Major Session problem - urgent help needed please

LauraCairns (Programmer), Jul 26, 2004
I have been using my Global.asax to set the session variables; however, when I close the browser window and open up a new window I am still able to access pages as if I am logged in. This is obviously a major security problem, and I'm not sure if it's something which I have done wrong or an IE problem. Should I clear the session variables somewhere else in the Global.asax? Can anyone suggest where I might have gone wrong?

using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Session_Start(Object sender, EventArgs e)
    {
        // login info: every new session starts out logged out
        Session["UserID"] = "";
        Session["Company"] = "";
        Session["VacID"] = "";
        Session["VacChangeID"] = "";
        Session["AppID"] = "";
        Session["AccID"] = "";
    }

    protected void Session_End(Object sender, EventArgs e)
    {
        // Session_End is raised by the session-state module, not by a browser
        // request: when a session times out there is no HttpContext, so
        // Response is unavailable and a Response.Redirect here cannot work.
        // A redirect belongs on a Log Out page that the user requests.
        // Clearing the variables is harmless but redundant: the session object
        // is discarded as soon as this event has run.
        Session.Clear();
    }
}
 
Can you try replacing "" with 'Nothing'?

// on session end, redirect to home page
Response.Redirect("index.aspx");
// clear all session variables
Session["UserID"] = Nothing;
Session["Company"] = Nothing;
Session["VacID"] = Nothing;
Session["VacChangeID"] = Nothing;
Session["AppID"] = Nothing;
Session["AccID"] = Nothing;
}

--
Regards,
Mike
 
No, it doesn't accept the word Nothing. Any other ideas?
 
Maybe...
Session["UserID"].dispose;

--
Regards,
Mike
 
Session_OnEnd is only fired when Session.Abandon is called, i.e. when the session is ended. Closing the browser doesn't end the session, since that action happens on the client side, so there is no way the server can tell; as a result your session is still there...
 
As jn03 said, what you're trying to do isn't really possible. There's no way for the server to know when a person closes their browser, because HTTP is stateless.

What I would recommend, if you're worried about security, would be to implement a standard security solution such as ASP.NET Forms Authentication. You can just search for info on it; it's fairly easy to set up. The main idea is to set
Code:
<system.web>
  <authentication mode="Forms">
    <!-- timeout is in minutes.
         protection="All" (the default) both encrypts and validates the ticket;
         "Encryption" alone omits the integrity check. -->
    <forms name="MyAuth"
           loginUrl="yourentrypoint.aspx"
           protection="Encryption"
           timeout="20"
           path="/" />
  </authentication>
  <authorization>
    <!-- "?" means anonymous (unauthenticated) users -->
    <deny users="?" />
  </authorization>
</system.web>

in web.config. This will handle your authentication for you in a clean and reliable fashion.

Two other things you could do would be to set
Code:
// HttpCacheability is the enum itself; ServerAndNoCache allows server-side
// output caching but tells the client (and proxies) not to cache the page.
Response.Cache.SetCacheability(HttpCacheability.ServerAndNoCache);
so that the client does not cache the page, and to decrease the value of the timeout attribute of sessionState (also in web.config).

 
As another note, all web applications have this problem - it's good programming practice to always provide a Log Out button somewhere visible (which could then perform the session cleanup code you have). The onus is then generally placed on the user to make sure they log out to protect their own data.
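The explicit Log Out handler this reply recommends, written out as an added example (it is not code from the thread): it ends the server-side session, removes the Forms Authentication ticket so the `<deny users="?" />` rule sends the browser back to the login page, expires the cookies client-side, and marks the response non-cacheable so "Back" cannot replay an authenticated page. It assumes the forms element is the `MyAuth` one from the web.config snippet above and that the entry page is `index.aspx` as in the original Global.asax; both names, and the page name `Logout.aspx`, are assumptions for illustration.

```csharp
// Logout.aspx.cs: code-behind for a visible "Log Out" button (added example).
// Assumes forms authentication is configured as in the web.config snippet
// above and that index.aspx is the public entry page (assumed names).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Do not let this response, or pages reached afterwards via Back,
        // be served from the browser cache.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // 1. Drop the server-side session. Abandon() is what makes
        //    Session_End fire for in-process session state; a browser
        //    window closing never reaches the server, so this is the
        //    only place the application can reliably end the session.
        Session.Clear();
        Session.Abandon();

        // 2. Remove the forms authentication ticket. With <deny users="?"/>
        //    in web.config, the next request is redirected to loginUrl.
        FormsAuthentication.SignOut();

        // 3. Also expire the cookies in the browser, so a request from
        //    another window of the same browser process does not present
        //    the old session ID or ticket.
        ExpireCookie("ASP.NET_SessionId");
        ExpireCookie(FormsAuthentication.FormsCookieName);

        Response.Redirect("index.aspx"); // entry page name assumed from the thread
    }

    // Overwrite a cookie with an empty value that is already expired.
    private void ExpireCookie(string name)
    {
        HttpCookie cookie = new HttpCookie(name, string.Empty);
        cookie.Expires = DateTime.UtcNow.AddDays(-1);
        cookie.HttpOnly = true;
        cookie.Path = "/";
        Response.Cookies.Add(cookie);
    }
}
```

Usage: point the Log Out button at Logout.aspx. Note that the ASP.NET session cookie is a non-persistent cookie, and browsers share non-persistent cookies between windows of the same process until the last window closes, which is why a freshly opened window can still carry the old session ID; the sessionState timeout remains the only server-side bound on how long an abandoned-but-not-logged-out session survives.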
 