Session won't abandon?

[JMik]

Hello everybody,

I'm kind of new to ASP, although I've been a VB programmer for a while now, and there's a little thing that's really bothering me, so maybe someone can help me out:

I have this ASP page, which relies on sessions. When someone clicks on a given link, the page calls itself with a URL parameter to trigger the abandon session. That works great, and the message that the session has been abandonned appears. However, if I then return to the previous page and even click refresh, the session is still alive and well and everything appears to be as before. So what gives, am I missing something?

Thanks in advance,

JMik

[JoshT]

By re-requesting the page from the web server, you are beginning a new session.

Josh

[compuGEEK]

Hi,

In addition to session.abandon, I would set the session variable = " "

Good luck!

CG

[sebs]

Try:


session.expires=0


it will never be store in the cache of your browser

is that what you need!!

[JMik]

Hey Guys,

I want to thank everybody for their help, but unfortunately, none of this seems to work:

JoshT:
The whole problem is, it's not starting a new session. The session ID remains the same, despite the fact that the session.abandon was triggered during the last operation.

compuGeek:
I'm not sure how I would go about doing this, since Session = "", Set Session = Nothing and Session.Value = "" all seemed to be invalid operations. What did you mean exactly?

sebs:
"Expires" doesn't seem to be a valid method of the Session object. Could you explain that a little more?

Thanks again guys,

JMik

[compuGEEK]

You can try:

Code:

session("NameofSessionVar") = " " 

-or-

session("NameofSessionVar") = NULL

-or-

session.contents.remove 'NameofSessionVar' (sans the quotes)

[sebs]

sorry, i meant
response.expires = 0

sorry, it will work!

[JMik]

Hello again everybody,

Sebs, expiring the page didn't seem to have any effect either, which is getting very puzzling.

CompuGEEK, I'm not using session name variables in the way you describe, which leads me to believe that maybe I don't understand this whole session thing at all. This is the way I currently have it set up when a user visits the page:

1) The page checks the current Session ID value and compares it to the value stored within the user's cookie.

2) If there is a match, brings the user to the main page.

3) If not, presents the login page. Once the user logins successfully, the current session's ID is stored in the user's cookie and then goes back to 1.

So, given this system, I don't see why I would need to use session name variables... Unless I'm missing something?

Thanks to everyone for their help,

JMik

[compuGEEK]

JMik,

But how are you initializing your session ID variable? Could you post your code?

Cool

CG

[JMik]

Sure, here it is... I trimmed it a bit (it was quite long), but the principals are intact.

Code:

	Function ValidLogin
	
		Dim strEmail
		Dim strPass
		
		strEmail = Request.Form.Item("Addr")
		strPass = Request.Form.Item("Pwrd")
		
		If Trim(strEmail) = "" Or Trim(strPass) = "" Then
			ValidLogin = False
		Else
		
			OpenDB
		
			If ValidEmail(strEmail) And CorrectPassword(strEmail, strPass) Then
				ValidLogin = True
			Else
				ValidLogin = False
			End If
			
			CloseDB
			
		End If
	
	End Function

	'----------------------------------------------

	Function ValidCookie
	
		If Trim(strUserID) = "" Or Trim(strSessionID) = "" Then
			ValidCookie = False
		Else
		
			OpenDB
			
			' ValidEmail is a simple function that checks to see if the user id exists in the database. Returns true if it does.
			If strSessionID = Session.SessionID And _
			   ValidEmail(strUserID) = True Then
				ValidCookie = True
			Else
				ValidCookie = False
			End if
			
			CloseDB
			
		End if
	
	End Function

	'----------------------------------------------

	strUserID = Request.Cookies("ThisPage")("UID")
	strSessionID = Request.Cookies("ThisPage")("SID")

	'----------------------------------------------

	If ValidCookie Then

	'> Valid Cookie

		' Check for url parameters
		If Request.Form.Count = 0 And Request.QueryString = "" Then

			' No Parameteres, display main page
			DisplayMainPage()

		Else
		'> Parameters were specified
		
			If Request.QueryString <> "" Then
			
				If Instr(1, Request.QueryString, "=") = 0 Then
			
					Select Case LCase(Request.QueryString)
						Case "goodbye"
							Response.Write("Goodbye!")
							Session.Abandon
						Case Else
							Response.Write("Sorry, this is not a valid request.")
					End Select
					
				End If	
				
			End If
		
		End If
	Else

	'> Invalid Cookie
	
		If Request.Form.Count = 0 And Request.QueryString = "" Then

			DisplayLoginPage()

		Else
		
			If ValidLogin Then

				'Set cookie with this session's id and user id
			
				Response.Cookies("ThisPage") = ""
				Response.Cookies("ThisPage")("UID") = Request.Form.Item("Addr")
				Response.Cookies("ThisPage")("SID") = Session.SessionID

				'Reload this page
				
				Response.Redirect("ThisPage.asp")
					
			Else
				'Bad name or password

				Response.Write("Invalid Login. Your e-mail address or password may be incorrect. Please try again.")
					
			End If
			
		End If
		
	End If

JMik

[compuGEEK]

With Session.Abandon, it's important to remember that your session variables aren't actually destroyed until the every script on the page has been processed. So, you could put Session.Abandon as the very last statement of your code.

Another way is to use a For loop using Session.Contents

Code:

<%
  For Each x in Session.Contents
      Session.Contents.Remove(x)  
    End If
  Next
%>

Anyway, I hope you're able to find a solution.

CG