Session Issue

[Li Pang]

Hi,

I created a html page from which I give a link to another web site. The new
site is opened in a new window. When I opened multiple windows, they all have
the same SessionID. I want ot know how to open the windows with different
sessionID.

Thanks

 

[Bob Barrows [MVP]]

Hi,

I created a html page from which I give a link to another web site.
The new site is opened in a new window. When I opened multiple
windows, they all have the same SessionID. I want ot know how to open
the windows with different sessionID.

Thanks

Put a Session.Abandon statement in the page opened in the new window.

Bob Barrows

 

[Li Pang]

Thanks Bob,

It works when I added Session.Abandon in the called page. Should I add it
into Global.asa in the Session_OnStart function?

 

[Bob Barrows [MVP]]

No, that will have no effect on the situation you are working with. The
session has already started ...

 

[Li Pang]

Hi Bob,

You said that “The session has already startedâ€. Is it still true if the
calling page and the called page are located at the different servers?

How the session really works?
If the calling page A calls the called page B then the session of page B
started (from the server B).
If the calling page A calls second time the page B, how the asp or iis knows
that the session has been already started?

Is the session of page B depends on the parent page A?
Is that possible to use the javascript function “window.open†enforcing to
open a new sessions?

Thanks in advance

 

[Bob Barrows [MVP]]

Hi Bob,

You said that "The session has already started". Is it still true if
the calling page and the called page are located at the different
servers?

If they are on different servers, then, by definition, they cannot have the
same session.
There is no point in abandoning a session in Session_OnStart because that
event only fires when a session is starting.

How the session really works?
If the calling page A calls the called page B then the session of
page B started (from the server B).

Correct. A new session starts on server B

If the calling page A calls second time the page B, how the asp or
iis knows that the session has been already started?

Because the server B session cookie still exists on the user's machine.

Is the session of page B depends on the parent page A?

No. the session depends on a session cookie written to the user's machine by
server B.
The session cookies remain until all browser windows are closed

Is that possible to use the javascript function "window.open"
enforcing to open a new sessions?

Only by issuing a Session.Abandon call in the server-side code of the page
being called.

You could have a SessionAbandon.asp page to which you pass a querystring
argument to control a Response.Redirect statement which is executed after
the session is abandoned ...

Bob Barrows

 

[Li Pang]

Bob,

I have still an issue of session variables.

I have a web site that allows users access with different profiles
(different sets of session variables). When users start a new browser, each
login has its own set of session variables. There is an option that a user
can open multiple windows with different user’s profile (administrators), and
when the multiple windows are opened by a new browser separately, every thing
works well (i.e., no interaction between the sessions).

Now, there is an issue of session variables when users open multiple windows
from a parent page (providing a link to above web site), i.e., when open a
window with profile A, it’s OK, but when open another window with profile B,
all session variables within profile A are replaced by those of profile B.
And if a third window is opened with profile C, then all session variables in
profile A and B are replaced by those in profile C.

I put the statement “Session.Abandon†at the beginning of first page of the
web site, that changes the session ID after every login, but the interaction
between different sessions still happens.

Any ideal on that?

I appreciate your support.

 

[Li Pang]

Bob,

I give you my testing codes as below.
To reproduce the problem, do the following:
1. start test.asp, and click on Development
2. it pops up a new window. In the Login field, it shows “lpang†then click
“Submitâ€
3. Apphome.asp page shows the user id
4. click on Development link on test.asp page again
5. it pops up another window. In Login field replace “lpang†by “Bob†and
click on “Submitâ€
6. the page shows Bob as user id, now click on “refreshâ€
7. The page shows “Bob†as user id
8. Go to first page click “refreshâ€, it shows “Bob†as well (“lpang†is
overwritten)

test.asp
<html>
<head>
<meta NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</head>

<BODY>
<TABLE WIDTH="100%" HEIGHT="100%">
<TR>
<TD><a target="_blank" href="../TestApp/app.asp">Development</a>
</TD>
</TR>
</TABLE>
</BODY>
</html>

App.asp
<%
Session.Abandon
%>
<html>
<head>
<meta NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</head>

<BODY>
<form name="form1" name=form1 action=Apphome.asp method=POST>

<table valign="center" ALIGN="center" BORDER="0" CELLSPACING="2"
CELLPADDING="2">
<tr>
<th style='color=black' colspan="3">Login</th>

</tr>
<tr>
<td align="right">Login:</td>
<td><input type="text" name="login" class="ipText" size="20"
value="lpang"></td>
</tr>
<tr>
<td></td>
<td align="center"><a href="javascript:form1.submit();">Submit</a></td>
</tr>
</table>
</form>
</BODY>
</html>

Apphome.asp
<%
'Session.Abandon
session("uid") = request.form("login")
%>
<html>
<head>
<meta NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</head>

<BODY>
<form name="form1" name=form1 action=Apphome.asp method=POST>

<table valign="center" ALIGN="center" BORDER="0" CELLSPACING="2"
CELLPADDING="2">
<tr>
<th style='color=black' colspan="3">Home</th>

</tr>
<tr>
<td>user id: </td>
<td><B><%=session("uid")%></B></td>
</tr>
<tr>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td align="center"><INPUT name=showinfo type=button value="Show
User"style="HEIGHT: 24px; WIDTH: 75px; cursor:hand"
onclick="alert('<%=session("uid")%>');"></td>
</tr>
<TR>
<TD align="center"><a href="App2.asp">refresh</a></TD>
</TR>
</table>
</form>
</BODY>
</html>

App2.asp
<%
'Session.Abandon
'session("uid") = "XXX"
%>
<html>
<head>
<meta NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</head>

<BODY>
<form name="form1" name=form1 action=App2.asp method=POST>

<table valign="center" ALIGN="center" BORDER="0" CELLSPACING="2"
CELLPADDING="2">
<tr>
<th style='color=black' colspan="3">Home</th>

</tr>
<tr>
<td>user id: </td>
<td><B><%=session("uid")%></B></td>
</tr>
<tr>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td align="center"><INPUT name=showinfo type=button value="Show User"
style="HEIGHT: 24px; WIDTH: 75px; cursor:hand"
onclick="alert('<%=session("uid")%>');"></td>
</tr>
</table>
</form>
</BODY>
</html>

 

[Bob Barrows [MVP]]

The page in which you issue Session.Abandon must immediately redirect to
another page. The Session is not destroyed until the page in which the
statement is issued finishes processing.

 

[Li Pang]

Bob,

In reality, I don't want to kill any sessions. My concern is to keep every
set of session within its own window. There is an issue of session shared
within multiple windows. My filling is that the server checks the IE instance
or id of client, as long as the same parameter found, it uses the same set of
session. I can't find the reason that IE does that.

 

[Bob Barrows [MVP]]

I think I am beginning to understand.
I may be wrong, but I don't think it is possible for multiple sessions to be
spawned for the same application from a single web server on a single client
machine. This would probably be a security breach, enabling sessions to be
hijacked.

You should check with the experts over at .inetserver.iis, but I think you
will need to find another way to maintain your session state for your
applications.