|
dev
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Session Times Out but still logged in with login control?I have a couple items I keep in session variables (using server memory) that
I can't pass across the address line. I've done everything I can find to extend the sessions as long as possible but eventually the session will time out. I didn't want to use SQL to hold my session information as this is a single server enviroment with plenty of memory and I don't want to slow my application down by waiting on SQL or have an additional dependency. A new application I built uses the ASP.NET 2005 Login Controls. What I noticed is that when I loose my session, I'm still logged in. I don't know much about the login controls but assumed they were session based and would vanish with my session. So my question is, can anyone explain why I'm not loosing my login and how it is being managed that it stays after my session is gone. Maybe I should use another method such as SQL to manage my session information? Thanks for any advice! "Bishop" <nospam@nospam.com> wrote in message asp.net membership is cookie-based, not session-based.news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl... > A new application I built uses the ASP.NET 2005 Login Controls. What I > noticed is that when I loose my session, I'm still logged in. I don't > know much about the login controls but assumed they were session based and > would vanish with my session. > > So my question is, can anyone explain why I'm not loosing my login and how > it is being managed that it stays after my session is gone. Maybe I > should use another method such as SQL to manage my session information? Sessions can be lost for a variety of reasons. You obviously want to minimize their use and try not to depend on things being there for long periods of time. If you absolutely need to store user info on the server for long periods of time, I think a DB is going to be the best way to go. Ah, thank you.
I tested cookies a while back but never implimented them because I was loosing the cookie at the same time the session would expire. I know that dosn't make much sense, maybe it is some configuration with my browser. If didn't persue it because of that and I was afraid that many people would have they're cookies disabled. Have you seen simular results with cookies and any idea what percentage of browsers have cookies disabled any more? In this particular site, I could indicate to users that they need to have cookies enabled to use. Hmmmm... Now that I think about it, the login controls have the "Remember Me Next Time" option that never seems to work for me but others have indicated that it works fine for them. Do I just have something set to expire cookies really fast? I'll investigate on my end but would happly take any further advice. Thanks! Show quote "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in message news:Ob3$CodMIHA.3940@TK2MSFTNGP05.phx.gbl... > > "Bishop" <nospam@nospam.com> wrote in message > news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl... >> A new application I built uses the ASP.NET 2005 Login Controls. What I >> noticed is that when I loose my session, I'm still logged in. I don't >> know much about the login controls but assumed they were session based >> and would vanish with my session. >> >> So my question is, can anyone explain why I'm not loosing my login and >> how it is being managed that it stays after my session is gone. Maybe I >> should use another method such as SQL to manage my session information? > > > asp.net membership is cookie-based, not session-based. > > Sessions can be lost for a variety of reasons. You obviously want to > minimize their use and try not to depend on things being there for long > periods of time. If you absolutely need to store user info on the server > for long periods of time, I think a DB is going to be the best way to go. To be honest with you, I've never really looked into "cookie-less"
authentication. I think the asp.net membership might auto-detect if cookies are disabled and automatically switch to url-rewriting. I'm not certain on that, though. I believe (and you might want to double-check me on this) that most browsers support two types of cookies these days. A "session" cookie (not sure if that's the correct term) is generally permitted under default security settings. These cookies "expire" when the browser is closed (if not sooner) and are generally considered harmless. The "persistent" cookies (those that persist even after the browser is closed) are the potentially dangerous ones and those are the ones browsers tend to block. So the "authentication" cookie is a "session" cookie ("session" on the client, not the server) while the "Remember Me" cookie is "persistent". The default expiration on the authentication cookie is 20 minutes, which just happens to coincide with the the default timeout on server sessions. This is coincidence, they are not related. You can increase the timeout on the authentication cookie to whatever you want, or set it to "never expire" in which case it will go away when the browser is closed. Show quote "Bishop" <nospam@nospam.com> wrote in message news:OeaeP2dMIHA.3852@TK2MSFTNGP06.phx.gbl... > Ah, thank you. > > I tested cookies a while back but never implimented them because I was > loosing the cookie at the same time the session would expire. I know that > dosn't make much sense, maybe it is some configuration with my browser. > If didn't persue it because of that and I was afraid that many people > would have they're cookies disabled. > > Have you seen simular results with cookies and any idea what percentage of > browsers have cookies disabled any more? In this particular site, I could > indicate to users that they need to have cookies enabled to use. > > Hmmmm... Now that I think about it, the login controls have the "Remember > Me Next Time" option that never seems to work for me but others have > indicated that it works fine for them. Do I just have something set to > expire cookies really fast? I'll investigate on my end but would happly > take any further advice. > > Thanks! > > "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in > message news:Ob3$CodMIHA.3940@TK2MSFTNGP05.phx.gbl... >> >> "Bishop" <nospam@nospam.com> wrote in message >> news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl... >>> A new application I built uses the ASP.NET 2005 Login Controls. What I >>> noticed is that when I loose my session, I'm still logged in. I don't >>> know much about the login controls but assumed they were session based >>> and would vanish with my session. >>> >>> So my question is, can anyone explain why I'm not loosing my login and >>> how it is being managed that it stays after my session is gone. Maybe I >>> should use another method such as SQL to manage my session information? >> >> >> asp.net membership is cookie-based, not session-based. >> >> Sessions can be lost for a variety of reasons. You obviously want to >> minimize their use and try not to depend on things being there for long >> periods of time. If you absolutely need to store user info on the server >> for long periods of time, I think a DB is going to be the best way to go. > > That's some really good information, I will read further about all this.
