Session.Abandon Problems

[Dynapen]

Here's the deal. I have a web site using ASP, where when a member logs in and i verify him i want to use the Session.SessionID to reference the record in the database that controls his access. Inserting the Session.SessionID value into the DB is easy, and referenceing it to check his access was easy as well. The problem is on the logout screen.

I have a button on the top of my page that runs the following VBScript

<script language=vbscript>
sub btn1_onclick
document.location=&quot;logout.asp&quot;
end sub
</script>

The logout.asp file only has three steps.

<%
Session.abandon
SQL=&quot;update table set ID = null where ID=<%session.sessionID&>;&quot;
myconn.execute(SQL)
response.redirect &quot;../default.asp&quot;
%>

This way is should tell the server to kill the session, to remove it from the DB table that stores it, and then redirect out to the main page. Now becuase the Session object isn't actually killed until all the other script on the page finishes, this should all work.

But here's the problem. When I response.write the session.sesionid on the defualt.asp page that was just loaded, it still shows the same Session.sessionid that I had in the database. Shouldn't it have killed that session, and started a new one?

Is there something here that i am missing?


Thanks in advance

 

[lobstah]

i found the following info at:

http://www.windows-expert.net/faq/IIS/Session-abandon-and-session-id.asp

Question:

I call Session.Abandon after a person completes an order. The users session is expired and they have to relogin. Great! The issue is that the sessionID stays the same. From what I understand, this is suppose to change every time a new session is created. Is this true?

Answer:

Session.Abandon only releases the memory used by session variables and frees the server resources used by that session. Session ID is stored on the client side (as a cookie) and is unaffected by the Abandon method. As such, the session effectively restarts, but retains the session ID.

 

[Jonax]

Apart from that, one would think that if it worked properly you should update the db before abandoning the session... This is not a bug - it's an undocumented feature...
;-)

 

[lobstah]

i just did an ultra simple test:

default.asp

<%
response.write &quot;SessionID = &quot; & session.sessionID
%>
<a href=&quot;logout.asp&quot;>Logout</a>

logout.asp

<%
Session.abandon
response.redirect &quot;default.asp&quot;
%>

and each time the default.asp page loads, the sessionID is incremented by 1......

 

[Dynapen]

lobstah-

What happened in your test is what everything i have read says should happen. The Session.SessionID is destroyed with Session.Abandon, and is recreated when the by the server where it reloads defualt.asp.

But why does it work on your test, and not on my server? The coding between the two is almost identical. If it did what your test did, then they couldn't even use the back button to get back in because the new sessionID wouldn't be found in the database......

Help please.

 

[lobstah]

are you sure you're getting in the logout script?

could you add what i put in blue, to see that you are indeed getting there, and not getting back to default.asp by some other means?

<%
Session.abandon
response.write &quot;<br>session.abandon, SessionID = &quot; & session.sessionID
break
SQL=&quot;update table set ID = null where ID=<%session.sessionID&>;&quot;
myconn.execute(SQL)
response.redirect &quot;../default.asp&quot;
%>

 

[Guest_imported]

Tried lobstah's ultra simple test and got Dynapen's results....
Any way to kill the cookie and re-create?