How to terminate old session in VB.Net web based application RRS feed

  • Question

  • Hi,

    I have one web based application and having login screen. Currently Once user logged into the application, then If user copy the URL after login and paste it in different tab the user is still able to access inside application. So here user able to access in both tab as logged-in. My requirement is to terminate first/old session If user logged into second session(which is created new session). User should able to login in one session at a time, not in multiple session and also when user logged into new session, it should prompt warning message to both session as account is used some other place. How to achieve this in Web based VB.Net.

    Saturday, December 12, 2020 5:58 PM

All replies

  • Unfortantly, this is not possible.

    You can logout a user – you can force and blow out the session, And in fact you can even then run code to re-log in that user under a different logon!!!

    You noted this;

    > terminate first/old session If user logged into second session(which is created new session).

    That “is” the whole problem!!! The “which is created new session” part DOES NOT occur, and you can’t make it occur!

    When the user paste in a URL?

    If the browser has you logged in, then YOU ARE using the SAME session – you do NOT get a new one! And you do not get a new session if they open up another tab.

    Even if you jump them to the logon page again?

    They STILL get and have the same session.

    If the user hits ctrl-T (or just opens a new tab).

    If they now put in a URL to the site, if you are logged in and have an active session? Well now your new tab is using that “existing” session.

    A new session is not created nor is one started.

    The session start event does not fire.

    And the logon event does not fire either.

    You can’t get nor have a “new” or “separate” session in the same browser. In fact, if they launch another copy of the browser and NOT even use a tab?

    You once again get the same session.

    You can (could) check the referring URL.

    The referring URL is where you came from. (and browser back button does not fill this out.

    I suppose you then NOT allow ANY web page without a referring URL (or one not from your site) to always have to be directed to the logon page.

    However, the above does not really help.

    Why? Well, say they paste a URL. Well, you might send them to the logon page. They login – they ARE NOW using the same session as the still open other tab anyway! (and they could just tap the back browser arrow).

    I certainly have used the “blank” or “wrong” referring URL for one of my pages.

    Turns out about the ONLY page in which you can do anything at all without a logon?

    I have a feedback page. And some users who can’t logon will in fact use the feedback page to ask for help (and not feedback!!!).

    And worse, the Feedback page is a hyper-link from the menu bar.

    So, some robot or some “spam” bot or such got hold of the URL for the feedback page.

    And it was doing all kinds of stuff, stuff like this:

    If you note in above? The user typed in the text box some JavaScript!!!!

     You have to careful, since when you re-plot the page, the browser will now just have incoming HTML and that “script”.

    So a simple re-plot can now have that page coming from the web server – and the browser “could” see that HTML as code now!!

    Thankfully asp.net text boxes have built in protection against this – but any time you take user input and re-display or render it?

    Well, you better not for example shove the above text into say a “<div></div>” element on your page and re-fresh – if you do, now you CAN will be running the JavaScript they typed in!!!

    I NOW check the referring URL for that above page. 

    Thus only MY code (and site) can open that above URL – not a cut = paste, but MORE important not some robot. So, if the reffering URL is NOT my site? then you can NOT open that URL - I simply re-direct you to the home (about page).

    The problem of course is that web land is a state-less, and disconnected system.

    While I use and love session ()?

    It is a limited system. And worse if you are on some project page, and you set the ProjectID (PK row from database) into Session().

    Well, now if you open up another page, start working on a different project – and the other page is STILL open?

    Well, you now just swapped out the ProjectID in the session – that other page now is showing say a different project – but you CHANGED the ProjectID!!

    So caution is warranted here.

    I don’t’ have a solution – and I don’t think there really is one.

    So, that new tab, and EVEN launching another copy of the Browser? you get the same session!! 

    In fact that is most of the issue and problem!! - you can't get a separate session in separate tabs, and in fact most of the time you can't even get a different session when you launch the browser again!


    Albert D. Kallal (Access MVP 2003-2017)
    Edmonton, Alberta Canada

    Sunday, December 13, 2020 9:13 AM
  • In my opinion, when you copy URL into new tab, the browser will send a “GET” request.

    In contrast, when you click a button from some form in first tab, it will send a “POST” request.

    Maybe this difference can be used to solve part of your first problems. In Web forms, see Request.Method.

    For other aspects, see also: https://forums.asp.net/.

    Sunday, December 13, 2020 11:05 AM
  • There is not a lot you can do. You might be able to figure out that the web page is FIRST time load - (postback = false). So, you still get the one and same session.

    A possible solution is outline here:

    In effect what you do is on first page load is generate a random number, and then "append" it to ALL CODE that uses the session. Eg you do this:

    iis - asp.net - session - multiple browser tabs - different sessions? - Stack Overflow

    If Not IsPostback Then
      'Generate a new PageiD'
      ViewState("_PageID") = (New Random()).Next().ToString()
    End If

    So you shove a value into viewstate.

    Now, for all "session()" code, you do this:

    Session(ViewState("_PageID").ToString() & "CheckBoxes") = D

    So you STILL using the same session(), but at least this gives you separate "set" of values for each tab page you open. however, the above is STILL somewhat of a problem, since we OFTEN use session() to pass a set of values to say the next web page. So, I guess one could pass a parameter in the URL for the next page to figure out which session "set" to use. But then again, one big bonus of using session() is we have nice, clean, great looking URL's that are not all messy and cluttered up.

    However, having looked for a solution? The above view-state trick seems to be about the best solution, and requires the "least" amount of code re-writing to get/have/separate out session() values for each tab.

    However, the above does fall down somewhat when you want to jump to the next web page in that application. The session() qualifier (our random number) would have to be passed to that next page. I not tested if view state will work for this - but the above is what I am planning to adopt, since with multiple web pages open, I have some rather high risk code that will cause some code to actually pick up the wrong data rows "PK" and values if a user does run and have multiple pages open.


    Albert D. Kallal (Access MVP 2003-2017)
    Edmonton, Alberta Canada
    Sunday, December 13, 2020 9:56 PM
  • ASP.NET issues can be discussed in the ASP.NET forums.

    ASP.NET Forums | The ASP.NET Forums

    Sunday, December 13, 2020 10:47 PM