close a specific session that have the id

  • Question

  • User-1634295357 posted

    Dear colleagues,

    I would like your help. The case is as follows.
    On my system, when a user logs in with their username and password, for example the user John, on computer 'X', I save the user's computer data, including the session variable "Session.SessionID", in the database.
    If by any chance that user (or another person with their login details) tries to log in on another computer 'Y' with John's login information, I identify that the same user is logging in from another machine and try to force the end of the previous session.

    For example, I get the SessionID that I saved in my database:

    string session = Convert.ToString(dsSession.Tables["infos"].Rows[0]["session"]);

    // So when the user John opens the system on another computer ('Y'), the last session (on computer 'X') remains open. I tried some code to close it, since I have the ID, but nothing worked. I tried the following:

    // I try to 'abandon' the session whose ID I get from the DB with the dataset above, so I tried this:

    Session.Abandon(session);

    // But if the SessionID saved in my database (for computer X) is "uyeafl0kspp2adflotwqww12" and I debug the line Session.Abandon(session), the session abandoned is the current open session (on computer Y, so the session abandoned is 'zeswasswgf3z62qg96wqafz'), and John's open session on computer 'X' remains open.

    I tried this too:

    Session.SessionID.Equals(session);

    or:

    Session.Remove(session)

    // Nothing worked.

    There may be other ways of doing this, but I would like to learn how to finish it the way I started, following my reasoning.
    That is, in short, if I have the session ID saved, I guess I can just use the ID as a string to reference the session, and pass this session ID via code to remove or abandon this specific session.

    Thanks in advance.

    Tuesday, March 3, 2015 5:46 PM

Answers

  • User475983607 posted

    The default session type, InProc, creates a trusted conversation between a browser and the web server which exists for some time X.  The session is identified by a cookie stored on the client's machine when a session is initially populated.

    As your experience shows, it is not possible to affect another user's session.  That is a good thing!!!

    If you want more control over session, then use SQL server to store session state.  SQL session will allow an authorized user to delete or manipulate session IDs/records.

    https://msdn.microsoft.com/en-us/library/ms178586%28v=vs.140%29.aspx?f=255&MSPPError=-2147217396

    https://support.microsoft.com/kb/317604?wa=wsignin1.0

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, March 4, 2015 10:50 AM
  • User1508394307 posted

    Two things

    • There is no way to access other Sessions in InProc mode. You can only access the Session object of the user doing the current request (i.e. yourself), not other users' Session objects. All references to Session.Abandon(session), etc. are invalid as these methods do not support parameters. See documentation for each method for more details.
    • As suggested you could use SQLServer mode to store session state in a SQL Server database where you could delete it. See more http://support.microsoft.com/kb/317604

    I think you overcomplicate the problem. 

    You save SessionID in the database. So, if you need to clean/delete/etc then simply check that value on every request and delete that value from the database when required so that if value is not available then session must be abandoned. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, March 4, 2015 11:08 AM

All replies

  • User-1151753377 posted

    Hi Angelo.net,

    According to your description, I think you should check whether the session state is open before you log in on Computer Y; if the session state is open, you should close it.

    For more about starting and ending a session, please refer to the link below.

    https://msdn.microsoft.com/en-us/library/ms524798(v=vs.90).aspx

    Regards & Summer

    Wednesday, March 4, 2015 2:36 AM
  • User-1634295357 posted

    Dear friend,

    I think you did not understand my question.
    All you said I have already done: "check whether the session state is open before you log into in Computer Y". I already do this; as I said, I can get the string value of each session I want from my database, so this is not the problem.

    The problem is closing this session from another session, because the description of the method "Session.Abandon" says: "cancels the current session".

    I'll try to explain it another way. Suppose I want to create a button where I select logged-in users on my system (which I already have), and by activating the button I choose which session to close.

    For example, I will get my users' data from my database. Imagine I have 3 fields in my database (Username, session, datelog):

    Username / session                     / datelog
    John     / zqwwifafwge19qg12wqafrz     / 2015-03-03 10:52:15
    Paul     / h3onaaf3kssdfkh0yhdkafash   / 2015-03-03 10:48:00
    Ian      / pp2oçsakdfonugsgf8za2asf    / 2015-03-03 10:13:05
    Admin    / asfsdlkasfdwq1mryxr2asc8sl  / 2015-03-03 10:03:00

    So I'm logged in as the Admin user on computer 'Z' and I have all the data from the other logged-in users, like above.

    Suppose that from my admin system on computer 'Z' (whose session is "fpoclkquobq1mryxr3dnc0sl ") I want to close John's session,
    which is "zelwisaswge3z53qg12wqozz" on computer 'Y'. If I put the code 'Session.Abandon' in a button method, the session closed is the current Admin one, not John's session, even if I make a reference, like: Session.Remove(sessionID);

    because the Session.Abandon method just closes the current session and doesn't accept any arguments.

    In a dropdown, I choose the user John and then click a button in my admin system to try to close John's session:

    protected void btnCloseSession_Click(object sender, EventArgs e)
    {
        string sessionID = Convert.ToString(dsSession.Tables["infos"].Rows[0]["session"]); //here

        Session.Abandon(sessionID);
    }

    but Visual Studio says: "No overload for method Abandon takes 1 argument"

    I want to use a method like "Abandon" to close a specific session (I have all the other info and do everything else). I just need to know how to close a specific session whose ID value I have. But Abandon just closes the current session, i.e. it only closes the admin session. Which method or code must I use to close a specific session? (I have all the data; I just need code to close a session that I will get from my DB.)

    Thanks in advance!

    Wednesday, March 4, 2015 8:31 AM
  • User753101303 posted

    Hi,

    What is your session provider? With InProc for example you could mark other sessions as "invalid" and check for this when a request is done so that you call Session.Abandon when an attempt to use an old session happens. The point is that you have to use Session.Abandon from the session you want to close.

    If stored in the db you could directly do that in the db (it's a bit unclear if your session is db based or if you just track sessions using the db).

    Wednesday, March 4, 2015 11:25 AM
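
The approach the marked answer and the last reply describe (keep the valid SessionID in the database, check it on every request, and call Session.Abandon() from inside the session that is to be closed), as an added example that is not part of the original thread. The table, connection-string, session-key and login-page names are assumptions.

```csharp
// Added example (Global.asax.cs), not from the thread. Assumed names: table
// UserSessions(Username, SessionId), connection string "AppDb", Session["user"], ~/Login.aspx.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
public class Global : HttpApplication
{
    static object Run(string sql, string user, string sid)
    {
        using (var con = new SqlConnection(ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.AddWithValue("@user", user);
            cmd.Parameters.AddWithValue("@sid", sid);
            con.Open();
            return cmd.ExecuteScalar();
        }
    }

    // The login page calls this after verifying the password and setting
    // Session["user"]; writing to Session also keeps SessionID stable.
    // Replacing the row revokes the session still open on the other computer.
    public static void RegisterLogin(string user, string sid)
    {
        Run("DELETE FROM UserSessions WHERE Username = @user; " +
            "INSERT INTO UserSessions (Username, SessionId) VALUES (@user, @sid);",
            user, sid);
    }

    // Admin "close session" button: with no row left, no session is valid.
    public static void Revoke(string user) { Run("DELETE FROM UserSessions WHERE Username = @user;", user, ""); }

    // Runs on every request once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;             // request without session state
        var user = ctx.Session["user"] as string;
        if (user == null) return;                    // nobody logged in here
        var valid = Run("SELECT SessionId FROM UserSessions WHERE Username = @user;",
                        user, "") as string;
        if (valid == ctx.Session.SessionID) return;  // still the registered session
        // Superseded or revoked: this session abandons itself, since
        // Session.Abandon() only acts on the current request's session.
        ctx.Session.Abandon();
        ctx.Response.Redirect("~/Login.aspx", false);
        CompleteRequest();
    }
}
```

The lookup runs on every request; if it is cached to save the query, a revocation only takes effect once the cached value expires.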