Session Times Out but still logged in with login control?

[Bishop]

I have a couple items I keep in session variables (using server memory) that
I can't pass across the address line. I've done everything I can find to
extend the sessions as long as possible but eventually the session will time
out. I didn't want to use SQL to hold my session information as this is a
single server enviroment with plenty of memory and I don't want to slow my
application down by waiting on SQL or have an additional dependency.

A new application I built uses the ASP.NET 2005 Login Controls. What I
noticed is that when I loose my session, I'm still logged in. I don't know
much about the login controls but assumed they were session based and would
vanish with my session.

So my question is, can anyone explain why I'm not loosing my login and how
it is being managed that it stays after my session is gone. Maybe I should
use another method such as SQL to manage my session information?

Thanks for any advice!

 

[Scott Roberts]

A new application I built uses the ASP.NET 2005 Login Controls. What I
noticed is that when I loose my session, I'm still logged in. I don't
know much about the login controls but assumed they were session based and
would vanish with my session.

So my question is, can anyone explain why I'm not loosing my login and how
it is being managed that it stays after my session is gone. Maybe I
should use another method such as SQL to manage my session information?

asp.net membership is cookie-based, not session-based.

Sessions can be lost for a variety of reasons. You obviously want to
minimize their use and try not to depend on things being there for long
periods of time. If you absolutely need to store user info on the server for
long periods of time, I think a DB is going to be the best way to go.

 

[Bishop]

Ah, thank you.

I tested cookies a while back but never implimented them because I was
loosing the cookie at the same time the session would expire. I know that
dosn't make much sense, maybe it is some configuration with my browser. If
didn't persue it because of that and I was afraid that many people would
have they're cookies disabled.

Have you seen simular results with cookies and any idea what percentage of
browsers have cookies disabled any more? In this particular site, I could
indicate to users that they need to have cookies enabled to use.

Hmmmm... Now that I think about it, the login controls have the "Remember
Me Next Time" option that never seems to work for me but others have
indicated that it works fine for them. Do I just have something set to
expire cookies really fast? I'll investigate on my end but would happly
take any further advice.

Thanks!

 

[Scott Roberts]

To be honest with you, I've never really looked into "cookie-less"
authentication. I think the asp.net membership might auto-detect if cookies
are disabled and automatically switch to url-rewriting. I'm not certain on
that, though.

I believe (and you might want to double-check me on this) that most browsers
support two types of cookies these days. A "session" cookie (not sure if
that's the correct term) is generally permitted under default security
settings. These cookies "expire" when the browser is closed (if not sooner)
and are generally considered harmless. The "persistent" cookies (those that
persist even after the browser is closed) are the potentially dangerous ones
and those are the ones browsers tend to block.

So the "authentication" cookie is a "session" cookie ("session" on the
client, not the server) while the "Remember Me" cookie is "persistent". The
default expiration on the authentication cookie is 20 minutes, which just
happens to coincide with the the default timeout on server sessions. This is
coincidence, they are not related. You can increase the timeout on the
authentication cookie to whatever you want, or set it to "never expire" in
which case it will go away when the browser is closed.

 

[Bishop]

That's some really good information, I will read further about all this.
Thank you very much!