user_id as session variable

[JT]

the application i'm working on stores user_ids as a session variable. many
stored procedures throughout the application accept this user_id as a
parameter. the problem is that often times a user's session will expire
without them knowing it (like if they left their browser open for 2 hours
without doint anything.) then when they go to execute a stored procedure
that accepts session("user_id") as a parameter, the sp will fail and asp
errors will get written to the screen. i'd like the application to be a bit
more graceful than that. is there a way to somehow configure the webserver
to detect when a user's session has expired?? and if so then redirect them
to the login page so that they can begin a new session.. i think that this
problem could be solved had the .dlls for db connectivity been written to
correctly handle the error of a procedure trying to execute with a paramter
missing.

to get a better feel for the problem this is what is going on - -
normal working conditions - user executes the following from asp
'exec spGetAccountInfo 12345, 73' --where 12345 is the account number being
retrieved, and 73 is a user id.

now if the session has expired the following would be attempted to run
'exec spGetAccountInfo 12345,'

so basically what is the proper way to handle this???

tia
jt

[Aaron Bertrand [MVP]]

> without them knowing it (like if they left their browser open for 2 hours

> without doint anything.) then when they go to execute a stored procedure
> that accepts session("user_id") as a parameter, the sp will fail and asp
> errors will get written to the screen. i'd like the application to be a
> bit
> more graceful than that.

So, at the top of each page (e.g. in an include),

if clng(session("user_id")) = 0 then
response.redirect("login.asp")
end if

Also see [url]http://www.aspfaq.com/2265[/url] for an approach to warning people before
their session expires.

--
Aaron Bertrand
SQL Server MVP
[url]http://www.aspfaq.com/[/url]

[J. Baute]

"JT" <jt@nospam.com> wrote in message news:<ewEW8WfLEHA.1144@TK2MSFTNGP12.phx.gbl>...

> the application i'm working on stores user_ids as a session variable. many
> stored procedures throughout the application accept this user_id as a
> parameter. the problem is that often times a user's session will expire
> without them knowing it (like if they left their browser open for 2 hours
> without doint anything.) then when they go to execute a stored procedure
> that accepts session("user_id") as a parameter, the sp will fail and asp
> errors will get written to the screen. i'd like the application to be a bit
> more graceful than that. is there a way to somehow configure the webserver
> to detect when a user's session has expired?? and if so then redirect them
> to the login page so that they can begin a new session.. i think that this
> problem could be solved had the .dlls for db connectivity been written to
> correctly handle the error of a procedure trying to execute with a paramter
> missing.
>
> to get a better feel for the problem this is what is going on - -
> normal working conditions - user executes the following from asp
> 'exec spGetAccountInfo 12345, 73' --where 12345 is the account number being
> retrieved, and 73 is a user id.
>
> now if the session has expired the following would be attempted to run
> 'exec spGetAccountInfo 12345,'
>
> so basically what is the proper way to handle this???
>
> tia
> jt

You might want to consider not using sessions at all, as they aren't
good for scalability reasons.

If you're storing only this user_id in your session, and store all
other session related data in your database, you could store this ID
in a cookie, and set it's expiration date to eg. a few days or
"infinite" time, which will give your users considarable time to
finish whatever they where doing.

It would be wise to encrypt this user_id when stored in that cookie of
course, otherwise it would be too easy to abuse it.