NickD

Reputation: 123

Classic ASP and session Timeouts - keeping track of the session timer?

I've been stuck on this problem all week and I'm more than annoyed at the fact that I have to fix this application to meet the security policies the company I work for has... anyways...

I am trying to keep track of a session in a Classic ASP web app. I am able to set the session.timeout as well as a session variable in the session_onstart sub of my global.asa file. It works just fine:

Sub Session_OnStart
    Session("LoggedOn") = true
    Session.Timeout = 5
End Sub

Next, on one page (to test out a solution to this problem), I have implemented akiller's solution from here.

I needed to modify the code to look like this:

session.asp
<%
Response.ContentType = "application/json"
If Session("LoggedOn") = true Then
    Response.Write "{""loggedOn"": true}"
Else
    Response.Write "{""loggedOn"": false}"
End If
%>

and:

<script type="text/javascript">
$(document).ready(function () {

    var checkLoggedOn = function () {

        $.getJSON('session.asp', function (data) {
            if (data.loggedOn === false) {
                alert(data.loggedOn);
                //Need to get alert working when session time expires before redirect can be used.
                //window.location.replace("http://stackoverflow.com");
            }
        });
    };

    // Call checkLoggedOn every x milliseconds
    setInterval(checkLoggedOn, 30000);
});
</script>

Now, what I need to do is find out how to check how much time is left before the session expires. While I can use Javascript code to run a checker like the one above client-side, the time left in the session MUST be checked from the server (to prevent hacking of sessions client-side).

So here are the final steps of what I'm trying to accomplish.

  1. Trigger a Session.Abandon when session expires (server-side)
  2. Set Session("LoggedOn") to false in the Session_OnEnd event in global.asa
  3. session.asp will return false as a result
  4. redirect the user where they need to go.

Thanks,

Nick

Upvotes: 1

Views: 3009

Answers (2)

NickD

Reputation: 123

Ultimately, it was decided that it wasn't worth upgrading this project and we're going to keep it on a domain that can only be accessed internally so security fixes are not required.

Upvotes: 0

VMV

Reputation: 576

Short answer: see this comment by Lankymart.

More detailed answer: you can't do what you want.

  1. Each time you request a page while the current session is alive, ASP will automatically prolong the session lifetime by the timeout value assigned in this page. In this case, the session will live until IIS is restarted.

  2. Setting any values in the Session collection in Session_OnEnd is meaningless: after this event completes, ASP will destroy the whole Session collection object and remove the SessionID from the ASP process.

  3. Remember that calling Session.Abandon doesn't call the Session_OnEnd event immediately: see MSDN http://msdn.microsoft.com/en-us/library/ms524310(v=vs.90).aspx

Upvotes: 3
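
Added example (not part of the question or of either answer): because every request to an .asp page renews the ASP session, as point 1 of the answer above notes, a polling endpoint can only report the time left if the application keeps its own idle timestamp. This variant of session.asp assumes every real page runs `Session("LastActivity") = Now()`; that key and `IDLE_LIMIT_SECONDS` are hypothetical names chosen for illustration.

```asp
<%
Option Explicit
' session.asp, server-side idle check (added example, assumed names).
' Assumption: every real page, but NOT this endpoint, executes
'     Session("LastActivity") = Now()
' so polling here is never counted as user activity, even though each
' poll still renews ASP's own sliding Session.Timeout.

' 5 minutes, matching Session.Timeout = 5 from the question.
Const IDLE_LIMIT_SECONDS = 300

Dim lastActivity, idleSeconds, secondsLeft, loggedOn

Response.ContentType = "application/json"
Response.Expires = -1                          ' never answer from a cache
Response.AddHeader "Cache-Control", "no-store"

lastActivity = Session("LastActivity")
loggedOn = False
secondsLeft = 0

' Fail closed: a missing or malformed timestamp counts as expired.
If Session("LoggedOn") = True And IsDate(lastActivity) Then
    idleSeconds = DateDiff("s", CDate(lastActivity), Now())
    If idleSeconds >= 0 And idleSeconds < IDLE_LIMIT_SECONDS Then
        loggedOn = True
        secondsLeft = IDLE_LIMIT_SECONDS - idleSeconds
    End If
End If

If loggedOn Then
    Response.Write "{""loggedOn"": true, ""secondsLeft"": " & secondsLeft & "}"
Else
    ' Abandon marks the session for destruction once this page completes;
    ' Session_OnEnd fires later, so nothing here depends on it.
    Session.Abandon
    Response.Write "{""loggedOn"": false, ""secondsLeft"": 0}"
End If
%>
```

The expiry decision and the remaining time are both computed from the server clock, so the client script only displays `secondsLeft` and redirects when `loggedOn` is false.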
