Killing off my sessions

This topic is closed.
  • Rob Meade

    Killing off my sessions

    Hi all,

    Having created a secure login, and then create session variables to detect
    whether or not a user is logged in - I would now like to be able to offer a log
    out page! :)

    I have found the following three in the intelli-help stuff :

    Session.Abandon()
    Session.Clear()
    Session.RemoveAll()

    In vanilla ASP I'd have used Session.Abandon - and probably on its own - is
    this still ok/good enough - should I use the lot?
    Any info would be appreciated please.

    Regards
    Rob


  • Alvin Bruney [MVP]

    #2
    Re: Killing off my sessions

    Session clear or removeall is your best bet

    --
    Regards,
    Alvin Bruney [ASP.NET MVP]
    Got tidbits? Get it here...

    "Rob Meade" <robert.meade@NOSPAMubht.swest.nhs.uk> wrote in message
    news:%23hYbM5Z6DHA.1968@TK2MSFTNGP11.phx.gbl...
    > Hi all,
    >
    > Having created a secure login, and then create session variables to detect
    > whether or not a user is logged in - I would now like to be able to offer a
    > log out page! :)
    >
    > I have found the following three in the intelli-help stuff :
    >
    > Session.Abandon()
    > Session.Clear()
    > Session.RemoveAll()
    >
    > In vanilla ASP I'd have used Session.Abandon - and probably on its own - is
    > this still ok/good enough - should I use the lot?
    > Any info would be appreciated please.
    >
    > Regards
    > Rob



    • Rob Meade

      #3
      Re: Killing off my sessions

      "Alvin Bruney [MVP]" wrote ...

      > Session clear or removeall is your best bet

      Hello Alvin,

      Not that I don't believe you - but can you tell me why these are better than
      session.abandon (just so that I have a better understanding etc)...

      My need is to get rid of the session asap when the logout.aspx page loads -
      so I was dumping the code into the page_load event.

      Any further help is appreciated,

      Regards

      Rob



      • DalePres

        #4
        Re: Killing off my sessions

        I think Session.Abandon() is the best choice. The other two - Clear() and
        RemoveAll() delete all session values but do not terminate the session.
        Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
        ever be able to access those values whether or not you call Clear() or
        RemoveAll().

        The only one needed is Session.Abandon().

        Dale

        "Alvin Bruney [MVP]" <vapor at steaming post office> wrote in message
        news:OTkPZGa6DHA.1968@TK2MSFTNGP11.phx.gbl...
        > Session clear or removeall is your best bet
        >
        > --
        > Regards,
        > Alvin Bruney [ASP.NET MVP]
        > Got tidbits? Get it here...
        > http://tinyurl.com/3he3b

        • Cowboy (Gregory A. Beamer)

          #5
          Re: Killing off my sessions

          Abandon() kills the session, so it should be adequate for killing the
          session. RemoveAll() will clear out the session values without killing the
          session. Clear() does the same thing.

          I think the reasoning for the other methods is to force the user out when
          they hit the back button. It does not work if they are running under cached
          pages anyway, so it is largely an exercise in futility.

          --
          Gregory A. Beamer
          MVP; MCP: +I, SE, SD, DBA

          *************** *************** *************** *************** **********
          Think Outside the Box!
          *************** *************** *************** *************** **********
          "Rob Meade" <robert.meade@NOSPAMubht.swest.nhs.uk> wrote in message
          news:%23hYbM5Z6DHA.1968@TK2MSFTNGP11.phx.gbl...
          > Hi all,
          >
          > Having created a secure login, and then create session variables to detect
          > whether or not a user is logged in - I would now like to be able to offer a
          > log out page! :)
          >
          > I have found the following three in the intelli-help stuff :
          >
          > Session.Abandon()
          > Session.Clear()
          > Session.RemoveAll()
          >
          > In vanilla ASP I'd have used Session.Abandon - and probably on its own - is
          > this still ok/good enough - should I use the lot?
          > Any info would be appreciated please.
          >
          > Regards
          > Rob



          • Patrick

            #6
            Re: Killing off my sessions

            session.abandon() does fire the session_end event in global.asax - clear(),
            remove() does not.

            so go for session.abandon()

            regards
            pat
            "DalePres" <don-t-spa-m-me@lea-ve-me-a-lone--.com> wrote in message
            news:#deJFia6DHA.3288@TK2MSFTNGP11.phx.gbl...
            > I think Session.Abandon() is the best choice. The other two - Clear() and
            > RemoveAll() delete all session values but do not terminate the session.
            > Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
            > ever be able to access those values whether or not you call Clear() or
            > RemoveAll().
            >
            > The only one needed is Session.Abandon().
            >
            > Dale

            • Alvin Bruney [MVP]

              #7
              Re: Killing off my sessions

              This is not correct, please see my earlier post for an explanation on why it
              isn't so.

              --
              Regards,
              Alvin Bruney [ASP.NET MVP]
              Got tidbits? Get it here...

              "Patrick" <patrick@nn.com> wrote in message
              news:ucoCeOd6DHA.2952@tk2msftngp13.phx.gbl...
              > session.abandon() does fire the session_end event in global.asax - clear(),
              > remove() does not.
              >
              > so go for session.abandon()
              >
              > regards
              > pat

              • Alvin Bruney [MVP]

                #8
                Re: Killing off my sessions

                This article may help clear up some of your answers.


                --
                Regards,
                Alvin Bruney [ASP.NET MVP]
                Got tidbits? Get it here...

                "Rob Meade" <robert.meade@NOSPAMubht.swest.nhs.uk> wrote in message
                news:%23iBAaKa6DHA.2568@TK2MSFTNGP10.phx.gbl...
                > "Alvin Bruney [MVP]" wrote ...
                >
                > > Session clear or removeall is your best bet
                >
                > Hello Alvin,
                >
                > Not that I don't believe you - but can you tell me why these are better than
                > session.abandon (just so that I have a better understanding etc)...
                >
                > My need is to get rid of the session asap when the logout.aspx page loads -
                > so I was dumping the code into the page_load event.
                >
                > Any further help is appreciated,
                >
                > Regards
                >
                > Rob



                • Alvin Bruney [MVP]

                  #9
                  Re: Killing off my sessions

                  > Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
                  > ever be able to access those values whether or not you call Clear() or
                  > RemoveAll().

                  This is not technically accurate. It is possible to access session objects
                  even after session abandon is called. Page execution would have to totally
                  cease before your statement would be technically correct. The reason why I
                  suggested clear or removeall is because in most circumstances it would work.
                  Consider this: most security code cleanup is usually placed in the session
                  end event with a strong dependence on the uniqueness of the session id. In
                  this scenario, calling session abandon will lead to an application which is
                  not well behaved since session end isn't guaranteed to be called even in
                  InProc mode.

                  The literature on this is equally confusing as well but it's rather trivial
                  to write code to demonstrate this. It doesn't help also that the MSDN help
                  on session abandon is not accurate as well. There's a lot going on, enough
                  to be very cautious about giving a clear cut answer. In a nutshell, it
                  really depends on how your code is structured and what you want to
                  accomplish. If you want to clear the dictionary, any method will do equally
                  well. If what you are after is tracking sessions/logins/id's you have to be
                  very careful with which method you select.


                  --
                  Regards,
                  Alvin Bruney [ASP.NET MVP]
                  Got tidbits? Get it here...

                  "DalePres" <don-t-spa-m-me@lea-ve-me-a-lone--.com> wrote in message
                  news:%23deJFia6DHA.3288@TK2MSFTNGP11.phx.gbl...
                  > I think Session.Abandon() is the best choice. The other two - Clear() and
                  > RemoveAll() delete all session values but do not terminate the session.
                  > Once you call Session.Abandon(), neither you, ASP.Net, nor the client will
                  > ever be able to access those values whether or not you call Clear() or
                  > RemoveAll().
                  >
                  > The only one needed is Session.Abandon().
                  >
                  > Dale

                  • Rob Meade

                    #10
                    Re: Killing off my sessions

                    "Cowboy (Gregory A. Beamer)" wrote ...

                    > It does not work if they are running under cached
                    > pages anyway, so it is largely an exercise in futility.

                    Do you mean regardless of which of the above I use it'll make no difference
                    if their pages are cached?

                    In which case, should I also be adding the no cache stuff to the top of the
                    page (headers?) like I think I once did in ASP?

                    Regards

                    Rob



                    • Rob Meade

                      #11
                      Re: Killing off my sessions

                      "Alvin Bruney [MVP]" wrote ...

                      > This article may help clear up some of your answers.
                      > http://www.devdex.com/gurus/articles/746.asp

                      Thanks for the reply+link - off to have a looky now.

                      Regards

                      Rob



                      • Rob Meade

                        #12
                        Re: Killing off my sessions

                        "Alvin Bruney [MVP]" wrote ...

                        > This article may help clear up some of your answers.
                        > http://www.devdex.com/gurus/articles/746.asp

                        Hi Alvin,

                        I have just read that article, thank you, however I am not using the
                        session_end event - so does this apply? ie, I have no code in the
                        global.asax session_end - all I want to do is on the logout.aspx page dump
                        everything at that stage.

                        I am currently using all three methods - ie, still the same since posting
                        this yesterday, when I click on the logout button I get redirected to the
                        logout page, this then uses all three methods, and some text saying you've
                        been logged out is displayed.

                        I tested this this morning by then changing the URL at the top of the page
                        to a page that if the session was still alive should have let me in, instead
                        it redirected me to the login page.

                        Aside from swapping these around and testing each in turn to see if one or
                        more gives me the result I want (which I currently have with all 3) any
                        ideas on which I should be using?

                        Not sure how to test the cached pages stuff that was mentioned yesterday -
                        is that simply the browser settings for caching (ie, don't get a new page
                        ever) or something else I'd need to change.

                        Regards

                        Rob



                        • Cowboy (Gregory A. Beamer)

                          #13
                          Re: Killing off my sessions

                          Thank you for pointing out the confusion. I was not even thinking about
                          server cache at the time. I was focusing on the client cache from the user's
                          browser. When a user has IE set to cache pages, they can hit the back button
                          and scroll back through the pages in their cache. You can avoid this by
                          timing out the pages, but then it gives you the ugly "page no longer valid"
                          message (better than allowing them to hit a page after a session end).

                          The caching option on the server side is a different creature. Using the
                          default caching does not affect Session timing out, abandon, et al. I was
                          focused solely on the client side cache.



                          --
                          Gregory A. Beamer
                          MVP; MCP: +I, SE, SD, DBA

                          *************** *************** *************** *************** **********
                          Think Outside the Box!
                          *************** *************** *************** *************** **********
                          "Rob Meade" <robert.meade@NOSPAMubht.swest.nhs.uk> wrote in message
                          news:OATiSGj6DHA.1852@TK2MSFTNGP10.phx.gbl...
                          > "Cowboy (Gregory A. Beamer)" wrote ...
                          >
                          > > It does not work if they are running under cached
                          > > pages anyway, so it is largely an exercise in futility.
                          >
                          > Do you mean regardless of which of the above I use it'll make no difference
                          > if their pages are cached?
                          >
                          > In which case, should I also be adding the no cache stuff to the top of the
                          > page (headers?) like I think I once did in ASP?
                          >
                          > Regards
                          >
                          > Rob



                          • Ravichandran J.V.

                            #14
                            Re: Killing off my sessions

                            Session.Abandon() is your best bet.

                            with regards,


                            J.V.Ravichandran
                            - http://www.geocities.com/jvravichandran
                            - http://www.411asp.net/func/search?qry=Ravichandran+J.V.&cob=aspnetpro
                            - http://www.southasianoutlook.com
                            - http://www.MSDNAA.Net
                            - http://www.csharphelp.com
                            - http://www.poetry.com/Publications/display.asp?ID=P3966388&BN=999&PN=2
                            - Or, just search on "J.V.Ravichandran" at http://www.Google.com


                            • Rob Meade

                              #15
                              Re: Killing off my sessions

                              "Cowboy (Gregory A. Beamer)" wrote ...

                              > You can avoid this by timing out the pages,

                              using...

                              I think we used to use stuff like adding headers to the page in regular
                              ASP - same in .net?

                              > but then it gives you the ugly "page no longer valid"
                              > message (better than allowing them to hit a page after a session end).

                              Any way to replace that page with one of my own? Or is that controlled via
                              the server's custom error pages etc?
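
Added example, not part of any post in this thread: a logout page and a base class for protected pages that combine the points discussed above (Clear() versus Abandon(), and the browser cache behind the back button). It assumes ASP.NET Web Forms, a hypothetical Session["LoggedIn"] flag set by the login page, hypothetical class and page names, and the default session cookie name; expiring the session cookie goes beyond what the thread covers.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Base class for every page that requires a logged-in user.
// The class name and the "LoggedIn" key are assumptions for this example.
public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Ask the browser and any proxy not to keep a copy of this page,
        // so the back button after logout has to ask the server again.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // The server-side check is what actually enforces the logout:
        // once the session values are gone, the request is sent to login.
        object flag = Session["LoggedIn"];
        if (!(flag is bool) || !(bool)flag)
        {
            Response.Redirect("~/login.aspx", true);
        }
    }
}

// Code-behind for logout.aspx.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Clear() empties the session dictionary immediately, so nothing
        // later in this request can still read the login flag.
        Session.Clear();

        // Abandon() marks the session for destruction; the session object
        // stays usable until the current request finishes, which is why
        // Clear() is called first.
        Session.Abandon();

        // Abandon() does not remove the session cookie from the browser.
        // Overwrite it with an expired, empty cookie so the next request
        // starts with a fresh session id. "ASP.NET_SessionId" is the
        // default name; adjust it if the application configures another.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.HttpOnly = true;
        Response.Cookies.Add(expired);

        // The "you have been logged out" page itself should not be cached.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
    }
}
```

Nothing here depends on Session_End firing, so the logout behaves the same whether or not global.asax contains cleanup code.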

