
Question on Session Variables

Status
Not open for further replies.

Fubear

IS-IT--Management
Sep 11, 2002
299
GB
I am trying to build a custom login form, and I have managed to get it working so far.

When the user logs in, the database is queried, and the relevant data is pulled out and inserted into two custom objects I created. The first contains all the user data, and the second contains other site wide settings, mainly customising the look and feel of the site.

I have stored these objects in session variables, and check them when each page first loads. Everything works fine like this.

I am not too sure on the security of session variables for holding this data, as I understand it HTML is a stateless protocol, so I would have thought these variables would be lost between pages. Are they stored client side? Can they be tampered with somehow? If they are on the server side, then how does the server know that the user has left the session, and thus destroy the variables?

I don't want clever users monkeying around with key values and other stuff, as that could potentially expose confidential information which would be VERY bad for us ;-)
 
Session variables are stored on the web server. There are also several places that you can set the timeout of your application (IIS, virtual directory, and application level I believe). Once the timeout of the session expires, then the Session_OnEnd sub in the Global.asax fires, and all objects associated with the session are flagged for deletion.

Since the session vars are on the web server, the clients don't have direct access to them; they just get straight HTML back, nothing more.

hth

D'Arcy
 
That's great, thanks.
Will the session variables remain in memory after the user has left the page until the timeout period is reached? I may have to set the timeout to something high, as I expect users will spend a lot of time on a single page (>20 mins).
 
Yeah, if a user leaves a page, that doesn't automatically kill the session. So the variables could still be in memory long after the user has gone.

D
 
Damn.

Ok thanks a lot for that - I will play around and see what I can come up with.
 
You can do a session.abandon() in your code, which will speed up the process. But since closing a browser is a client event, and not a server-side one, it's virtually impossible to track (unless you have JavaScript that redirects the user to a different aspx page when they try to close the browser or navigate away from the page, which could have code to kill the session).

D
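
Added example, not part of any post in this thread: a C# code-behind sketch of an explicit logout page plus the per-page session check the thread describes. It also expires the session cookie, because ASP.NET's `Session.Abandon()` discards the server-side data but leaves the `ASP.NET_SessionId` cookie in the browser. The page names `Logout.aspx` and `Login.aspx` and the session key `"UserData"` are assumptions made for the example.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Code-behind for a hypothetical Logout.aspx (page name assumed).
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Drop the objects stored for this user, then mark the session
        // abandoned so the server releases it when this request ends.
        Session.Clear();
        Session.Abandon();

        // Abandon() does not delete the session cookie on the client.
        // Overwrite it with an empty, already-expired cookie so the browser
        // stops presenting the old session ID on later requests.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.HttpOnly = true;
        Response.Cookies.Add(expired);

        // "Login.aspx" is an assumed page name.
        Response.Redirect("Login.aspx", false);
    }
}

// Guard for protected pages: call it first in Page_Load and stop if it
// returns false. After a timeout or a logout the stored objects are gone,
// so a missing value must be treated as "not logged in".
public static class SessionGuard
{
    // "UserData" is an assumed key for the user object stored at login.
    public static bool EnsureLoggedIn(Page page)
    {
        if (page.Session["UserData"] == null)
        {
            page.Response.Redirect("Login.aspx", false);
            return false;
        }
        return true;
    }
}
```

The browser only ever holds the session ID cookie; the user and settings objects stay on the server, which is why the guard reads them from `Session` rather than from anything the client sends.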
 