Hi people,

I have a problem with session variables lost while redirecting to other pages.
What the codes does is to ask the user to sign in. If success authenticate the user, member ID will be assign to the session. And the next page will do a check on member ID in session.


Sign-in page :
- The usual form asking for password and email


Login page :
<%
If Success Login Then
Session("memberID") = Member ID
Response.Redirect "Page 1"
Else
Response.Redirect "login.asp?mode=2"
End If
%>


Page 1 :
<%
If Session("memberID") = 0 Then
Response.Redirect "login.asp?mode=1"
End If
%>


So, page 1 simply enforce user to login before viewing its content. The problem here is, in login page, the member ID does exists in session. But while redirecting over to Page 1, the member ID is lost !


I have got a few facts over the web, which does not apply in my case.

1. There are no Session.abandon been called in anywhere. No way the session data can be cleared away.
2. My server is on a workgroup and has no invalid characters ( refer http://support.microsoft.com/default...b;EN-US;316112 for one of the possible caused of session not persist)
3. The value does exists and stay in session while I am in login.asp... it just never stay alive till the next page.
4. I have testing on a few different PC and the same problem occurs
5. I use no frame for the webpages ( refer http://support.microsoft.com/default...;en-us;q178037 - this is applicable to IE 4,5 only)
6. Yes, the browser is cookies enabled
7. The pages are tested locally, never go through any firewall (I have read somewhere that ASP session might lost while travelling through firewall)
8. Standard session timeout : 20 minutes

All the server I have tested is running Win2k Server, IIS5, IE6.


Any idea what went wrong? Please advise.

Thanks in advance.

You can't redirect in the same page as you set the session like that.

The page needs to 'complete' before it actually sets the session variable, and as you are redirecting it hasn't yet completely sent all the session details to the users browser.

At least , I think that's the problem :=)

You might try setting:
response.buffer = true at the top of the page, or setting the session varible in "Page 1" AFTER you redirect..

Hope this helps..

Cheers,
Andrew

Hi Andrew,

I have done a very simple test.

Page 1:
a simply link to page 2
<a href=page2.asp>go</a>

Page 2:
assign a session variable and redirect immediately to page 3
<%
session("member") = 1
response.redirect "page3.asp"
%>

Page 3:
simply write out the session variable value
<%
response.write session("member")
%>


Yes, it does shows the value stored in the session... nothing is lost....

By the way, I have also set the response.buffer to true... and still the value stored in the session lost after redirecting to the second page.

Regards,
Tang

bumber. I thought that sounded really good too!! Maybe its for cookies only..

Anyway is this a syntax error:
Session("memberID") = Member ID

As the space in a variable name 'Member ID' would be a problem...

Cheers,
Andrew

Nope... Member ID is just to show that I will be putting a member ID value here...

hehe... tell you what, I do set the member ID value in cookies before I set the session variables and before I do the redirection.... well, I have checked the cookies and it holds the member ID value I have assigned it...

hmm.....

Well it's got me buggered! You seem to have tested everything...

Only thing I can come up with is to double check you code in Page1.. Perhaps just try outputting the session variable in page 1 rather than doing another redirect just to see if its there.

I mean you just tested it in thats simple example, so it should work!!!

If all else fails, how about adding your existing code to the new example pages you just made, a bit at a time, until it doesn't work.. Perhaps that way you will find the problem??

Good luck!!!

Andrew

well you should have notice that I have done a few of the research on the web before I posted to the forum (well... that means I simply can't find any solution over this super simply problem )

oh yeah... thanks for your replies.. I am going mad with SESSSION! ha...

I have never in my time as a professional webdeveloper (4 years) experienced that a session "forgets" anything and I have used it ALOT, so my guess is that this session of yours doesn't get set at all. If you post yur real code instead of pseudo-code it might be easier to debug...

...and for the record Bunce, sessions don't get sent to the browser. Sessions are stored on the server (and cookies are stored on the client) and once you reference either one of them in your ASP they are set right away.

I was referring to the session cookie, which does get sent to the client.

This is what W3C says, but I have to agree, I thought all Session("blah") stuff would be stored on the server....

Most of it does. It only sends this cookie to the client as a means of identification.

Makes sense when you think about it.. How else would the server know who's session data to grab from the server when someone makes a request? Needs some form of identification..

Thats why sessions won't work if cookies (or per-session cookies) are disabled on the browser.

Cheers,
Andrew

I think i get you; the cookie just stores the session id, which is used to id the client.

Hmmm, makes much more sense than trying to constantly send/retrive data from the client.

Offtopic; is it possible to access session x's variables from session y? (no not application variable or 'out like that)

Hi Guys,

This is my full code....

signup.asp
<form name=frmMemberLogin action=login.asp method=post>
<input type=hidden name=URL value="<%=varRedirectURL%>">
<table width="100%" border="0" cellspacing="1" cellpadding="1" bgcolor=#ffffff>
<tr>
<td width="45%" class="normalText"><div align="right">Email
Address &nbsp;</div></td>
<td width="55%" class="normalText"><input name="txtEmail" type="text" class="txt" id="txtEmail" size="30"></td>
</tr>
<tr>
<td width="45%" class="normalText"><div align="right">Password&nbsp;</div></td>
<td width="55%" class="normalText"><input name="txtPassword" type="password" class="txt" id="txtPassword" size="20"></td>
</tr>
<tr>
<td width="45%" class="normalText"><div align="right"></div></td>
<td width="55%" class="normalText"><input name="btnSubmit" type="submit" class="btn" id="btnSubmit2" value="Login"></td>
</tr>
</table>
</form>


login.asp
<!-- #include virtual="/library/member.asp" -->
<%
varEmail = Request.Form("txtEmail")
varPassword = Request.Form("txtPassword")
varRedirectURL = Request.Form("URL")

Set objLoginMember = New Member

If objLoginMember.memberLogin(varEmail, varPassword) Then
Session("memberID") = objLoginMember.memberID

If LTrim(RTrim(varRedirectURL)) = "" OR isNull(varRedirectURL) Then
Response.Redirect "/default.asp?mode=1"
Else
Response.Redirect varRedirectURL
End If
Else
If LTrim(RTrim(varRedirectURL)) = "" OR isNull(varRedirectURL) Then
Response.Redirect "signin.asp?mode=2"
Else
Response.Redirect "signin.asp?mode=2&URL=" & varRedirectURL
End If
End If
%>



signin.asp is where the form user needs to fill up email address and password.
login.asp page is where the authentication runs.
This function (objLoginMember.memberLogin(varEmail, varPassword) ) will return True or False. If true, it will assign member ID into session and redirect the user to the default.asp page.
varRedirectURL variable will hold the URL where user were redirected from. If authentication correct, it will be redirected back to that URL.

Anything wrong with the assignment of member ID into session???

I have included a virtual directory and there are sub folder in it... would it affect the session variables??

Tang

Not that I know of, would be a security risk. I assume that the 'ticket' that it sends contains server identification as well, so only that specific server can access it.

Even withink the server, it finds a way to uniquely identify session, for the same user.. When you open a new browser instance, on the same site, you're actually creating a new session, so it has to differentiate that as well.

I recall a KB article about sharing *cookies*, and a related security problem, but nothing about sessions.

Cheers,
Andrew

I did mean on the server...but hey, I don't even know why it would be useful.

hktang, your code does not look complete; the signup.asp uses a variable to redirect that is not listed, also member.asp that you include.