Question on the right way to add & remove session variables

  • Question

  • Hi everyone,

    I would like to ask what is the right way to add or remove a session variable.

    Currently, I add session using:
    Session.Add("variable", dataset.Tables[0].Rows[0].ItemArray[0]);

    And remove session using:
    Session.Remove("variable");

    Is that the right way to do it?

    I actually have a page which restricts certain roles to view (for example, a page where sales department people can view, but those from production department cannot/are not supposed to view).

    Thus I code it in a way when people with sales_dept role enter the page, they see the contents;
    when people with prod_dept role enter the page, they see a "you are not authorised" message.

    However, here's the problem - when people from sales_dept view the contents on the page, and then they log out from the system.

    Without closing the browser, if I log in using prod_dept role and directly type the URL on the browser to go to the webpage, I can still view the contents.

    But after I refresh the page, the "you are not authorised" message will be displayed.

    I wonder what causes it to be so insecure, is it because I used the wrong way to keep track of my session or is it that I didn't drop it properly?

    Please advise! All help would be appreciated!

    Please pardon me for my bad English.

    Thanks!

    Best regards,
    Wen Bin
    Friday, January 16, 2009 5:41 AM

All replies

    • Proposed as answer by Harry Zhu Wednesday, January 21, 2009 2:57 AM
    • Marked as answer by Harry Zhu Thursday, January 22, 2009 8:37 AM
    Friday, January 16, 2009 5:58 AM
  • Hi,
    There could be two reasons.
    1. You haven't set the Session.Timeout Value
    2. The browser is caching the Web page.



    • Proposed as answer by Harry Zhu Wednesday, January 21, 2009 2:58 AM
    • Marked as answer by Harry Zhu Thursday, January 22, 2009 8:37 AM
    Friday, January 16, 2009 7:45 AM
  • Hi Akshay

    Thanks for sharing that wonderful article with me~

    However, it seems too complicated for me, I'm not that expert yet, I'm just using a quick & simple way to do it, and I'm not using ASPNETDB.mdf database as well. I don't have much time to focus on this, thus would hope to probably change a bit of my code or add in some stuff to make it catered for that. :)

    Thanks!

    -------------------------------------

    Hi MakubexTheFox

    Thanks for the help!

    1. Where could I set the Session.Timeout Value? And where should it be set at? In the web.config file?
    2. How can I check whether it is cached by my browser? Is there a way to not let it be cached by the browser? Or else it will be quite unsafe in a sense once it's hosted to a server...

    Please advise! :)

    Thanks!

    ---------------------------------

    Best regards,
    Wen Bin
    Monday, January 19, 2009 12:57 AM
  • This is how I "kill" a session:

     Session.Clear();
     Session.Abandon();

    Never stop learning.
    • Proposed as answer by Harry Zhu Wednesday, January 21, 2009 2:58 AM
    • Marked as answer by Harry Zhu Thursday, January 22, 2009 8:37 AM
    Monday, January 19, 2009 6:01 AM
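
    The two replies above (browser caching, and Session.Clear() plus Session.Abandon()) combined in one sketch. This is an added example, not code posted by anyone in the thread; the session key "role" and the page names NotAuthorised.aspx, Login.aspx and Logout.aspx are assumptions, and the server-side idle timeout mentioned in the first reply is set separately with the timeout attribute of the sessionState element in web.config.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Base class for pages limited to one role. Assumes the login code stored the
// user's role with Session["role"] = "sales_dept" (hypothetical key name).
public abstract class RoleRestrictedPage : Page
{
    protected abstract string RequiredRole { get; }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Tell the browser and any proxy not to keep a copy, so typing the URL
        // after a logout cannot show the previous user's rendered page.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));

        // Decide on the server for every request, before any content renders.
        string role = Session["role"] as string;
        if (!string.Equals(role, RequiredRole, StringComparison.Ordinal))
        {
            Response.Redirect("~/NotAuthorised.aspx", true); // hypothetical page
        }
    }
}

public class SalesReport : RoleRestrictedPage
{
    protected override string RequiredRole { get { return "sales_dept"; } }
}

// Code-behind for a hypothetical Logout.aspx.
public class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Session.Clear();    // removes every key; Session.Remove("x") removes one
        Session.Abandon();  // ends the session on the server at end of request

        // Expire the default session cookie so the next login gets a new ID.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        Response.Cookies.Add(expired);

        Response.Redirect("~/Login.aspx"); // hypothetical page
    }
}
```
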
  • Hi converscient,

    What's the difference between Session.Clear() and Session.Remove()?

    And doesn't Session.Clear() need any argument? Like Session.Remove comes with Session.Remove("variable")

    Does that mean Session.Clear() clear away all the sessions?

    Thanks.

    Best regards,
    Wen Bin
    Monday, January 19, 2009 7:20 AM
  •  

    Hi,

    For the discussion relating to asp.net, please post at http://forums.asp.net/.

    Thanks,
    Harry

    Wednesday, January 21, 2009 2:56 AM