User-1283624616 posted
Hi all,
Summary: How does one check for an active session without re-setting the Session.timeout?
classic asp iis6
I'm revamping a session timeout scenario. Previously if the user timed out while viewing a page the page would remain on screen. If they then clicked a link on that page which requires going to the server they'd be prompted to (re-)login
for access.
The revamp is to not leave the timed-out page visible, but direct the user to a "you're logged out" page as soon as the session times out.
The problem seems to be that the very act of checking the session, re-sets the timeout of the session, via the following executed on the server:
<% if Trim(Session("ID"))="" then
return false
%>
which is in a Sessioncheck.ASP called via:
<script language=javascript>
setInterval("StillinSession()",5000)
function StillinSession()
{
var request=false;
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200) // is 200 really needed?
/* code removed for brevity in forum */
/* sessioncheck.asp returned a dead session */
window.location="URLoggedOut.asp"
}
}
xmlhttp.open("POST","SessionCheck.asp",true); // POST here not GET (most mca calls:GET
xmlhttp.send();
}
</script>
so if the timeout is set to 20 minutes, and SessionCheck.asp is run every five seconds, the timer is set back to 20 minutes every five seconds because sessioncheck.asp refreshes the session each time it executes.
An alternative: logging users to a DB table doesn't work because their sessions are not fixed -- as long as they're active, the session must stay active.
What am I missing? any ideas? thanks
