Session Variables to Restrict Access to Page

[RFH Reseller: carpeni]

Hi
I use session variables to restrict access to pages where I want to restrict access to secure data. However, these do not last very long and the session variable is lost - often within 15 minutes - and this causes problems when doing updates to data online. I think the variable is lost due to the frequency that the server is reset - but it happens quite frequently

Does anybody else have same problem? Any ideas of how to overcome this? Problem is I have many pages that have the code to restrict access ( code produced via Dreamweaver 4 )
Cheers
Ian

[Staff: Warren Ashcroft]

A typical session will expire 15-20 minutes after the last activity; however since the shared web servers are recycled frequently to keep them running well no session will last longer than 45 minutes and may even only last a few minutes if the session is created moments before a due recycle.

Some other session state storage method is recommended, or at least something to support the loss of a session to reestablish it.

This issue does not apply to our Premier service, where customers have the control over the recycling frequency.

[RFH Reseller: JohnnyW]

If it's asp or asp.net you can use SQL Server to store session data.

[RFH Reseller: askjim]

Storing such information in session is ok but is limited to how long a session lasts. In ASP and ASP.NET you can configure the duration of the session but the longer the time more memory is consumed.

I did not relise that the servers are recycled every 45 minutes as this could be a pain if you were trying to build an ecom site where you stored a customers basket id within the session as it could be lost if the server is recycled the next minute - the customer would not understand why the contents of their basket had been lost - and would shop elsewhere.

This means you will have to store a cookie on the customers computer and use this to identify the user and store any session related data in the database - this is not ideal as users are more likely to block cookies compared to session cookies.

Alternative is go for premium hosting.

James

[RFH Reseller: Interlogic]

I was looking at this because I was writing as Ajax Chat room to run on my site and had the same problem, I ended up using a different solution but while researching I found this page which has a great SQL based option that uses unique strings to track a users details.

http://www.4guysfromrolla.com/webtech/041600-2.shtml

It has all the required code on pages 2 and 3 to code a system to track a user as long as they are using the same IP within a given period of time.

[Staff: Warren Ashcroft]

This means you will have to store a cookie on the customers computer and use this to identify the user and store any session related data in the database

Not necessarily, you could store session state in a database or flat files (like PHP) for example - this only applies to (albeit most common) in-process session storage.

ASP.NET has native support for database session state storage and out-of-process state server storage (which we support); and its relatively easy to support other methods of session storage in ASP.

[RFH Reseller: askjim]

Not necessarily, you could store session state in a database or flat files (like PHP) for example - this only applies to (albeit most common) in-process session storage.

ASP.NET has native support for database session state storage and out-of-process state server storage (which we support); and its relatively easy to support other methods of session storage in ASP.

Hi Warren,

At work we store session state in SQL server database to allow load balancing. Such solution still requires a session cookie on the client to identify the user with the data held in the database. If the users session is terminated they will loose their session data. Therefore you would need to work round this using a more permanent cookie or put session identifier in URL - both solutions are not ideal.

James

[RFH Reseller: askjim]

I was looking at this because I was writing as Ajax Chat room to run on my site and had the same problem, I ended up using a different solution but while researching I found this page which has a great SQL based option that uses unique strings to track a users details.

http://www.4guysfromrolla.com/webtech/041600-2.shtml

It has all the required code on pages 2 and 3 to code a system to track a user as long as they are using the same IP within a given period of time.

If I am correct the user identifier is placed in the URL - this is a real killer for SEO - ePages does this

http://www.optomarket.com/epages/Opt...5b/Catalog/009

[Staff: Warren Ashcroft]

Hi Warren,

At work we store session state in SQL server database to allow load balancing. Such solution still requires a session cookie on the client to identify the user with the data held in the database. If the users session is terminated they will loose their session data. Therefore you would need to work round this using a more permanent cookie or put session identifier in URL - both solutions are not ideal.

James

Any session storage solution, including the defaults in ASP and ASP.NET HAVE to use cookies to track who owns what sessions - there is no way around this other than an ID in the URL like you mentioned which I believe ASP.NET supports to some extent.