Thank you very much! Show quote "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in message news:e96%234lfMIHA.3516@TK2MSFTNGP02.phx.gbl... > To be honest with you, I've never really looked into "cookie-less" > authentication. I think the asp.net membership might auto-detect if > cookies are disabled and automatically switch to url-rewriting. I'm not > certain on that, though. > > I believe (and you might want to double-check me on this) that most > browsers support two types of cookies these days. A "session" cookie (not > sure if that's the correct term) is generally permitted under default > security settings. These cookies "expire" when the browser is closed (if > not sooner) and are generally considered harmless. The "persistent" > cookies (those that persist even after the browser is closed) are the > potentially dangerous ones and those are the ones browsers tend to block. > > So the "authentication" cookie is a "session" cookie ("session" on the > client, not the server) while the "Remember Me" cookie is "persistent". > The default expiration on the authentication cookie is 20 minutes, which > just happens to coincide with the the default timeout on server sessions. > This is coincidence, they are not related. You can increase the timeout on > the authentication cookie to whatever you want, or set it to "never > expire" in which case it will go away when the browser is closed. > > > > "Bishop" <nospam@nospam.com> wrote in message > news:OeaeP2dMIHA.3852@TK2MSFTNGP06.phx.gbl... >> Ah, thank you. >> >> I tested cookies a while back but never implimented them because I was >> loosing the cookie at the same time the session would expire. I know >> that dosn't make much sense, maybe it is some configuration with my >> browser. If didn't persue it because of that and I was afraid that many >> people would have they're cookies disabled. >> >> Have you seen simular results with cookies and any idea what percentage >> of browsers have cookies disabled any more? In this particular site, I >> could indicate to users that they need to have cookies enabled to use. >> >> Hmmmm... Now that I think about it, the login controls have the >> "Remember Me Next Time" option that never seems to work for me but others >> have indicated that it works fine for them. Do I just have something set >> to expire cookies really fast? I'll investigate on my end but would >> happly take any further advice. >> >> Thanks! >> >> "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in >> message news:Ob3$CodMIHA.3940@TK2MSFTNGP05.phx.gbl... >>> >>> "Bishop" <nospam@nospam.com> wrote in message >>> news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl... >>>> A new application I built uses the ASP.NET 2005 Login Controls. What I >>>> noticed is that when I loose my session, I'm still logged in. I don't >>>> know much about the login controls but assumed they were session based >>>> and would vanish with my session. >>>> >>>> So my question is, can anyone explain why I'm not loosing my login and >>>> how it is being managed that it stays after my session is gone. Maybe >>>> I should use another method such as SQL to manage my session >>>> information? >>> >>> >>> asp.net membership is cookie-based, not session-based. >>> >>> Sessions can be lost for a variety of reasons. You obviously want to >>> minimize their use and try not to depend on things being there for long >>> periods of time. If you absolutely need to store user info on the server >>> for long periods of time, I think a DB is going to be the best way to >>> go. >> >> >  |
|||||||||||||||||||||||
Other interesting topics