IIS 5 & IIS 6
a revamped timeout scenario
Last post Feb 03, 2016 10:40 PM by rokosz
Jan 30, 2016 12:45 PM|rokosz|LINK
Summary: How does one check for an active session without re-setting the Session.timeout?
classic asp iis6
I'm revamping a session timeout scenario. Previously if the user timed out while viewing a page the page would remain on screen. If they then clicked a link on that page which requires going to the server they'd be prompted to (re-)login for access.
The revamp is to not leave the timed-out page visible, but direct the user to a "you're logged out" page as soon as the session times out.
The problem seems to be that the very act of checking the session, re-sets the timeout of the session, via the following executed on the server:
<% if Trim(Session("ID"))="" then
which is in a Sessioncheck.ASP called via:
if (xmlhttp.readyState==4 && xmlhttp.status==200) // is 200 really needed?
/* code removed for brevity in forum */ /* sessioncheck.asp returned a dead session */
xmlhttp.open("POST","SessionCheck.asp",true); // POST here not GET (most mca calls:GET
so if the timeout is set to 20 minutes, and SessionCheck.asp is run every five seconds, the timer is set back to 20 minutes every five seconds because sessioncheck.asp refreshes the session each time it executes.
An alternative: logging users to a DB table doesn't work because their sessions are not fixed -- as long as they're active, the session must stay active.
What am I missing? any ideas? thanks
Feb 01, 2016 04:20 AM|Jean Sun|LINK
Every time you refresh or request a page, the
Session-Timeout will be reset. In your code you request the SessionCheck.asp page every 5 seconds, the Session-Timeout will be reset every 5 seconds too.
You can find code sample about auto redirect to login page when Session is expired in the following link, please take it as reference.
Feb 03, 2016 10:40 PM|rokosz|LINK
Thank you Jean Sun. That was a good push down a path I'd started to ponder. I bastardized it quite a bit for my "frame"work, but it is a great guide.