Is Session Always Cleared?

Discussion in 'ASP .Net' started by Jonathan Wood, Sep 25, 2008.

  1. Greetings,

    I was wondering if anyone here has a good understanding of the Session
    object. I know there are options like the Session.Abandon method and the
    regenerateExpiredSessionId setting, although I do not understand what they
    do.

    Can anyone tell me if it's possible for a recycled session to still contain
    the old data? I had a couple of reports where users said they logged on
    and saw another user's data. On this site, there were a couple of cases
    where I used the Session object to track information about the current user.

    Thanks for any tips or links.

    Jonathan
    Jonathan Wood, Sep 25, 2008
    #1

  2. Jonathan Wood wrote:
    > Greetings,
    >
    > I was wondering if anyone here has a good understanding of the Session
    > object. I know there are options like the Session.Abandon method and the
    > regenerateExpiredSessionId setting, although I do not understand what
    > they do.
    >
    > Can anyone tell me if it's possible for a recycled session to still
    > contain the old data? I had a couple of reports where users said
    > they logged on and saw another user's data. On this site, there were a
    > couple of cases where I used the Session object to track information
    > about the current user.
    >
    > Thanks for any tips or links.
    >
    > Jonathan
    >


    The session id is stored in a cookie in the browser, and is matched
    against the existing Session objects on the server.

    If a Session object has timed out, it's gone forever. If an expired
    session id is reused, a new empty Session object is created for it.

    A session id could possibly be spoofed, but that is hardly what your
    users are doing, so the Session objects are most likely not the reason
    why some user could see some other user's data.

    Are you using any static variables in your application?

    --
    Göran Andersson
    _____
    http://www.guffa.com
    Göran Andersson, Sep 25, 2008
    #2

  3. "Göran Andersson" <> wrote in message
    news:%...

    > The session id is stored in a cookie in the browser, and is matched
    > against the existing Session objects on the server.
    >
    > If a Session object has timed out, it's gone forever. If an expired
    > session id is reused, a new empty Session object is created for it.
    >
    > A session id could possibly be spoofed, but that is hardly what your users
    > are doing, so the Session objects are most likely not the reason why some
    > user could see some other user's data.


    Yeah, no one is trying to hack the site. So, as far as you are concerned,
    one session would never see the Session data used by another user?

    > Are you using any static variables in your application?


    No, I store any persisting data in the Session object or the database. It's
    the first big site I created (although I've been programming for many, many
    years). I'm now prepared to review my code in detail but, to be honest, I
    really have no idea what this could be.

    Note that, normally, the site works exactly as expected.

    Thanks.

    Jonathan
    Jonathan Wood, Sep 25, 2008
    #3
  4. Your problem is not session. It is more likely you have a cache issue, a
    singleton, static variables or the users are using the same computer.
    Perhaps you have something stored in application, or you have tried some
    form of global object. The session, used as a place to hang session data, is
    not a problem.

    --
    Gregory A. Beamer
    MVP, MCP: +I, SE, SD, DBA

    Subscribe to my blog
    http://feeds.feedburner.com/GregoryBeamer#

    or just read it:
    http://feeds.feedburner.com/GregoryBeamer

    ********************************************
    | Think outside the box! |
    ********************************************
    "Jonathan Wood" <> wrote in message
    news:...
    > Greetings,
    >
    > I was wondering if anyone here has a good understanding of the Session
    > object. I know there are options like the Session.Abandon method and the
    > regenerateExpiredSessionId setting, although I do not understand what they
    > do.
    >
    > Can anyone tell me if it's possible for a recycled session to still
    > contain the old data? I had a couple of reports where users said they
    > logged on and saw another user's data. On this site, there were a couple
    > of cases where I used the Session object to track information about the
    > current user.
    >
    > Thanks for any tips or links.
    >
    > Jonathan
    >
    Cowboy (Gregory A. Beamer), Sep 25, 2008
    #4
  5. Thanks for the additional vote of confidence on Session.

    There is a slight possibility that at least one of the users did log on as
    other users. I will quiz them on if they might have logged on as the users
    whose data they saw when they logged on as themselves.

    I don't know that's the issue but I'll explore it. Is there a straightforward
    way to allow multiple users to log on from the same computer?

    Jonathan

    "Cowboy (Gregory A. Beamer)" <> wrote in
    message news:%...
    > Your problem is not session. It is more likely you have a cache issue, a
    > singleton, static variables or the users are using the same computer.
    > Perhaps you have something stored in application, or you have tried some
    > form of global object. The session, used as a place to hang session data,
    > is not a problem.
    >
    > --
    > Gregory A. Beamer
    > MVP, MCP: +I, SE, SD, DBA
    >
    > Subscribe to my blog
    > http://feeds.feedburner.com/GregoryBeamer#
    >
    > or just read it:
    > http://feeds.feedburner.com/GregoryBeamer
    >
    > ********************************************
    > | Think outside the box! |
    > ********************************************
    > "Jonathan Wood" <> wrote in message
    > news:...
    >> Greetings,
    >>
    >> I was wondering if anyone here has a good understanding of the Session
    >> object. I know there are options like the Session.Abandon method and the
    >> regenerateExpiredSessionId setting, although I do not understand what
    >> they do.
    >>
    >> Can anyone tell me if it's possible for a recycled session to still
    >> contain the old data? I had a couple of reports where users said
    >> they logged on and saw another user's data. On this site, there were a
    >> couple of cases where I used the Session object to track information
    >> about the current user.
    >>
    >> Thanks for any tips or links.
    >>
    >> Jonathan
    >>

    >
    Jonathan Wood, Sep 25, 2008
    #5
  6.
    Jonathan Wood explained:
    > Thanks for the additional vote of confidence on Session.
    >
    > There is a slight possibility that at least one of the users did log on as
    > other users. I will quiz them on if they might have logged on as the users
    > whose data they saw when they logged on as themselves.
    >
    > I don't know that's the issue but I'll explore it. Is there a straightforward
    > way to allow multiple users to log on from the same computer?
    >
    > Jonathan
    >


    What exactly do you mean by "multiple users logging in from the same
    computer"?

    If there is just one user at a time then there shouldn't be a problem.
    If the first user closes his browser after he is finished, the session
    cookie is forgotten. A new browser instance will use a new session.
    When the first user logs out, you can destroy the session server side
    (Session.Abandon).

    However, two users at *the same time* from the same computer could lead
    to problems. The various browser windows could use the same cookie set.
    So when a second user opens a new window, he could be automatically
    using the session of the first user.

    I think that Firefox uses the same cookie set for all its windows. For
    IE it depends on how the new window is started.

    Hans Kesting
    Hans Kesting, Sep 25, 2008
    #6
  7. Hans,

    > What exactly do you mean by "multiple users logging in from the same
    > computer"?


    I'm sorry. It's hard to know how to better state it than that. Unless you
    clarify which part is unclear.

    > If there is just one user at a time then there shouldn't be a problem.
    > If the first user closes his browser after he is finished, the session
    > cookie is forgotten. A new browser instance will use a new session.
    > When the first user logs out, you can destroy the session server side
    > (Session.Abandon).


    Well, I don't know if it's a given that the browser was closed in between.
    But even if it was, the cookie could remain after the browser is closed.
    However, what if any data remains from that cookie is something I don't
    know.

    > However, two users at *the same time* from the same computer could lead to
    > problems. The various browser windows could use the same cookie set. So
    > when a second user opens a new window, he could be automatically using the
    > session of the first user.


    No, I'm not considering the possibility that multiple users were logging on
    to the site on the same computer at the same time.

    > I think that Firefox uses the same cookie set for all its windows. For IE
    > it depends on how the new window is started.


    In fact, the case where I have the most information about the problem (which
    isn't much) is specifically on FireFox. But I still don't see how this could
    be an issue.

    Thanks.

    Jonathan
    Jonathan Wood, Sep 25, 2008
    #7
  8.
    On 25-9-2008, Jonathan Wood supposed:
    > Hans,
    >
    >> What exactly do you mean by "multiple users logging in from the same
    >> computer"?

    >
    > I'm sorry. It's hard to know how to better state it than that. Unless you
    > clarify which part is unclear.
    >


    I gave some possibilities below

    >> If there is just one user at a time then there shouldn't be a problem.
    >> If the first user closes his browser after he is finished, the session
    >> cookie is forgotten. A new browser instance will use a new session.
    >> When the first user logs out, you can destroy the session server side
    >> (Session.Abandon).

    >
    > Well, I don't know if it's a given that the browser was closed in between.
    > But even if it was, the cookie could remain after the browser is closed.
    > However, what if any data remains from that cookie is something I don't know.
    >


    The session cookie has no expiry-date so the browser treats it as a
    temporary cookie. It does not get stored and disappears as soon as the
    browser is closed.

    >> However, two users at *the same time* from the same computer could lead to
    >> problems. The various browser windows could use the same cookie set. So
    >> when a second user opens a new window, he could be automatically using the
    >> session of the first user.

    >
    > No, I'm not considering the possibility that multiple users were logging on
    > to the site on the same computer at the same time.
    >
    >> I think that Firefox uses the same cookie set for all its windows. For IE
    >> it depends on how the new window is started.

    >
    > In fact, the case where I have the most information about the problem (which
    > isn't much) is specifically on FireFox. But I still don't see how this could
    > be an issue.
    >


    A guess: the first user did not log out and did not close his browser
    window, but minimised it. The second user thought he started a fresh
    instance of the browser but got a new window of the first instance,
    with the session cookie (and thus the session) of the first user.

    > Thanks.
    >
    > Jonathan
    Hans Kesting, Sep 25, 2008
    #8
  9. Hans,

    > The session cookie has no expiry-date so the browser treats it as a
    > temporary cookie. It does not get stored and disappears as soon as the
    > browser is closed.


    So what do you know about what happens if the browser is not closed? If the
    user enters their username and password, can you think of any way they'd
    still see data from the previous login?

    > A guess: the first user did not log out and did not close his browser
    > window, but minimised it. The second user thought he started a fresh
    > instance of the browser but got a new window of the first instance, with
    > the session cookie (and thus the session) of the first user.


    But it seems quite certain that the second user (actually, it's one person
    but I'll leave the details out) logged in using the Login control. Can you
    think of any way that could happen without resetting the session?

    Thanks.

    Jonathan
    Jonathan Wood, Sep 25, 2008
    #9
  10. What normally happens in these scenarios is user 2 (or user 1 logging in as
    user 2) spawns a second browser instance using File >> N (or control + N).
    This puts the second instance in the process space for the first instance.
    They then use the site under that context and switch back to context 1. Or
    user 1 comes back and instance 1 is still open.

    You see it a lot in testing and have to train testers to open a new browser
    instance from the start menu. This is especially true in "manager testing".

    In these cases, you are grabbing the same session.

    --
    Gregory A. Beamer
    MVP, MCP: +I, SE, SD, DBA

    Subscribe to my blog
    http://feeds.feedburner.com/GregoryBeamer#

    or just read it:
    http://feeds.feedburner.com/GregoryBeamer

    ********************************************
    | Think outside the box! |
    ********************************************
    "Hans Kesting" <> wrote in message
    news:...
    > Jonathan Wood explained:
    >> Thanks for the additional vote of confidence on Session.
    >>
    >> There is a slight possibility that at least one of the users did log on
    >> as other users. I will quiz them on if they might have logged on as the
    >> users whose data they saw when they logged on as themselves.
    >>
    >> I don't know that's the issue but I'll explore it. Is there a straightforward
    >> way to allow multiple users to log on from the same computer?
    >>
    >> Jonathan
    >>

    >
    > What exactly do you mean by "multiple users logging in from the same
    > computer"?
    >
    > If there is just one user at a time then there shouldn't be a problem.
    > If the first user closes his browser after he is finished, the session
    > cookie is forgotten. A new browser instance will use a new session.
    > When the first user logs out, you can destroy the session server side
    > (Session.Abandon).
    >
    > However, two users at *the same time* from the same computer could lead to
    > problems. The various browser windows could use the same cookie set. So
    > when a second user opens a new window, he could be automatically using the
    > session of the first user.
    >
    > I think that Firefox uses the same cookie set for all its windows. For IE
    > it depends on how the new window is started.
    >
    > Hans Kesting
    >
    >
    Cowboy (Gregory A. Beamer), Sep 26, 2008
    #10
  11. Open a browser instance. Log in.

    Type Control + N. Log in in the second browser instance. As both are held in
    the same process space, the second browser affects what goes on in the first
    browser instance. Try it yourself.

    There are a few ways to circumvent this, like forcing a session abandon when
    the login page is hit, warning on log in (may have to be generic), but the
    best way is called User Education.

    If the user has to run as two people at one time (a manager testing your
    work, for example), tell them to start both browser instances this way:

    Start >> Internet Explorer

    Then each holds its own process space and they will not share session. They
    can also use this method:

    Start >> Internet Explorer
    Start >> Firefox
    Start >> Opera
    Start >> Safari

    and test four users at once.

    Now that I know the issue, I am very familiar with it. And unless the user
    logs out every time and forces session.abandon, it will continue to happen.

    If this is your type of user, I would also disable the back button. The
    easiest way is to use JavaScript to go forward one page in history. Then
    back takes them back to the current page. There are other tricks to do this.

    --
    Gregory A. Beamer
    MVP, MCP: +I, SE, SD, DBA

    Subscribe to my blog
    http://feeds.feedburner.com/GregoryBeamer#

    or just read it:
    http://feeds.feedburner.com/GregoryBeamer

    ********************************************
    | Think outside the box! |
    ********************************************
    "Jonathan Wood" <> wrote in message
    news:%...
    > Hans,
    >
    >> The session cookie has no expiry-date so the browser treats it as a
    >> temporary cookie. It does not get stored and disappears as soon as the
    >> browser is closed.

    >
    > So what do you know about what happens if the browser is not closed? If the
    > user enters their username and password, can you think of any way they'd
    > still see data from the previous login?
    >
    >> A guess: the first user did not log out and did not close his browser
    >> window, but minimised it. The second user thought he started a fresh
    >> instance of the browser but got a new window of the first instance, with
    >> the session cookie (and thus the session) of the first user.

    >
    > But it seems quite certain that the second user (actually, it's one person
    > but I'll leave the details out) logged in using the Login control. Can you
    > think of any way that could happen without resetting the session?
    >
    > Thanks.
    >
    > Jonathan
    >
    Cowboy (Gregory A. Beamer), Sep 26, 2008
    #11
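    The two server-side measures the thread touches on, an ASP.NET session id being nothing more than a cookie value matched against a server-side Session object (post #2) and forcing a session abandon when the login page is hit (post #11), can be combined into a guard that makes a shared browser window harmless. The following is an added example and is not code from any of the posters. It assumes an ASP.NET Web Forms site using forms authentication and the Login control; the class names, the control id `Login1`, the `__SessionOwner` key and the convention that per-user data is reloaded from the database are assumptions, while the `System.Web` types and the `SessionIDManager` methods are the real framework API. The `regenerateExpiredSessionId` setting from the first post is not used here because it only affects cookieless (URL-embedded) session ids.

```csharp
// Added example, not code from the thread. Two pieces of an ASP.NET Web Forms
// site using forms authentication: a guard in Global.asax that ties the
// Session to the authenticated identity, and a login code-behind that
// discards and re-keys the session at login. Type/control names are assumed.
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class SessionGuard
{
    public const string OwnerKey = "__SessionOwner";   // assumed key name

    // True when the identity the session was built for differs from the one
    // on the current request. Both null (anonymous visitor, unstamped
    // session) is not a mismatch; null versus a user (just logged in), or
    // user A versus user B (a second person logging in through a window that
    // shares the first person's cookie), is.
    public static bool OwnerMismatch(string sessionOwner, string currentUser)
    {
        return !string.Equals(sessionOwner, currentUser, StringComparison.OrdinalIgnoreCase);
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    // AcquireRequestState is the first pipeline event in which Session has been
    // loaded, so the check runs before any page code can read stale values.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return;   // handler that does not use session state

        string user = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name : null;
        string owner = ctx.Session[SessionGuard.OwnerKey] as string;

        if (SessionGuard.OwnerMismatch(owner, user))
        {
            // The session was built for someone else (or for nobody): empty it
            // rather than risk serving their data, then stamp it for this user.
            ctx.Session.Clear();
            if (user != null) ctx.Session[SessionGuard.OwnerKey] = user;
        }
    }
}

// Login.aspx.cs, with
// <asp:Login ID="Login1" OnLoggedIn="Login1_LoggedIn" runat="server" />
public partial class LoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reaching the login form ends whatever session this browser carried,
        // whether the previous person logged out or just minimised the window.
        // Clear() empties it now; Abandon() disposes it at the end of the request.
        if (!IsPostBack)
        {
            Session.Clear();
            Session.Abandon();
        }
    }

    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        // Issue a new session id so the authenticated session is not the one the
        // browser presented before the credentials were checked. By design,
        // nothing written to Session during this request survives the switch:
        // identity travels in the forms-authentication ticket, and per-user data
        // is reloaded from the database on later requests (assumed convention).
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);
    }
}
```

    The guard in `Application_AcquireRequestState` is what actually answers the thread's symptom: even if two people share one browser process and therefore one `ASP.NET_SessionId` cookie, the session contents are wiped the moment the authenticated identity on the request stops matching the identity the session was stamped with, so a login as user B can never surface data that was loaded for user A.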
  12. Heh, well "user education" is seldom an available option.

    After talking with the client, it seems unlikely that the data he
    inadvertently saw was not for an account that he had recently logged into.
    In fact, someone else reported the problem who does not have access to any
    other accounts.

    I'm officially completely baffled as to how this could ever happen.

    Thanks.

    --
    Jonathan Wood
    SoftCircuits Programming
    http://www.softcircuits.com


    "Cowboy (Gregory A. Beamer)" <> wrote in
    message news:u803CS%...
    > Open a browser instance. Log in.
    >
    > Type Control + N. Log in in the second browser instance. As both are held
    > in the same process space, the second browser affects what goes on in the
    > first browser instance. Try it yourself.
    >
    > There are a few ways to circumvent this, like forcing a session abandon
    > when the login page is hit, warning on log in (may have to be generic),
    > but the best way is called User Education.
    >
    > If the user has to run as two people at one time (a manager testing your
    > work, for example), tell them to start both browser instances this way:
    >
    > Start >> Internet Explorer
    >
    > Then each holds its own process space and they will not share session.
    > They can also use this method:
    >
    > Start >> Internet Explorer
    > Start >> Firefox
    > Start >> Opera
    > Start >> Safari
    >
    > and test four users at once.
    >
    > Now that I know the issue, I am very familiar with it. And unless the user
    > logs out every time and forces session.abandon, it will continue to
    > happen.
    >
    > If this is your type of user, I would also disable the back button. The
    > easiest way is to use JavaScript to go forward one page in history. Then
    > back takes them back to the current page. There are other tricks to do
    > this.
    >
    > --
    > Gregory A. Beamer
    > MVP, MCP: +I, SE, SD, DBA
    >
    > Subscribe to my blog
    > http://feeds.feedburner.com/GregoryBeamer#
    >
    > or just read it:
    > http://feeds.feedburner.com/GregoryBeamer
    >
    > ********************************************
    > | Think outside the box! |
    > ********************************************
    > "Jonathan Wood" <> wrote in message
    > news:%...
    >> Hans,
    >>
    >>> The session cookie has no expiry-date so the browser treats it as a
    >>> temporary cookie. It does not get stored and disappears as soon as the
    >>> browser is closed.

    >>
    >> So what do you know about what happens if the browser is not closed? If
    >> the user enters their username and password, can you think of any way
    >> they'd still see data from the previous login?
    >>
    >>> A guess: the first user did not log out and did not close his browser
    >>> window, but minimised it. The second user thought he started a fresh
    >>> instance of the browser but got a new window of the first instance, with
    >>> the session cookie (and thus the session) of the first user.

    >>
    >> But it seems quite certain that the second user (actually, it's one
    >> person but I'll leave the details out) logged in using the Login control.
    >> Can you think of any way that could happen without resetting the session?
    >>
    >> Thanks.
    >>
    >> Jonathan
    >>

    >
    Jonathan Wood, Sep 27, 2008
    #12