Users online session expiry

[NightStalker-DNS]

Hi there

We have a users online section on our website. Below is the code for the global.asax

After playing around with the code for some time,we have a pretty stable solution.We opted to store the online users in a database to make it more stable.
The user gets inserted into the database everytime he logs in at the logon page.
The only problem is that everytime we update our app_code,all of the users online dissapear.

The session_start code was implemented to try and stabalize the system a bit---it is technically not needed cause users are inserted into the database on the logon page.
It was implemented for when the Formsauthentication hasnt expired,but the session has.
According to the code below,shouldn't the database entry be re-inserted if session expires because of recompilation of app_code?
Any help would be greatly appreciated.

Code:

void Session_Start(object sender, EventArgs e) 
    {
       //the person is still logged in--only his session expired because of app_code--re-insert him into the database
       if (User.Identity.Name!="")
        {
          
    }
    }

Does anybody have any ideas on how to fix this?
As i have said, it works pretty well unless you change anything on the app_code.

Code:

<script runat="server">

    void Session_Start(object sender, EventArgs e) 
    {
       if (User.Identity.Name!="")
        {
            SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ToString());
            SqlCommand checkOnlineCmd = new SqlCommand("Select * from OnlineUsers where username=@username", con);
            checkOnlineCmd.Parameters.AddWithValue("@username", User.Identity.Name);
            con.Open();

            SqlDataReader reader = checkOnlineCmd.ExecuteReader();
            if (!reader.Read())
            {
                reader.Close();
                checkOnlineCmd.CommandText = "Insert into OnlineUsers(sessionID,username) values('" + Session.SessionID + "',@username)";
                checkOnlineCmd.ExecuteNonQuery();

            }
            con.Close();
        }
        

    }

    void Session_End(object sender, EventArgs e) 
    {

        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ToString());
        SqlCommand deleteOnlineUserCmd = new SqlCommand("Delete from OnlineUsers where sessionID=@sessionID", con);
        con.Open();
        deleteOnlineUserCmd.Parameters.AddWithValue("@sessionID", Session.SessionID);
        deleteOnlineUserCmd.ExecuteNonQuery();
        deleteOnlineUserCmd.Dispose();
        con.Close();
       
        //FormsAuthentication.SignOut();

    }
       
</script>

[jeffyjones]

First off, I strongly suggest moving your database code out to a place that is just for data access, either in App_Code or a class library or something. It makes your code easier to read.

Your code is at odds with the way that ASP.NET handles sessions internally. You can't rely on it, or session ID's. A better way is to circumvent it entirely by creating your own ID's and storing them in a cookie, and comparing those ID's to the database. Then you need a static Timer (do this in an HttpModule) that runs every so often to clean out the dead sessions based on time.

I've got an implementation of this in my forum app (link in sig) if you'd like to take a look. Look in the class library in the security namespace, and the HttpModule (in UI/HttpModules) that has the timer.