Session state asp.net life span_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-03-01 09:19 出处：网络

I have read that asp.net session variable last by default 20 minutes of inactive browser.开发者_开发知识库

I have read that asp.net session variable last by default 20 minutes of inactive browser.

What happens if the user logs out and immediatly logs in? Or closes the browser and restart it? The session state "dies" ? If not- what is the alternative to make it die on evey log-out or browser closing?

Thanks

Session state relies completely on the presence of a cookie being provided by the browser for each request in the 'session'. When the server takes receipt of the cookie on each request it then checks if the default 20 mins has passed since the last request.

Therefore the answers to your questions:

What happens if the user logs out and immediatly logs in?

The cookie is marked as invalid by the server on logout and is assigned a brand new one when they log back in

Or closes the browser and restart it?

Provided the session hasn't expired it won't make any difference (as the browser will still send the cookie along with each request)

make it die on evey log-out or browser closing?

You can't make a cookie 'die' although you can set it's expired date to the past. There is no way you can detect the user closing their browser.

Whether the session remains active relies on two things:

Whether the Session is still alive on the server (your 20 minute timeout, or you programmatically abandoning the session)
Whethet the client (browser) transports the Session cookie to the server, so the session can be identified.

The Session cookies are served as non-persistent cookies, meaning that they should be maintained by the browser for one session (of the browser), so they should not be sent after you close the browser and restart it. But in reality, it is entirely up to the client browser implementation.

The lesson here: Yes, Sessions expire when the average user closes his browser. But you can't and shouldn't rely on it for anything important.

On log out you might have to clear session manually. New instance of browser should have new session.

Session.Abandon() will flush all your session. Call this when the user logs out. So every time he logout and logs in, new session will be created. Session TimeOut and Closing a browser will automatically result in a new session next time.

A session "dies" after 20 minutes of inactivity (by default), or if it was cleared by the programmer.

To clear a session, you call the Abandon method on it. Do that on logout.

There is no simple way to detect that a browser window has closed (you can use Ajax to poll from the browser, for example), since the web is stateless. However, if this happens (and no other instances of the browser are still open), when the user starts a new instance and accesses your website, he will get a new session (though the existing one will linger on till it times out).

I'm assuming when you want the user to be logged out - you want the Session to be destroyed, not just the Session Key / Value pairs to be removed.

Calling: