Reputation: 36654
Session state asp.net life span
I have read that asp.net session variable last by default 20 minutes of inactive browser.
What happens if the user logs out and immediatly logs in? Or closes the browser and restart it? The session state "dies" ? If not- what is the alternative to make it die on evey log-out or browser closing?
Thanks
Upvotes: 2
Views: 2169
Answers (6)
Reputation: 499002
A session "dies" after 20 minutes of inactivity (by default), or if it was cleared by the programmer.
To clear a session, you call the Abandon method on it. Do that on logout.
There is no simple way to detect that a browser window has closed (you can use Ajax to poll from the browser, for example), since the web is stateless. However, if this happens (and no other instances of the browser are still open), when the user starts a new instance and accesses your website, he will get a new session (though the existing one will linger on till it times out).
Upvotes: 1
Reputation: 5312
I'm assuming when you want the user to be logged out - you want the Session to be destroyed, not just the Session Key / Value pairs to be removed.
Calling:
Session.Abandon();
Will destroy the Session. http://msdn.microsoft.com/en-us/library/ms524310(v=vs.90).aspx
Upvotes: 0
Reputation: 30882
Session state relies completely on the presence of a cookie being provided by the browser for each request in the 'session'. When the server takes receipt of the cookie on each request it then checks if the default 20 mins has passed since the last request.
Therefore the answers to your questions:
What happens if the user logs out and immediatly logs in?
The cookie is marked as invalid by the server on logout and is assigned a brand new one when they log back in
Or closes the browser and restart it?
Provided the session hasn't expired it won't make any difference (as the browser will still send the cookie along with each request)
make it die on evey log-out or browser closing?
You can't make a cookie 'die' although you can set it's expired date to the past. There is no way you can detect the user closing their browser.
Upvotes: 2
Reputation: 1497
Session.Abandon() will flush all your session. Call this when the user logs out. So every time he logout and logs in, new session will be created. Session TimeOut and Closing a browser will automatically result in a new session next time.
Upvotes: 1
Reputation: 164291
Whether the session remains active relies on two things:
- Whether the Session is still alive on the server (your 20 minute timeout, or you programmatically abandoning the session)
- Whethet the client (browser) transports the Session cookie to the server, so the session can be identified.
The Session cookies are served as non-persistent cookies, meaning that they should be maintained by the browser for one session (of the browser), so they should not be sent after you close the browser and restart it. But in reality, it is entirely up to the client browser implementation.
The lesson here: Yes, Sessions expire when the average user closes his browser. But you can't and shouldn't rely on it for anything important.
Upvotes: 2
Reputation: 13399
On log out you might have to clear session manually. New instance of browser should have new session.
Upvotes: 1
Related Questions
- Understanding ASP.Net session life time
- how to maintain session state as long as possible with asp.net 4.0
- For how long are session values available in state server mode in asp.net
- Can ASP.NET session live longer than Application
- ASP.NET Session State
- ASP.NET session object lifetime pessimistic assumption !
- ASP.NET Session Expiration
- Session State expiry in ASP.NET
- asp.net session state
- Session Timeout ASP.Net