bruce barker said:
FormsAuthentication and Session are not related. you can run one without
the
other and they perform different functions.
FormsAuthentication stores a security token in a cookie, and sets it for a
onetime browser session (the browser decides when to expire it).
But is there a way to query those who were authenticated. I assume the
expiration is set by the timeout value in the web.config file.
Session Managers store session data somewhere and store a key in a cookie.
every page hit the cookie expire is updated. if you use the inproc session
manager, it times out the session and releases the session data. in some
cases the session manager may expire the data before the browser expires
the
cookie.
Does this include postbacks?
as web sites are stateless, it hard to detect who is logged in or not.
some
problems you will run into trying to track logins:
1) user navigates from site or closes browser - the server does not know
this, you have to write client code to try to detect and inform the
server.
2) if the user creates a new browser window thru the file new window - it
gets the same cookie, so the server does not know two browser are talking
to
it.
This is one of the problems I found with Mozilla (Netscape also, I assume).
If I log on using FormsAuthentication, and open a new window (before I close
the first one), I am now in both browsers. Very dangerous if you are trying
to track and control data access.
IE, doesn't do this. A new Browser has to log on again, even if there is
already one open.
3) due to nat firewall translation, the ipaddress of the client may change
between page requests.
4) an asp.net recycle clears data stored in Application and inproc
sessions
I need to find out some way to track who is still around as we have a system
that is set up on the concept of seats. Very difficult to handle if you
don't know who is there (or is potentially there - as you say they could
have closed their browser or left the site). If we allow 10 people access
to certain areas of our site at one time, we need to know who is there.
I know you can't know if someone leaves the site or just leaves turns their
browser off. But if you have a timeout of 20 minutes, there should be some
way of know who has been logged on in the last 20 minutes. I was hoping
there was a way to see if a person was their by their sessions and if their
sessions had expired, they are not there anymore.
Tom