| Groups | Blog | Home |
dotnet framework : Session Times Out but still logged in with login control?
I can't pass across the address line. I've done everything I can find to extend the sessions as long as possible but eventually the session will time out. I didn't want to use SQL to hold my session information as this is a single server enviroment with plenty of memory and I don't want to slow my application down by waiting on SQL or have an additional dependency. A new application I built uses the ASP.NET 2005 Login Controls. What I noticed is that when I loose my session, I'm still logged in. I don't know much about the login controls but assumed they were session based and would vanish with my session. So my question is, can anyone explain why I'm not loosing my login and how it is being managed that it stays after my session is gone. Maybe I should use another method such as SQL to manage my session information? Thanks for any advice!
[quoted text, click to view] "Bishop" <nospam@nospam.com> wrote in message news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl... > A new application I built uses the ASP.NET 2005 Login Controls. What I > noticed is that when I loose my session, I'm still logged in. I don't > know much about the login controls but assumed they were session based and > would vanish with my session. > > So my question is, can anyone explain why I'm not loosing my login and how > it is being managed that it stays after my session is gone. Maybe I > should use another method such as SQL to manage my session information? asp.net membership is cookie-based, not session-based. Sessions can be lost for a variety of reasons. You obviously want to minimize their use and try not to depend on things being there for long periods of time. If you absolutely need to store user info on the server for long periods of time, I think a DB is going to be the best way to go.
Ah, thank you.
I tested cookies a while back but never implimented them because I was loosing the cookie at the same time the session would expire. I know that dosn't make much sense, maybe it is some configuration with my browser. If didn't persue it because of that and I was afraid that many people would have they're cookies disabled. Have you seen simular results with cookies and any idea what percentage of browsers have cookies disabled any more? In this particular site, I could indicate to users that they need to have cookies enabled to use. Hmmmm... Now that I think about it, the login controls have the "Remember Me Next Time" option that never seems to work for me but others have indicated that it works fine for them. Do I just have something set to expire cookies really fast? I'll investigate on my end but would happly take any further advice. Thanks! "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in message news:Ob3$CodMIHA.3940@TK2MSFTNGP05.phx.gbl... [quoted text, click to view] > > "Bishop" <nospam@nospam.com> wrote in message > news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl... >> A new application I built uses the ASP.NET 2005 Login Controls. What I >> noticed is that when I loose my session, I'm still logged in. I don't >> know much about the login controls but assumed they were session based >> and would vanish with my session. >> >> So my question is, can anyone explain why I'm not loosing my login and >> how it is being managed that it stays after my session is gone. Maybe I >> should use another method such as SQL to manage my session information? > > > asp.net membership is cookie-based, not session-based. > > Sessions can be lost for a variety of reasons. You obviously want to > minimize their use and try not to depend on things being there for long > periods of time. If you absolutely need to store user info on the server > for long periods of time, I think a DB is going to be the best way to go.
To be honest with you, I've never really looked into "cookie-less"
authentication. I think the asp.net membership might auto-detect if cookies are disabled and automatically switch to url-rewriting. I'm not certain on that, though. I believe (and you might want to double-check me on this) that most browsers support two types of cookies these days. A "session" cookie (not sure if that's the correct term) is generally permitted under default security settings. These cookies "expire" when the browser is closed (if not sooner) and are generally considered harmless. The "persistent" cookies (those that persist even after the browser is closed) are the potentially dangerous ones and those are the ones browsers tend to block. So the "authentication" cookie is a "session" cookie ("session" on the client, not the server) while the "Remember Me" cookie is "persistent". The default expiration on the authentication cookie is 20 minutes, which just happens to coincide with the the default timeout on server sessions. This is coincidence, they are not related. You can increase the timeout on the authentication cookie to whatever you want, or set it to "never expire" in which case it will go away when the browser is closed. [quoted text, click to view] "Bishop" <nospam@nospam.com> wrote in message
news:OeaeP2dMIHA.3852@TK2MSFTNGP06.phx.gbl... > Ah, thank you. > > I tested cookies a while back but never implimented them because I was > loosing the cookie at the same time the session would expire. I know that > dosn't make much sense, maybe it is some configuration with my browser. > If didn't persue it because of that and I was afraid that many people > would have they're cookies disabled. > > Have you seen simular results with cookies and any idea what percentage of > browsers have cookies disabled any more? In this particular site, I could > indicate to users that they need to have cookies enabled to use. > > Hmmmm... Now that I think about it, the login controls have the "Remember > Me Next Time" option that never seems to work for me but others have > indicated that it works fine for them. Do I just have something set to > expire cookies really fast? I'll investigate on my end but would happly > take any further advice. > > Thanks! > > "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in > message news:Ob3$CodMIHA.3940@TK2MSFTNGP05.phx.gbl... >> >> "Bishop" <nospam@nospam.com> wrote in message >> news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl... >>> A new application I built uses the ASP.NET 2005 Login Controls. What I >>> noticed is that when I loose my session, I'm still logged in. I don't >>> know much about the login controls but assumed they were session based >>> and would vanish with my session. >>> >>> So my question is, can anyone explain why I'm not loosing my login and >>> how it is being managed that it stays after my session is gone. Maybe I >>> should use another method such as SQL to manage my session information? >> >> >> asp.net membership is cookie-based, not session-based. >> >> Sessions can be lost for a variety of reasons. You obviously want to >> minimize their use and try not to depend on things being there for long >> periods of time. If you absolutely need to store user info on the server >> for long periods of time, I think a DB is going to be the best way to go. > >
That's some really good information, I will read further about all this.
