When does a session end?

[Keith]

Hi

I understand that you set the session timeout in the Webserver procedure.  I imagined that once the timeout time had been reached (without activity) then the session would expire and reconnection would be required.

I can see that this is the case and that on expiry the NotifyDeleteSession code is executed.  But what I don't understand is why, on reconnection, the Session Id remains the same.

The session exceeded the timeout time and :

• I pressed F5 on the tab and session id remained the same
• Closed the tab, opened a new tab and reconnected and session id remained the same
• Closed all tabs in browser and restarted browser and reconnected and got a new session id

I thought it was important to understand what is happening here because if you store data based on the session Id and it doesn't actually change even though a user has reconnected (or maybe another user on the same computer) than there could be logical problems if you wanted to keep session data separate.

In other words - if the session ends shouldn't it be the same as if you'd been away for a month and reconnected and you get a new session id.  Why is this not the case?

Thanks

Keith

[kevin plummer]

Hi Keith,

There are some template options in webserver\security tab to control the sessionid on login/out in terms of being changed and deleted.

Cheers,

Kev

[Keith]

Thanks Kevin

I have 'Change session on Log In/Out' and 'Delete session on logout' both ticked.

Not sure what 'Log In/Out' means though - Secwin or terminating the browse session?

But there doesn't seem to be an option about session id if the session times out.  I am a bit surprised that the session id doesn't change if the session times out.  Any advice on that - I'll have to think about my In Memory driver records though I suppose its ok if I delete them in 'NotifyDeleteSession'.

Cheers

Keith

[Bruce]

Hi Keith,

>> 'Delete session on logout'

If you do this, it's important to make sure your "logout" button (if one exists) does not go to the login screen. And also make sure that the Login Screen does not do a call to log you out (ie p_web.SetSessionLoggedIn(0) )

In my experience it is much better to leave this option _off_ and just let the Login screen perform an automatic Logout, unless there are specific items in your session that you absolutely must have removed on logout.

>>     I pressed F5 on the tab and session id remained the same
>>     Closed the tab, opened a new tab and reconnected and session id remained the same

correct - in these cases the sessionId will remain the same, but it's a "new session" since the session data on the server has been deleted. This is because the SessionID is passed as a cookie - specifically a "memory cookie" which the browser remembers as long as it is open.

>>    Closed all tabs in browser and restarted browser and reconnected and got a new session id

yes, closing the browser destroys the memory cookies.

>> webserver\security tab to control the sessionid on login/out in terms of being changed

_changing_ the sessionID on login and logout is a good idea.

Cheers
Bruce

[Keith]

Hi

I have been investigating a circumstance when some variables do not get calculated and have another question about 'session end' and 'session start'.

In my app:

• Open browser and go to 127.0.0.1 etc and app displays all calculated variables
• Press F5 (refresh) and the page redisplays but the calculated variables are 0

I set a session variable to 1 in the 'New Session' embed point in the WebHandler which tells me that this is a new session and I need to do some preparatory calculations.  After executing the calcs I set the session variable to 0 and everything works ok.

But after F5 (refresh, but not closing the browser) my session variable remains at 0 and I don't do the calcs.  This means that the 'New Session' embed code is not triggered for an F5.

Per Bruce's comments above about the memory cookies this is understandable in that the implication is that F5 does not mean 'New Session' (but if I close the app, restart and hit F5 then it is a new session).

So, to get my logic right I need to understand what F5 means in terms of program execution and whether I can trap it somewhere so that I can reset my session variable.

Thanks

Keith

[Bruce]

>> But after F5 (refresh, but not closing the browser) my session variable remains at 0 and I don't do the calcs.  This means that the 'New Session' embed code is not triggered for an F5.

Correct. F5 is just a page refresh. It's definitely not a new session. A new request maybe, but not a new session.

>> this is understandable in that the implication is that F5 does not mean 'New Session' (but if I close the app, restart and hit F5 then it is a new session).

if you close the _server_ then all the server-side sessions are lost. So the next communication from the browser will indeed start a new session.

>> So, to get my logic right I need to understand what F5 means in terms of program execution and whether I can trap it somewhere so that I can reset my session variable.

you can't tell the difference between someone pressing F5, or just navigating to the page.
If you want to do something when the page is refreshed, then, um, do it in that procedure.

cheers
Bruce