Ending "session" 2

[schase]

I use cookies to store information on a user - which now makes me wonder if it's the best method to do so - at any rate. I would like for the individual's session to auto log out after x number of minutes.

I'd guess global.asa but the last time I tried to do this - it never really ended the session whether I closed the browser, or didnt touch anything for over an hour.

Any ideas? "Damn the torpedoes, full speed ahead!"

-Adm. James Farragut

Stuart

 

[cuedog]

In the global.asa file you can set the session to end after so many minutes. I believe its Session.Timeout=3000 which is 5 minutes in total seconds.

 

[jlgdeveloper]

In order to use session info, you would have to log them in first. (unless you are password protecting the pages and remove the iuser_machineName person and set the server properties correctly - challenge response, no anon users)

example at the very start of every secure page, before html is written:

if not session("authorized&quot then
response.redirect("logon.asp&quot
end if

then in the logon page, present them with the logon question or criteria, submitting this info to another page for evaluation ie:

check password against a database, the visitors cookies etc.

If they pass, then....

'allow the user to have access to the pages
session("authorized&quot = true
'send them somewhere
response.redirect("default.asp&quot
'else back to logon.

Hope that helps.

The other way I mentioned is if you do not allow the general public to the site, and use domain security.

Jonathan Galpin

http://www.keen.com/categories/categorylist_expand.asp?sid=5215353&gid=0&pmode=0

 

[schase]

Thanks guys, and my apologies, I was a vague in my post.

Restricting access - no problem got that covered,

but where I am using cookies more than session variables - will an on event in global.asa be sufficient to end a person's session (i.e. they leave their computer for longer than x minutes on my site) - it will log them out.

"Damn the torpedoes, full speed ahead!"

-Adm. James Farragut

Stuart

 

[cuedog]

Let's say a person logged into your page and then did not click for 10 minutes. The server has closed their session. You set the timeout session for 5 minutes. They still have the page up but when they click refresh or enter information and try to submit it, with the script jlgdeveloper wrote for you "if not session("authorized&quot the user will be sent to the login page as if they were a new user. As far as the cookies go you should not give them an expiration date. Hope this helps and excuse me if you knew this.

 

[jlgdeveloper]

Sorry I was torpedoed.

Another thought, set a meta tag with the expires attribute to say now + 5 minutes and see what happens. I would need to research it to give you the exact code. Something like <meta expires= .... in the header. The session variable is very robust though. The meta tag would only force them to refresh. You can of course use a meta tag to continuosly refresh a page. I can find that code if you want it.

Dam those Torpedoes! Jonathan Galpin

http://www.keen.com/categories/categorylist_expand.asp?sid=5215353&gid=0&pmode=0

 

[schase]

lol @ torpedoed

Good points on both - I didnt know to not set an expiration date - actually at first I figured it'd be cool, remember me and all that. But I need the security more than coolness.

I'm guessing no expiration will last only during a session then?

And the meta's a good point too - maybe where session on end does not always work properly - both would be better.

hmmm thanks guys. &quot;Damn the torpedoes, full speed ahead!&quot;

-Adm. James Farragut

Stuart