Jump to content

Session.Timeout Help


johnnyg24

Recommended Posts

If you want to create a session for an individual page just set the session.timeout in that page.

<%@language="vbscript"%><%Option explicit%><%Session.Timeout = 10 ' Or some other value%>

Link to comment
Share on other sites

Welcome :)About the altered session, I'm not really sure but I already test it 10 minutes ago. :) Here some workflow. <_< If Global.asa is set with Session.Timeout = 20If PageA.asp is set with Session.Timeout = 25If PageB.asp is set with Session.Timeout = 30If PageC.asp is not set.If only PageA.asp executed, the session will be 25 minutes.If only PageB.asp executed, the session will be 30 minutes.If only PageC.asp executed, the session will be 20 minutes.But :) If PageB is executed first, the session will be 30 minutes.Then you execute PageC.asp, the session will be also 30 minutes.Thus I think that even you change a session at a page, other page that doest't set with session.timeout will follow the session state of the previous page. :( You can use session.abandon() to restore to the default timeout state before procede to other page. :) The session.timeout itself is a property. It differ from the response.cookies that had path and domain as it properties. So the session.timeout is a global method. :)

Link to comment
Share on other sites

Thanks Fiq,I think to play it safe, I will only set the timeout once in the global.asa. I currently don't have any need for different session.timeouts.What about setting the timeout in IIS default settings? Will this override the Global.asa or will the Global.asa override the IIS settings?

Link to comment
Share on other sites

Welcome. Good decision. It is better to play it safe because if the session is always altered it will give a problem to the users.OK. Here the situation.The IIS is a platform or a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows. In IIS, you can create a lot of domain, mainly in website hosting package industry. The IIS will set the default setting for all domain in the server.If you own a server, you can set all the applicable setting insted using Global.asa.If you use a hosting package, there is no way you can change that setting. So the only way to change those settings by using Global.asa.Some example here.

  • You own server A.
  • You have somesiteA.com, somesiteB.com and somesiteC.com in the server A.
  • You can set the timeout in IIS because you want all domain have the same timeout=30.
  • But somesiteC.com need more timeout where timeout=40 while somesiteA.com and somesiteB.com use the same timeout as set in the IIS which is timeout=30.
  • So you use Global.asa, set the timeout=40 and place it in somesiteC.com

So there is nothing override nothing. The flow is simple.If no Global.asa.User start browse (start application) >> Request Procedure occur >> Request IIS >> Registry - Global.asa enable >> Request Global.asa >> No Gobal.asa >> Request IIS >> Send to User.If Global.asa exist.User start browse (start application) >> Request Procedure occur >> Request IIS >> Registry - Global.asa enable >> Request Global.asa >> Send to User.In hosting plan or package, a lot of provider disable the registry of global.asa to avoid network attack such as hacker and virus.Actually, the question that you asked is about server. I'm not standard qualifiable to advice you with this problem. So make sure you ask someone professional about this, after this.About the session.timeout, the session is mainly used in an internal website system or application such as registering a user or logging in a user. It is best to look in from the base of the security purpose.As an example.

  • A visitor fill a registration form.
  • The visitor click the submit button and the information is sent to the script to be added to the database.
  • A form that have a lot of information may need a long period to complete the AddNew procedure depend on the network traffic and the user connection
  • So you already set the timeout in the script where the timeout=10 for idle.
  • So if the procedure of adding to the database is exceed the limit of the timeout, you will get the session expired page.
  • This method is to prevent the network attacker from altering the data that being processed while submitting the data.

In other view, the session may be needed to be added in the upload form. Big data to be uploaded need a lot of time. So make sure to set the timeout as needed. If you use the timeout, make sure to set it to the default timeout after every procedure. If your global.asa set timeout=20, the set it back to 20 after completing any procedure that you use timeout.If there is no other session object to be use or you want to ignore others session object, you can use the session.abandon() property that will burn all the session and set any applicable default session to the default state.That all that I have and the best that I can give you. :)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...