clearing session via HttpModule RRS feed

  • Question

  • User1588608489 posted

    When a user authenticates to my web application, I start tracking information in their session.  The information in the session drives the look and feel, plus functionality. 

    When the user logs out of the system, I would like to dump the session.  However, I would like to clear the session using an HttpModule.  Is there a way to acheive this?

    So, I am left with these questions:
    -is this possible?
    -what event should I handle in the http module
    -what object would be the ideal object to check to determine that the user is no longer authenticated within the context of the http module
    -what object would be the ideal object to access the users session from within the http module

    Tuesday, July 12, 2005 8:35 AM

All replies

  • User704942467 posted
    Well, the easiest way to clear a Session is to call Session.Abandon() from the action the user takes to log out of your system.

    One main point to keep in mind, is to manually clear the Session from the server, it will require some sort of postback to the server.  Many people overlook this point.

    To answer your questions
    1.  Yes, it is possible, though through an HttpModule it will be difficult as your module will need to scan all incoming requests for some marker.  Why do you want to place this in a HttpModule?
    2.  PostRequestHandlerExecute - that way your users can see the "successfully logged off page"
    3.  Once the Session is attached to the HttpContext of the Module, you will have access to it.  Perhaps the best way is HttpContext.Current.User.Identity.IsAuthenticated, but this will entirely depend on your authentication scheme.
    4.  HttpContext.Current.Session will get you access to the session, but Session is not attached on all events.  Be aware of this.  I looked around for the order of the events so I could tell you at what event Session is attached to the context, but couldn't find one.

    Tuesday, July 12, 2005 6:38 PM
  • User1588608489 posted

    Hello bill, thanks for your response.

    I really dont want to use a module, but I am programming agains an already deployed portal framework that I dont want to re-compile.  The original authors of the code / portal, overlooked the fact that in their logout routine, that there might actually be items in the users session and are not clearing it, they are just dumping the forms authentication ticket and moving on. 

    Tuesday, July 12, 2005 11:56 PM
  • User704942467 posted

    I really can't think of a way to dump the Session without recompiling.  Perhaps someone else knows of a way?


    Wednesday, July 13, 2005 11:22 AM
  • User1588608489 posted

    If I write a http module in a seperate assembly, that is the only compile and deploy that is required.  The original codebase for the portal framework would still remain intact.

    Wednesday, July 13, 2005 12:19 PM
  • User704942467 posted
    Your module will wire to the PostRequestHandlerExecute event.

    In this event, you can check the cookie to see if it has been signed out of.

    //this is pseudo code ish
    HttpCookie cookie = context.Response.Cookies[FormsAuthentication.FormsCookieName]
    if  ( cookie == null ) return;

    if  ( cookie.Expires == new DateTime( 1999, 10, 12 ) )

    When FormsAuthentication.Signout is called, the Form Auth cookie is removed and a new cookie is added with the expiration date set to a date in the past.  (Exactly October, 12, 1999).  I don't know why MS picked that date, it could be the date the .NET team started, someone's kid was born, it doesn't really matter.

    I am not sure if you can call Session.Abandon() at this point in the execution, but this would be my best guess.

    Wednesday, July 13, 2005 4:11 PM