Is Session Always Cleared?

 
 
Jonathan Wood
      09-25-2008
Greetings,

I was wondering if anyone here has a good understanding of the Session
object. I know there are options like the Session.Abandon method and the
regenerateExpiredSessionId setting, although I do not understand what they
do.

Can anyone tell me if it's possible for a recycled session to still contain
the old data? I had a couple of reports where users said they logged on
and saw another user's data. On this site, there were a couple of cases
where I used the Session object to track information about the current user.

Thanks for any tips or links.

Jonathan

 
Göran Andersson
 
      09-25-2008
Jonathan Wood wrote:
> Greetings,
>
> I was wondering if anyone here has a good understanding of the Session
> object. I know there are options like the Session.Abandon method and the
> regenerateExpiredSessionId setting, although I do not understand what
> they do.
>
> Can anyone tell me if it's possible for a recycled session to still
> contain the old data? I had a couple of reports where users said
> they logged on and saw another user's data. On this site, there were a
> couple of cases where I used the Session object to track information
> about the current user.
>
> Thanks for any tips or links.
>
> Jonathan
>


The session id is stored in a cookie in the browser, and is matched
against the existing Session objects on the server.

If a Session object has timed out, it's gone forever. If an expired
session id is reused, a new empty Session object is created for it.

A session id could possibly be spoofed, but that is hardly what your
users are doing, so the Session objects are most likely not the reason
why some user could see some other user's data.

Are you using any static variables in your application?

--
Göran Andersson
_____
http://www.guffa.com
 
Jonathan Wood

      09-25-2008
"Göran Andersson" wrote in message:

> The session id is stored in a cookie in the browser, and is matched
> against the existing Session objects on the server.
>
> If a Session object has timed out, it's gone forever. If an expired
> session id is reused, a new empty Session object is created for it.
>
> A session id could possibly be spoofed, but that is hardly what your users
> are doing, so the Session objects are most likely not the reason why some
> user could see some other user's data.


Yeah, no one is trying to hack the site. So, as far as you are concerned,
one session would never see the Session data used by another user?

> Are you using any static variables in your application?


No, I store any persisting data in the Session object or the database. It's
the first big site I created (although I've been programming for many, many
years). I'm now prepared to review my code in detail but, to be honest, I
really have no idea what this could be.

Note that, normally, the site works exactly as expected.

Thanks.

Jonathan

 
Cowboy (Gregory A. Beamer)
 
      09-25-2008
Your problem is not session. It is more likely you have a cache issue, a
singleton, static variables or the users are using the same computer.
Perhaps you have something stored in application, or you have tried some
form of global object. The session, used as a place to hang session data, is
not a problem.

--
Gregory A. Beamer
MVP, MCP: +I, SE, SD, DBA

Subscribe to my blog
http://feeds.feedburner.com/GregoryBeamer#

or just read it:
http://feeds.feedburner.com/GregoryBeamer

********************************************
| Think outside the box! |
********************************************
"Jonathan Wood" wrote in message:
> Greetings,
>
> I was wondering if anyone here has a good understanding of the Session
> object. I know there are options like the Session.Abandon method and the
> regenerateExpiredSessionId setting, although I do not understand what they
> do.
>
> Can anyone tell me if it's possible for a recycled session to still
> contain the old data? I had a couple of reports where users said they
> logged on and saw another user's data. On this site, there were a couple
> of cases where I used the Session object to track information about the
> current user.
>
> Thanks for any tips or links.
>
> Jonathan
>


 
Jonathan Wood
 
      09-25-2008
Thanks for the additional vote of confidence on Session.

There is a slight possibility that at least one of the users did log on as
other users. I will quiz them on if they might have logged on as the users
whose data they saw when they logged on as themselves.

I don't know that's the issue but I'll explore it. Is there a straightforward
way to allow multiple users to log on from the same computer?

Jonathan

"Cowboy (Gregory A. Beamer)" wrote in message:
> Your problem is not session. It is more likely you have a cache issue, a
> singleton, static variables or the users are using the same computer.
> Perhaps you have something stored in application, or you have tried some
> form of global object. The session, used as a place to hang session data,
> is not a problem.
>
> --
> Gregory A. Beamer
> MVP, MCP: +I, SE, SD, DBA
>
> Subscribe to my blog
> http://feeds.feedburner.com/GregoryBeamer#
>
> or just read it:
> http://feeds.feedburner.com/GregoryBeamer
>
> ********************************************
> | Think outside the box! |
> ********************************************
> "Jonathan Wood" wrote in message:
>> Greetings,
>>
>> I was wondering if anyone here has a good understanding of the Session
>> object. I know there are options like the Session.Abandon method and the
>> regenerateExpiredSessionId setting, although I do not understand what
>> they do.
>>
>> Can anyone tell me if it's possible for a recycled session to still
>> contain the old data? I had a couple of reports where users said
>> they logged on and saw another user's data. On this site, there were a
>> couple of cases where I used the Session object to track information
>> about the current user.
>>
>> Thanks for any tips or links.
>>
>> Jonathan
>>

>


 
Hans Kesting
 
      09-25-2008
Jonathan Wood explained :
> Thanks for the additional vote of confidence on Session.
>
> There is a slight possibility that at least one of the users did log on as
> other users. I will quiz them on if they might have logged on as the users
> whose data they saw when they logged on as themselves.
>
> I don't know that's the issue but I'll explore it. Is there a straightforward
> way to allow multiple users to log on from the same computer?
>
> Jonathan
>


What exactly do you mean by "multiple users logging in from the same
computer"?

If there is just one user at a time then there shouldn't be a problem.
If the first user closes his browser after he is finished, the session
cookie is forgotten. A new browser instance will use a new session.
When the first user logs out, you can destroy the session server side
(Session.Abandon).

However, two users at *the same time* from the same computer could lead
to problems. The various browser windows could use the same cookie set.
So when a second user opens a new window, he could be automatically
using the session of the first user.

I think that Firefox uses the same cookie set for all its windows. For
IE it depends on how the new window is started.

Hans Kesting


 
Jonathan Wood
 
      09-25-2008
Hans,

> What exactly do you mean by "multiple users logging in from the same
> computer"?


I'm sorry. It's hard to know how to better state it than that. Unless you
clarify which part is unclear.

> If there is just one user at a time then there shouldn't be a problem.
> If the first user closes his browser after he is finished, the session
> cookie is forgotten. A new browser instance will use a new session.
> When the first user logs out, you can destroy the session server side
> (Session.Abandon).


Well, I don't know if it's a given that the browser was closed in between.
But even if it was, the cookie could remain after the browser is closed.
However, what if any data remains from that cookie is something I don't
know.

> However, two users at *the same time* from the same computer could lead to
> problems. The various browser windows could use the same cookie set. So
> when a second user opens a new window, he could be automatically using the
> session of the first user.


No, I'm not considering the possibility that multiple users were logging on
to the site on the same computer at the same time.

> I think that Firefox uses the same cookie set for all its windows. For IE
> it depends on how the new window is started.


In fact, the case where I have the most information about the problem (which
isn't much) is specifically on Firefox. But I still don't see how this could
be an issue.

Thanks.

Jonathan

 
Hans Kesting
 
      09-25-2008
on 25-9-2008, Jonathan Wood supposed :
> Hans,
>
>> What exactly do you mean by "multiple users logging in from the same
>> computer"?

>
> I'm sorry. It's hard to know how to better state it than that. Unless you
> clarify which part is unclear.
>


I gave some possibilities below

>> If there is just one user at a time then there shouldn't be a problem.
>> If the first user closes his browser after he is finished, the session
>> cookie is forgotten. A new browser instance will use a new session.
>> When the first user logs out, you can destroy the session server side
>> (Session.Abandon).

>
> Well, I don't know if it's a given that the browser was closed in between.
> But even if it was, the cookie could remain after the browser is closed.
> However, what if any data remains from that cookie is something I don't know.
>


The session cookie has no expiry-date so the browser treats it as a
temporary cookie. It does not get stored and disappears as soon as the
browser is closed.

>> However, two users at *the same time* from the same computer could lead to
>> problems. The various browser windows could use the same cookie set. So
>> when a second user opens a new window, he could be automatically using the
>> session of the first user.

>
> No, I'm not considering the possibility that multiple users were logging on
> to the site on the same computer at the same time.
>
>> I think that Firefox uses the same cookie set for all its windows. For IE
>> it depends on how the new window is started.

>
> In fact, the case where I have the most information about the problem (which
> isn't much) is specifically on Firefox. But I still don't see how this could
> be an issue.
>


A guess: the first user did not log out and did not close his browser
window, but minimised it. The second user thought he started a fresh
instance of the browser but got a new window of the first instance,
with the session cookie (and thus the session) of the first user.

> Thanks.
>
> Jonathan



 
Jonathan Wood
 
      09-25-2008
Hans,

> The session cookie has no expiry-date so the browser treats it as a
> temporary cookie. It does not get stored and disappears as soon as the
> browser is closed.


So what do you know about what happens if the browser is not closed? If the
user enters their username and password, can you think of any way they'd
still see data from the previous login?

> A guess: the first user did not log out and did not close his browser
> window, but minimised it. The second user thought he started a fresh
> instance of the browser but got a new window of the first instance, with
> the session cookie (and thus the session) of the first user.


But it seems quite certain that the second user (actually, it's one person
but I'll leave the details out) logged in using the Login control. Can you
think of any way that could happen without resetting the session?

Thanks.

Jonathan

 
Cowboy (Gregory A. Beamer)
 
      09-26-2008
What normally happens in these scenarios is user 2 (or user 1 logging in as
user 2) spawns a second browser instance using File >> N (or control + N).
This puts the second instance in the process space for the first instance.
They then use the site under that context and switch back to context 1. Or
user 1 comes back and instance 1 is still open.

You see it a lot in testing and have to train testers to open a new browser
instance from the start menu. This is especially true in "manager testing".

In these cases, you are grabbing the same session.

--
Gregory A. Beamer
MVP, MCP: +I, SE, SD, DBA

Subscribe to my blog
http://feeds.feedburner.com/GregoryBeamer#

or just read it:
http://feeds.feedburner.com/GregoryBeamer

********************************************
| Think outside the box! |
********************************************
"Hans Kesting" wrote in message:
> Jonathan Wood explained :
>> Thanks for the additional vote of confidence on Session.
>>
>> There is a slight possibility that at least one of the users did log on
>> as other users. I will quiz them on if they might have logged on as the
>> users whose data they saw when they logged on as themselves.
>>
>> I don't know that's the issue but I'll explore it. Is there a straightforward
>> way to allow multiple users to log on from the same computer?
>>
>> Jonathan
>>

>
> What exactly do you mean by "multiple users logging in from the same
> computer"?
>
> If there is just one user at a time then there shouldn't be a problem.
> If the first user closes his browser after he is finished, the session
> cookie is forgotten. A new browser instance will use a new session.
> When the first user logs out, you can destroy the session server side
> (Session.Abandon).
>
> However, two users at *the same time* from the same computer could lead to
> problems. The various browser windows could use the same cookie set. So
> when a second user opens a new window, he could be automatically using the
> session of the first user.
>
> I think that Firefox uses the same cookie set for all its windows. For IE
> it depends on how the new window is started.
>
> Hans Kesting
>
>
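
The shared-session case described in this thread, as an added example that is not code from any of the posters: forms authentication and session state use separate cookies, so signing in as a different user in a window that still carries the old session cookie leaves the earlier Session contents in place. The sketch below ties each Session to the login that filled it and clears it on a mismatch, and shows a logout that abandons the session; the `SessionOwner` key, the `SignOut` helper and the case-insensitive user name comparison are assumptions, and `ASP.NET_SessionId` is the default session cookie name.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Global.asax code-behind (added example; "SessionOwner" is a made-up key).
public class Global : HttpApplication
{
    private const string OwnerKey = "SessionOwner";

    // Fires on every request once session state has been loaded.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;   // this request has no session state

        string user = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name
            : null;
        string owner = ctx.Session[OwnerKey] as string;

        // The session was filled under a different login (or the user signed
        // out without Abandon): discard its contents before any page reads it.
        // Assumes user names compare case-insensitively.
        if (owner != null &&
            !string.Equals(owner, user, StringComparison.OrdinalIgnoreCase))
        {
            ctx.Session.Clear();
            owner = null;
        }

        // First authenticated request on this session: record who owns it.
        if (owner == null && user != null)
            ctx.Session[OwnerKey] = user;
    }

    // Hypothetical helper to call from the site's logout handler.
    public static void SignOut(HttpContext ctx)
    {
        FormsAuthentication.SignOut();   // removes the forms auth ticket cookie
        ctx.Session.Abandon();           // session is discarded when the request ends
        // Expire the session id cookie so the next request gets a fresh id.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", "");
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        ctx.Response.Cookies.Add(expired);
    }
}
```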


 