In ASP.NET, I’m looking for a way to audit a user leaving my application. To be specific, I’d like to insert a ‘logout’ record in an audit table in SQL Server when the user’s session is abandoned/destroyed for any reason (not necessarily because of a call to session.abandon)
I have a ‘SessionHelper’ class that manages the session setters/getters.
I’ve tried posting back in Session_End in Global.asax, but it never fired this event even after the timeout expired.
I’ve tried overriding ‘finalize’ in the SessionHelper class and doing it there when the class is destroyed, but it did not fire that event either.
I’d try implementing IDisposable in the SessionHelper, but I don’t know where to call it so that it always gets called.
What is the proper way to audit a user leaving your ASP.NET application?
Thank you!
The Session_End event is only fired if you have InProc sessions. SQL or state server session management will not fire this event. If you can, get back to InProc sessions and use this event.
Apart from that, you won’t get very good solutions. ASP.NET doesn’t offer a way to look at the current list of sessions on the server (at least, no way that users of StackOverflow know of, since I already asked the question), so you can’t use a job to check when they are destroyed.
The next best thing would be to have a ‘last access time’ stored somewhere for your users and use that to detect a timeout of the session. The implementation of such a job is complicated though (you can miss logout events if a user logs in/out rapidly for example)…
So no perfect solution here.