Maybe it's that I've written a couple of articles on sessions,
applications, and global.asa or maybe it's just a difficult
topic for beginners to grasp, but I've been getting
questions about when a session ends for what seems like
forever. Well it's time to put the final nail in the
coffin and put this issue to rest once and for all.
This email was the one that finally convinced me this
had to be done. I've left out the name and done some
editing, but you'll get the idea.
It is not my intention to put down the author of this
particular message. In fact it was the ernest and honest
request for clarification that made me take notice of it
in the first place. My thanks go out to the author...
you know who you are.
Here's the body of the email:
I love your tutorial on global.asa. I tried everything to
access this file not knowing that I had to make my
directory an application. I have one problem... my
favorite online "school" is [site name removed to
protect the guilty] and they clearly state:
"[bulk of the description removed... again to protect the guilty; however, what remains is word for word...]
A session also ends if the user closes the web browser, or goes to someone else's web page."
I cannot find Microsoft's official word on this, but I would think the session ends when you close the browser. If it did not, this would be a drain on server resources and would have been fixed in later releases of IIS. You seem very adamant on this point and this makes me really want to know the correct answer.
Can you guide me to the correct source?
Here's the bulk of my reply:
I'm 110% sure. Sessions DO NOT end when a user closes their browser. There is no communication with the server when a browser is closed so there is no way the server can know to end the session. The same is true when you leave the site for another. Again no communication takes place between your browser and the site you're leaving so the server never knows you've left.
You can illustrate this by creating a routine in the Session_OnEnd event that logs a timestamp to a textfile. Then hit a page in the application and close your browser. There will be no entry logged in the text file until 20 minutes later (or whatever timout you're app is set to) when the Session_OnEnd Routine is fired.
"The Session_OnEnd event occurs either when a current Session is abandoned by using the Session.Abandon method, or when it times out. By default this is 20 minutes after the last request for a page from the application, though this can be changed either by setting the Session.Timeout property or by editing the registry."
The docs are vague in areas when using the phrase "session is abandoned" and that may have led to some of the confusion in the community, but the correct interpretation is as in the quote above... meaning a script made a manual call to the Abandon method of the Session object. Even this can be tricky; however, since after calling Session.Abandon, any other hit to an asp page in your application (that doesn't have sessions specifically disabled) will start a new session.
Hope this helps clarify things,
And Just In Case It Doesn't...
Here's a sample of the type of code
I spoke of in the message above. It's all zipped up and ready for
you to play with.
There are 3 files: global.asa, session.asp, and session.log.
You'll need to unzip them to the root of an application on
your server, but be sure to back up any files that you have
with the same name first... global.asa is pretty common!
You'll need to set the NTFS permissions on the .log file to
give the user write permissions and edit the path to the .log
file in global.asa (if needed). Besides that everything should work fine.
Request session.asp from the server and follow the
If seeing with your own eyes doesn't convince you then I
guess I might as well give up...
After writing this article, I got a lot of email from people
asking if there was some way to make sessions end when the
browser is closed or the user moves on. Well there is...
Basically the only solution I know of is to set up a client-side
event to call a server-side script to abandon the session when the user leaves.
It's not fool-proof, browser-proof, or crash-proof, but it should work
with most javascipt-enabled browsers and will abandon the majority
of your sessions when the user leaves.
Being ever the lazy webmaster... here's one version of this type of
solution submitted by one of our visitors:
i just finished reading your "When Sessions End - Once And For All!". i
thought it was pretty much common sense that closing a browser doesn't end a
session but nothing suprises me. anyway, heres how i end a session everytime
someone closes a browser. its nothing special but it works. keep up the good
work with the site.
Here's the zip file containing the sample code.
Update: FAQ: Can I Access Session Variables In Session_OnEnd?
Yes... but don't take my word for it. Here's a code snippet that you can
use to replace the original Session_OnEnd routine from the sample script above.
It reads the session variable "Start" and writes it's value
to the log file along with the session's end time from within Session_OnEnd.
Dim objFSO, objFile
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strLogFilePath, 8, True)
Set objFSO = Nothing
objFile.WriteLine "Session: " & Session.SessionID _
& " started at " & Session("Start")
objFile.WriteLine "Session: " & Session.SessionID _
& " ended at " & Now ()
Set objFile = Nothing