Thank you very much! "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in message news:e96%234lfMIHA.3516@TK2MSFTNGP02.phx.gbl... [quoted text, click to view] > To be honest with you, I've never really looked into "cookie-less" > authentication. I think the asp.net membership might auto-detect if > cookies are disabled and automatically switch to url-rewriting. I'm not > certain on that, though. > > I believe (and you might want to double-check me on this) that most > browsers support two types of cookies these days. A "session" cookie (not > sure if that's the correct term) is generally permitted under default > security settings. These cookies "expire" when the browser is closed (if > not sooner) and are generally considered harmless. The "persistent" > cookies (those that persist even after the browser is closed) are the > potentially dangerous ones and those are the ones browsers tend to block. > > So the "authentication" cookie is a "session" cookie ("session" on the > client, not the server) while the "Remember Me" cookie is "persistent". > The default expiration on the authentication cookie is 20 minutes, which > just happens to coincide with the the default timeout on server sessions. > This is coincidence, they are not related. You can increase the timeout on > the authentication cookie to whatever you want, or set it to "never > expire" in which case it will go away when the browser is closed. > > > > "Bishop" <nospam@nospam.com> wrote in message > news:OeaeP2dMIHA.3852@TK2MSFTNGP06.phx.gbl... >> Ah, thank you. >> >> I tested cookies a while back but never implimented them because I was >> loosing the cookie at the same time the session would expire. I know >> that dosn't make much sense, maybe it is some configuration with my >> browser. If didn't persue it because of that and I was afraid that many >> people would have they're cookies disabled. >> >> Have you seen simular results with cookies and any idea what percentage >> of browsers have cookies disabled any more? In this particular site, I >> could indicate to users that they need to have cookies enabled to use. >> >> Hmmmm... Now that I think about it, the login controls have the >> "Remember Me Next Time" option that never seems to work for me but others >> have indicated that it works fine for them. Do I just have something set >> to expire cookies really fast? I'll investigate on my end but would >> happly take any further advice. >> >> Thanks! >> >> "Scott Roberts" <sroberts@no.spam.here-webworks-software.com> wrote in >> message news:Ob3$CodMIHA.3940@TK2MSFTNGP05.phx.gbl... >>> >>> "Bishop" <nospam@nospam.com> wrote in message >>> news:e6erFIdMIHA.2140@TK2MSFTNGP03.phx.gbl... >>>> A new application I built uses the ASP.NET 2005 Login Controls. What I >>>> noticed is that when I loose my session, I'm still logged in. I don't >>>> know much about the login controls but assumed they were session based >>>> and would vanish with my session. >>>> >>>> So my question is, can anyone explain why I'm not loosing my login and >>>> how it is being managed that it stays after my session is gone. Maybe >>>> I should use another method such as SQL to manage my session >>>> information? >>> >>> >>> asp.net membership is cookie-based, not session-based. >>> >>> Sessions can be lost for a variety of reasons. You obviously want to >>> minimize their use and try not to depend on things being there for long >>> periods of time. If you absolutely need to store user info on the server >>> for long periods of time, I think a DB is going to be the best way to >>> go. >> >> >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |