Session_End firing too soon?

Peter Cooper

I'm using inproc session state, and I'm frequently (but not always)
getting a Session_End event firing as soon as a user logs on. I keep a
list of logged on users, and am trying to track how long each one has
been logged on. I'm capturing Session_End for the cases where users
don't explicitly log off. I'm using Forms Authentication, plus SSL on
the login page, and after a successful login I redirect to a non-SSL
'home' page, and nothing's done via SSL again.

The problem seems to be that at some point during the login/redirection
process a Session_End event fires for the current event, and my
session tracking gets screwed up. I don't believe the session has
really ended, as the other web pages use a few session variables and
everything seems to be fine.

Unfortunately I can't really reproduce this on my development server
(XP), unless I set the session timeout to 1 or 2. On the production
server (2000 Server) it happens much more frequently. I'm not sure if
it's connected to the SSL issue.

Any ideas?

Cheers,
Peter Cooper
 
Hans Kesting

Peter Cooper said:
I'm using inproc session state, and I'm frequently (but not always)
getting a Session_End event firing as soon as a user logs on.

Are you sure it's the session of the newly logged-in user that fires
Session_End and not a previous session that has nothing to do with
this user? You might want to check the session id of the sessions
of your user and of the session that fires the Session_End.

Hans Kesting
 
Peter Cooper

Hans Kesting said:
Are you sure it's the session of the newly logged-in user that fires
Session_End and not a previous session that has nothing to do with
this user? You might want to check the session id of the sessions
of your user and of the session that fires the Session_End.

Hans Kesting

I assign a unique session variable in the Login processing, and I'm
seeing this same session value in the Session_End event's session. I'm
not checking session IDs explicitly, but this seems to be evidence
enough.

It's almost as if something I'm doing during login processing, and/or
the subsequent re-directing from a secure page to a non-secure page,
that causes the Session_End event to be generated. Oddest of all is
that it's not 100% repeatable!

To avoid browser warnings going from secure to non-secure page, I
redirect to a secure page containing only startup javascript that uses
location.replace to request the correct, non-secure page. Hard to
believe this would terminate a session via Session_End...

Peter
 
Peter Cooper

Alvin,
Thanks for the tip. However, I've determined that the culprit in my
situation seems to be the fact that for some of my users I'm modifying
the Session.Timeout value when they log on, and this is when the
problem occurs. If I comment out this code, everything works as
expected. If I reset the timeout it causes Session_End to fire
immediately, before the current page is returned to the user. However,
the Session itself remains valid, as the values I've already added to
it remain accessible!

My current workaround is to create a StartTime session var, and check
this in Session_End to verify that this erroneous End_Session hasn't
fired. I've seen one other person report this, but no one replied to
her. Any ideas? I'm using ASP.NET 1.0, perhaps this was something
fixed in 1.1?

Cheers,

Peter
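
One way to implement the StartTime check described in the post above, combined with the session ID comparison suggested earlier in the thread. This is an added example, not code posted by anyone in the thread; `LoginTracker`, the `"StartTime"` key and the 30-second threshold are assumptions.

```csharp
using System;
using System.Collections;
using System.Web;
using System.Web.SessionState;

// Added example. LoginTracker, the "StartTime" key and MinPlausibleLifetime
// are hypothetical names and values, not taken from the thread.
public class LoginTracker
{
    // SessionID -> UTC login time, for users currently counted as logged on.
    private static readonly Hashtable loggedOn = Hashtable.Synchronized(new Hashtable());

    // Assumption: the unwanted event arrives within seconds of login, while the
    // shortest real timeout is one minute, so 30 seconds separates the two.
    public static readonly TimeSpan MinPlausibleLifetime = TimeSpan.FromSeconds(30);

    // Call from the login page once authentication has succeeded, before
    // Session.Timeout is changed.
    public static void OnLogin(HttpSessionState session, DateTime nowUtc)
    {
        session["StartTime"] = nowUtc;
        loggedOn[session.SessionID] = nowUtc;
    }

    // Call from the explicit log-off page; it does not depend on Session_End.
    public static void OnLogoff(string sessionId) { loggedOn.Remove(sessionId); }

    // True when an end event arrives too soon after login to be a timeout.
    public static bool IsSpuriousEnd(object startTime, DateTime nowUtc)
    {
        if (!(startTime is DateTime)) return false; // session never logged in
        return nowUtc - (DateTime)startTime < MinPlausibleLifetime;
    }

    public static int Count { get { return loggedOn.Count; } }
}

public class Global : HttpApplication
{
    protected void Session_End(object sender, EventArgs e)
    {
        // Session_End has no HttpContext; use the application's Session property.
        if (LoginTracker.IsSpuriousEnd(Session["StartTime"], DateTime.UtcNow))
            return; // session data is still live: keep the user listed
        LoginTracker.OnLogoff(Session.SessionID);
    }
}
```

Keying the list by `SessionID` means an end event from an unrelated session can never remove the wrong user, and explicit log-off removes the entry directly so it is unaffected by the threshold.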
 
