?
For all pages:
AJAX call back to server to check whether Session has expired.
Parse result from AJAX
If session ended then close window or redirect to logged out page.
On second thought... we can use what #thephpdeveloper said, particularly when the user signs out formally (like clicking the sign-out button). Once a formal sign-out happens, such an AJAX callback can be used, because the session will be valid but there will not be any user. Using this, we can signal the page and close the browser window.
As Razzie commented, doing an AJAX callback to the same web-application will keep the session alive. Using a web-service also won't solve the problem.
This solution avoids keeping the session alive:
Store every session in the database. This could be done in the Session_Start event in the Global.asax or after the log-in.
Delete timed-out sessions from the database in the Session_End event in your Global.asax file or after the log-out.
Do a periodical AJAX callback to a different web-application, e.g. a web running on a sub-domain, to check in the database if the session still exists.
I suggest you use the SessionID to identify the sessions.
My requirement is that a user should not be logged in from multiple browsers or systems simultaneously in the application. For this I maintain a flag in the database, so whenever the user logs in I update the flag to yes, and when he logs out I update it to no.
My issue is that if the user closes the browser window without logging out of the application, then I am unable to update the flag. So the next time the user tries to log in to the application, it says the user is already logged in.
I tried using the onbeforeunload event in the master page, but whenever I change the menu in my application, it fires that event. For updating the flag I used page methods. But this is not working properly.
I would say, send a 'ping' often via an AJAX call to your API to confirm you are still online. If there is no ping or page change after 3 minutes, I consider the user has been logged off and it sets him as "logged off" in the database.
At least, I do this using JavaScript, but I'm sure you can also do it in the client-side part of the ASP.NET app you are making.
You can't handle this only by client-side code, using e.g. beforeunload, because the page/browser may be closed for many reasons (e.g. lack of electricity).
What you can do is:
A scheduler on your backend which verifies whether a user did some action since e.g. 1min. In that case you have to update information about user action in your DB after every AJAX request (Hugo Regibo suggested ping requests).
The disadvantage of this solution is this period: when a user turns off the page, he will not be able to log in again for 1min.
Instead of a scheduler you can verify logged-in users (I assume you keep them in a DB table) after each request.
Use web sockets: you will have a continuous connection and you will be notified about a closed connection immediately. The disadvantage of this is that web sockets don't scale as well as stateless HTTP.
Besides that, I don't know whether you use IIS with a session provider or not. And when a user closes the page and opens it again, should he be able to log in with his saved credentials? You should write more about what your project looks like.
I would do it by saving a Session object for each login call. A session ID would then be stored in the user's cookie or authentication token. Each call to the system would validate the user via their session ID. If that session has been invalidated, they just get sent to the login prompt. Whenever the user logs in, it invalidates all of their other sessions.
This way the user could be in their browser on their machine, navigate away, close the browser, and come back to find their session still alive without having to log back in. But, if they log into another machine, then their old session would be invalidated.
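The server-side bookkeeping described in this answer and in the earlier "store every session in the database" answer can share one structure. This is an added example, not code from any of the posts: `SessionRegistry`, its method names and the in-memory `Map` standing in for the database table are assumptions. It covers three cases: a new log-in invalidates the user's other sessions, a normal request slides the idle window, and a status poll from an open page gets an answer without extending the session.

```javascript
// Added example: in-memory stand-in for a sessions table (all names hypothetical).
const { randomBytes } = require('crypto');

class SessionRegistry {
  constructor(idleMs, now = Date.now) {
    this.idleMs = idleMs;   // idle timeout, the analogue of the session timeout
    this.now = now;         // injectable clock so expiry can be tested
    this.rows = new Map();  // sessionId -> { user, lastSeen }
  }

  // Log-in: drop every other session of this user, then issue an unpredictable ID.
  login(user) {
    for (const [id, row] of this.rows) {
      if (row.user === user) this.rows.delete(id);
    }
    const id = randomBytes(16).toString('hex');
    this.rows.set(id, { user, lastSeen: this.now() });
    return id;
  }

  // Lookup that purges an expired row. It never updates lastSeen.
  _live(id) {
    const row = this.rows.get(id);
    if (!row) return null;
    if (this.now() - row.lastSeen >= this.idleMs) {
      this.rows.delete(id);
      return null;
    }
    return row;
  }

  // Real application request: validates the ID and slides the idle window.
  validate(id) {
    const row = this._live(id);
    if (!row) return null;
    row.lastSeen = this.now();
    return row.user;
  }

  // Status poll from open pages: yes/no, without keeping the session alive.
  isAlive(id) { return this._live(id) !== null; }

  // Formal sign-out, or ending a session when only its ID is known.
  end(id) { return this.rows.delete(id); }
}
```

Because expiry is evaluated on every lookup, a user who closes the browser without signing out is not locked out: the next log-in simply replaces the stale row.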
EDIT
This problem seems to have strangely disappeared. There must've been something funky with my environment. I'm voting to close this question.
When a user logs in, I inflate the session with a bunch of data from the Login page code-behind. Then I redirect the user to a different page in the application. I also have some session recovery logic which re-inflates the session based on the auth ticket when the user's session expires.
What seems to be happening is that I inflate the user's session with a bunch of data from the login page, then redirect them, and the request for the page to which I redirect them doesn't seem to have the session, so the application has to re-inflate it. I don't understand this - I've looked at the cookie and the session ID is not changing, and I am not resetting the session data anywhere in the code. Is this an ASP .NET 'feature'? I'm using ASP .NET 4.0.
Edit:
To clarify: The session is inflated during the login request (on the click event of the login button). During the next request, it doesn't appear the session is populated any longer, so I end up having to re-inflate the session. Any requests that user makes after that, the session seems to "stick" and I have the properly inflated session for subsequent requests.
To answer your question SessionState data is independent of login/logout.
There are several reasons why data might "disappear" from SessionState.
If you are using InProc SessionState on a web farm, the user may have a subsequent request be served by a different machine in the farm.
SessionState can clear if it gets too full (like a cache).
If you are using a custom SessionStateStoreProvider, it may not be saving/retrieving the SessionState properly.
Can I end some user's session in an ASP.NET Webform application, if I have the user's SessionId? I would do this as a web service call.
The line:-
HttpContext.Current.Session.Abandon();
will end the user's session. You would need to do this by injecting the correct ASP.NET session cookie in the request if you are not calling this from the client that is already using the session.
If you wish to terminate a user's session then you can call a page-method via AJAX that calls Session.Abandon() and upon completion of the call redirect the user to the login page.
You have potentially three options.
If you are using a SQL Server database to house your session state, you can easily navigate through that and delete the row specific to that user. Thus clearing their session.
Add code to your base page to check a file or database to see if that user's session should be cleared.
Since you know the user's session id, you may be able to visit the site yourself and then hack your ASP.NET Session cookie to have your session id be the same. Then you'd have to visit a page that calls the Session.Abandon(); call. Though I am not sure if security limitations on the .NET side would allow this.
For example I have a web application using jQuery as a framework on the client side. Now most of the pages are functional by means of using AJAX and communicate to the server by means of using Generic Handlers (.ashx).
Now I have a problem, and I am asking this to see what is the best solution for handling these requests when my user session expires.
For example, a user logged in, left his browser for 15 minutes and then he pressed a button that this will create a request to the handler, now from the server side when I try to read a session variable obviously it will be empty (session expired). What is the best way to redirect the user back to the login page.
We address this situation by a slightly different approach. Instead of trying to make all the jQuery calls deal with this kind of error condition, we have implemented a parallel timeout system on the client using javascript. A minute before the ASP.NET Session would time out, we pop up a dialog on the browser to warn the user "You have been inactive and are about to be logged out. Click here to remain logged in." We included a little countdown in the dialog also. If they click to stay logged in, we send another jQuery call to the server to reset the session timeout.
So, unless the user has javascript disabled (in which case, the app doesn't work anyway), there is not a possibility that we make a jQuery call after the ASP.NET session has timed out.
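The parallel client-side timeout described in this answer can be kept as a small state machine that the page consults on a timer. This is an added example, not the answerer's code: `IdleWatch` and its method names are hypothetical, and it assumes the handlers answer HTTP 401 once the server-side session is gone, so the server's response always overrides the local countdown.

```javascript
// Added example: client-side mirror of the server's idle timeout (names hypothetical).
class IdleWatch {
  constructor(timeoutMs, warnMs, now = Date.now) {
    this.timeoutMs = timeoutMs;  // must match the server-side session timeout
    this.warnMs = warnMs;        // how long before expiry the dialog appears
    this.now = now;              // injectable clock so the phases can be tested
    this.lastContact = now();    // time of the last response the server accepted
    this.ended = false;          // set once the server reports the session gone
  }

  // Milliseconds until the local countdown reaches zero (drives the dialog).
  msLeft() {
    if (this.ended) return 0;
    return Math.max(0, this.lastContact + this.timeoutMs - this.now());
  }

  // 'active': nothing to show; 'warning': show the dialog; 'expired': go to login.
  phase() {
    const left = this.msLeft();
    if (left === 0) return 'expired';
    return left <= this.warnMs ? 'warning' : 'active';
  }

  // Call with the HTTP status of every AJAX response, including the
  // "remain logged in" request. A 401 (assumed convention) ends the session
  // locally for good; any other response restarts the countdown.
  onResponse(status) {
    if (status === 401) this.ended = true;
    else if (!this.ended) this.lastContact = this.now();
    return this.phase();
  }
}
```

In a page this would be polled once a second, for example from `setInterval`, opening the dialog on `'warning'` and redirecting to the login page on `'expired'`.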
I have an ASP .NET information and I currently have session state turned off so I can't exactly hook into the session start event within the Global.asax. I want to get at this data, when someone comes to a site, and when they would normally start a session. What is the event that is fired to start a session so that I could hook into it and get at that data?
Without having sessions turned on then every request is a new session. So whatever event you like :)
Unless you're dropping a cookie which acts as a session cookie then there is no way to know if a visitor has been there before.