Asp. NET without flush perform session authentication

In writing a customer's B/s structure application, suddenly found a skill, do not know whether it is a bug, to the relevant research friends originally considered to write a check session class, after the session expires, must turn to the landing page, can each call the class of the page, In different web paths, so the URL to the landing page is different, each page to call and set the landing page path, so the actual application to give up the idea later consider to write a check session invalid page, by the client every second refresh, you can call in a page, But by frame embedding the aspx old when there is a request sent, not too good-looking, Although the page is hidden. Then, think about it, use a page, using no refresh technology, to request the page of the expiration session can be, here the non-refresh technology using the XMLHTTP object, not using WebService technology. (because the customer's BS system, using frame frame, the topmost page is to display the software name, the user login information, so the call is placed on the page).

Let's take a look at the code, primarily the client's JavaScript script program

<scriptlanguage= "JavaScript" >
varidx=0;
Functionchksession ()
{
Varhttp=newactivexobject ("Microsoft.XMLHTTP");
Http.open ("GET", "chksessionout.aspx", false);//Check the page where the session is invalid
Http.send ();
varstr=http.responsetext;//return results after aspx execution
idx++
document.all ("ConvertResult"). Innerhtml=str+idx;
if (str== "Notnull")
{
alert (str);
}
Else
{
Alert ("Session value tracking time timed out, log on again ...");//This code has not run, look down, you know
Location.href= "Longin.aspx";
}
Window.settimeout (' chksession () ', 1000);//Every second, request once chksessionout.aspx
}
</script>

This code, I put in between the <HEAD></HEAD> tag, and then when the body is loaded, call the function, as follows:

<bodyonload= "Chksession ();" >

ChkSessionOut.aspx.cs code as follows chksessionout.aspx the HTML tags in the file are all deleted by me, so that the following code, only the output of the results

Privatevoidpage_load (OBJECTSENDER,SYSTEM.EVENTARGSE)
{
if (session["sUserID"]==null)
{
Response.Write ("IsNull");
Return
}
Else
{
Response.Write ("Notnull");
Return
}
}

To test the above procedure, I changed the contents of Web. config to change the session setting to a part of the Web. config file after one minute, set the place for the session to expire after one minute, as follows:

<sessionstatemode= "InProc" stateconnectionstring= "tcpip=127.0.0.1:42424" sqlconnectionstring= "datasource= 127.0.0.1; Trusted_connection=yes "cookieless=" false "timeout=" 1 "/>

Then I run the code, I specifically on the original IE, using the menu to open a new IE window, to ensure that they are checking the same session, Enter chksessionout.aspx in the address, the program runs, found the secret, a minute later, I point to refresh chksessionout.aspx page, incredibly output notnull, I think, yes, I am every second in the request to this page, so no failure reason, then I will have no refresh technology Page closed, after a minute, found that the output isnull, indicating that the session failed, the discovery is good, I took a surprise! Think Vs.net good, it is a good tool, haha! My environment iis5.0,win2000,vs.net2003 then I have set 30 seconds automatic request, no Refresh Technology Main Page, session does not expire, a close or 1 minutes after the failure, taking into account 1 minutes/30 seconds is an integer, set to 50 seconds, No refresh the main page of the technology, it is over 1 minutes, invalid! Haha, completely understand! 1 minutes/50 seconds non-integers, so fail

Reprinted from: http://www.aspnetjia.com

Asp. NET without flush perform session authentication