Posted by Gordon Burditt on 09/26/71 11:18
>I have a question about handling special cases of session expiration.
>In a project I'm working on, the users must log out or else their
>profile will be left in an unusable state -- at least until the
>administrator fixes it by hand.

This kind of design you should avoid at all costs. The administrator
may either go insane or may be convicted for murdering you.
If you must enforce logging in only once, when duplicate logins
happen, kick off the *OLD* login.

>What is the proper way of handling this? Is there a way to supply a
>function that is called when a session times out? What if the browser
>is closed?

It is common to have a session expire after some timeout after the
last hit or after login. It is *NOT* common to have code run at
that time. If your design requires that, well, do it another way.
It is common to check if the login has expired (might be days after
the session has expired) on each hit, and if so, redirect to the
login page again.

>I realize the best solution might depend on many things, so I'll be
>grateful for any pointers.

Users can have their sessions end for numerous reasons and they
cannot clean up afterwards: the computer crashes. Their dialup
line drops and they get back a different IP on redialing. Power
failures. The browser crashes. So forget about having code run
when any of these happen. You can have code run when they attempt
using the same session *after* it has expired (possibly years later).

Gordon L. Burditt
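
The pattern described in the reply above (expiry checked on each hit, and a duplicate login kicking off the old one), as an added example that is not part of the original post. The `LoginStore` class, its method names, the in-memory dictionaries and the 30-minute timeout are all assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds since last hit; constructed value for the example


class LoginStore:
    """Hypothetical in-memory store: one live login per user, expiry checked per hit."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.by_token = {}  # token -> {"user": ..., "last_hit": ...}
        self.by_user = {}   # user -> token of the current login

    def login(self, user):
        # Duplicate login: drop the OLD session, so a crashed browser never locks the user out.
        old = self.by_user.pop(user, None)
        if old is not None:
            self.by_token.pop(old, None)
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.by_token[token] = {"user": user, "last_hit": self.clock()}
        self.by_user[user] = token
        return token

    def hit(self, token):
        """Call on every request. Returns the user, or None meaning: redirect to login."""
        rec = self.by_token.get(token)
        if rec is None:
            return None  # unknown, superseded by a newer login, or already cleaned up
        now = self.clock()
        if now - rec["last_hit"] > self.idle_timeout:
            # No timer fires at expiry; cleanup runs only now, when the stale
            # token is presented again (possibly much later).
            self._drop(token)
            return None
        rec["last_hit"] = now  # sliding timeout: measured from the last hit
        return rec["user"]

    def logout(self, token):
        self._drop(token)

    def _drop(self, token):
        rec = self.by_token.pop(token, None)
        if rec and self.by_user.get(rec["user"]) == token:
            del self.by_user[rec["user"]]
```

Nothing here depends on the user logging out: a session that is never presented again is simply replaced at the next login for that user.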