Clear Server Cache on Browser Close Using ASP.NET - c#

For a secure web application, how to clear an item in the server Cache on browser close?

You could try using the Session object and use its Session_End method to detect when the session is over and then do the cleanup.
More info about the session object you can find here - http://www.codeproject.com/KB/aspnet/ExploringSession.aspx
I'd use a small timeout so that the cache will clear almost immediately when the session is over. I might be wrong here - so if anyone can help, it would be appreciated.
Good luck!

Related

Should I cache a WindowsIdentity object in a MVC app? If so, what's the best way to do it?

I'm currently generating a WindowsIdentity object in my MVC application and I'd ideally like to cache it so I won't be hitting the AD on every request; the problem is that I often get the exception: "Safe Handle has been closed"
I've read somewhere that this error pops up because after the request ends, IIS closes the handle of the thread principal (in this case a windows principal that I instantiate using the cached windows identity).
Cutting to the point, should I be caching this object? Is caching the token a better idea? Or should I give up on the idea of caching any of those?
Thanks in advance!
If you are using LogonUser to create Windows tokens - there is already some optimization and caching going on in the Windows kernel.
I would stay away from trying to optimize that, and as you already noticed, you should leave handle management to the OS.

WCF Session Management

I am new to WCF and trying to accomplish a few things in terms of session management:
I would like to get an event on the server when a new session is opened/created.
I would like the ability to either close all open sessions, or get a list of open sessions and close specific ones (on the server, of course).
How would I go about doing this? Google has been surprisingly unhelpful...
The answer is going to be a lot of "it depends". Some of the bindings are not session aware. Something like BasicHttpBinding for example doesn't do sessions on its own, but if you enable ASP.NET compatibility mode you can get ASP.NET's session management to work. You will then be able to use Session_Start and Session_End in global.asax to do what you want when sessions are opening or closing.
You should look at the binding you're using and see if it has some kind of session support built in, because some of them do.
If you're doing authentication, you could also imitate a session management system by mapping requests to authenticated users and storing the session record in the database.
I will say that in any case I'm not sure what "closing" a session is going to get you. Unless you're also locking the user out somehow, the next request will just immediately start a new session if the previous one was ended. Maybe if you explain what goal you want to accomplish (and why) we can be of further help.
I agree with Tridus's answer on this. You can use Session with WCF services by enabling ASP.NET Compatibility Mode.
Check http://msdn.microsoft.com/en-us/library/aa702542.aspx for an initial reading. Keep in mind - Services are supposed to be stateless by principle.

Session_End code on browser close

I have a method I need to run on Session_end. Is there any way I can ensure the code runs when a user closes his browser? This may be a dup question. I saw one response doing a call to ajax unload or something, but I don't want this to fire every time a user navigates away from a page, just when they close their browser.
Thanks,
~ck
Simple answer: You can't control user's browser. The AJAX solution you mentioned is the closest you can achieve (without a plugin/custom client.) Imagine some Web site could track every time you opened and closed your browser window. Don't you think it would be a privacy issue?
The truth lies in the stateless nature of HTTP. The Web server is out of the picture as soon as it finishes sending the response to the client. After that, all you can rely on is a client side script (which only executes because the client wants it to; and it can easily choose not to run scripts.)
Session_end is unreliable. No matter what you do.
Session_end only fires when you are using inprocess session. If you are using a session state server or SQL session, session_end does not fire.
When using in process session, session_end only fires if you have stored something in session. If you aren't using session, session_end will never fire.
If you are using session and the user closes the browser, session_end will fire when the user's session times out. While it will have some of the same settings as the original session, this event will not be tied to a browser since it is the worker process detecting the session timeout and firing the session_end process.
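The Session_End cleanup suggested for the cache question at the top of this page, written so that it respects the constraints listed in the answer above. This is an added example, not code from any of the posters; the `user-data:` key prefix, the `cacheOwner` session key and the `CachePerSession` helper are hypothetical names.

```csharp
// Global.asax.cs (added example; key names and CachePerSession are hypothetical)
using System;
using System.Web;
using System.Web.Caching;

public class Global : HttpApplication
{
    // One cache key per session, so cleanup touches only that user's item.
    internal static string CacheKeyFor(string sessionId)
    {
        return "user-data:" + sessionId;
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        // Session_End is raised only for sessions that stored something,
        // so write a marker as soon as the session starts. Storing a value
        // also keeps SessionID stable across requests.
        Session["cacheOwner"] = true;
    }

    // Call this from page code instead of Cache[key] = value.
    internal static void CachePerSession(HttpContext ctx, object value)
    {
        // Backstop for StateServer/SQLServer modes, where Session_End never
        // fires: the item expires after the same idle period as the session.
        HttpRuntime.Cache.Insert(
            CacheKeyFor(ctx.Session.SessionID),
            value,
            null,                          // no cache dependency
            Cache.NoAbsoluteExpiration,
            TimeSpan.FromMinutes(ctx.Session.Timeout));
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Runs on a worker thread after the idle timeout, not on browser close.
        // HttpContext.Current is null here, so use HttpRuntime.Cache and the
        // Session property of HttpApplication.
        HttpRuntime.Cache.Remove(CacheKeyFor(Session.SessionID));
    }
}
```

With this layout the sensitive item disappears at the session timeout whether or not Session_End runs, so the only tuning knob is the `timeout` value of `<sessionState>`.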

Does Response.Redirect use the same session or start a new one?

I would like to be able to use the same Session variable when transferring to another app.
Does Response.Redirect use the same session or start a new one?
I am using c#, aspnet 3.5
Response.Redirect does nothing with the session. The session is tied (typically) to a cookie associated with the URI of the web app. If you switch to another web app on another server or a separate URI, the session will not carry over even if you managed to preserve the cookie.
Can you clarify what problem it is you're trying to solve?
Response.Redirect sends an Http Response to the browser with a status code of 302 Found and a header Location: {redirection-url}.
The browser receives this response, and knows to send a new request to the {redirection-url} when it receives a response with a status code of 302 Found.
That's all that happens.
Response.Redirect does not start or stop or have anything to do with any sessions.
It uses the same session.
EDIT: That is assuming the new URL would have used the same session anyway.
If you are trying to access session variables from a different app then that's not going to work as far as I remember. Session variables are only valid within the one app.
If you are trying to just redirect to another folder within the same app then the session variables are available.
If the two apps are indeed separate you could look at storing the session objects in a database and passing the sessionID to the new app using either a POST or a url parameter, however, neither of these are very secure and leave the app open to hacking without proper care being taken to ensure the user's identity.
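One way to take that care when handing a user from one app to another, shown as an added example that is not from any of the posters: instead of a raw session ID, the first app passes a short-lived value signed with a key both apps share, and the second app checks the signature and expiry before creating its own session. `HandoffToken`, its payload layout and the shared key are assumptions of this sketch.

```csharp
// Added example: HandoffToken and its payload layout are hypothetical.
using System;
using System.Security.Cryptography;
using System.Text;

public static class HandoffToken
{
    // Token = base64(userId|expiryTicks) + "." + base64(HMAC-SHA256 over the first part).
    public static string Issue(byte[] sharedKey, string userId, DateTime expiresUtc)
    {
        string payload = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(userId + "|" + expiresUtc.Ticks));
        return payload + "." + Convert.ToBase64String(Sign(sharedKey, payload));
    }

    // Returns the user id only if the signature matches and the token has not expired.
    public static string Validate(byte[] sharedKey, string token, DateTime nowUtc)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        try
        {
            // Check the signature before trusting anything inside the payload.
            byte[] presented = Convert.FromBase64String(parts[1]);
            if (!FixedTimeEquals(presented, Sign(sharedKey, parts[0]))) return null;

            string body = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            int sep = body.LastIndexOf('|');
            long ticks;
            if (sep < 0 || !long.TryParse(body.Substring(sep + 1), out ticks)) return null;
            return ticks > nowUtc.Ticks ? body.Substring(0, sep) : null;
        }
        catch (FormatException) { return null; }   // malformed base64
    }

    private static byte[] Sign(byte[] key, string payload)
    {
        using (HMACSHA256 hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.ASCII.GetBytes(payload));
    }

    // Compares every byte so timing does not reveal where the mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

URL-encode the token when it travels as a query parameter, keep the lifetime to a minute or so, and have the receiving app remember accepted tokens until they expire so that one token cannot be used twice.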

How to investigate why Session() expired and let users know

How to investigate what is causing Session expiry?
I would like to give some advice to end-users who have the following problem with our website:
If Session("xxxx") Is Nothing Then say something.. WHY??
Can I add something to web.config to make sessions last longer or should I read the IIS log files to see why this happens?
First, sessions are configured in web.config's <sessionState> element.
Also you can pick up session ending event (SessionStateModule.End) but note (1) this only works for in-process session management, and (2) you will need to record (in the session) when requests occur, so you can determine if it was a timeout or some other reason.
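The two points in this answer, put together as an added example that is not the answerer's code: each request stamps the session, and Session_End compares the idle time with the configured timeout to tell a timeout from an earlier end. The `lastRequestUtc` key, the `ClassifyEnd` helper and the trace message are hypothetical; the code assumes `<sessionState mode="InProc" />`.

```csharp
// Global.asax.cs (added example; key and helper names are hypothetical)
using System;
using System.Web;

public class Global : HttpApplication
{
    private const string LastRequestKey = "lastRequestUtc";

    // Pure classification, kept separate so the rule is easy to read and test.
    internal static string ClassifyEnd(DateTime lastRequestUtc, DateTime nowUtc, int timeoutMinutes)
    {
        TimeSpan idle = nowUtc - lastRequestUtc;
        return idle >= TimeSpan.FromMinutes(timeoutMinutes)
            ? "idle timeout"
            : "ended before the timeout (for example Session.Abandon)";
    }

    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        // Session is null for handlers that do not use session state.
        HttpContext ctx = HttpContext.Current;
        if (ctx != null && ctx.Session != null)
        {
            ctx.Session[LastRequestKey] = DateTime.UtcNow;
        }
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Raised only for InProc sessions; there is no HttpContext here.
        object stamp = Session[LastRequestKey];
        if (stamp == null) return;

        string reason = ClassifyEnd((DateTime)stamp, DateTime.UtcNow, Session.Timeout);
        System.Diagnostics.Trace.TraceInformation(
            "Session {0} ended: {1}; last request at {2:o}",
            Session.SessionID, reason, stamp);
    }
}
```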
I think normally if a user does nothing for a period of time(no page refreshes etc) then the session will expire, otherwise it would just consume loads of resources on the server.
In classic asp there was a timeout you could set, not sure if it's still there in asp.net or not.
If you don't want the session to expire while the user is looking at your site you could maybe put a meta refresh into your pages, or be a bit cleverer and use some kind of ajax timer that triggers and does a partial refresh on something.
You could put some code in your Global.asax file's Session_End method to help determine what went wrong, assuming you're running your session as InProc.
To increase your session length in IIS6, do the following:
Open IIS
Right-Click your website and choose properties
Choose the Home Directory tab
Click the Configuration button, in the Application Settings section
Choose the Options tab
Increase the Session Timeout value to whatever you want.
Close everything and do an IISReset
