The Session_OnEnd function cleans up objects when the user session ends, whether because of a time-out or a user exit, or when Active Server Pages abandons a session.
Both the Session_OnStart and Session_OnEnd functions are in response to specific user requests coming in from a browser. The first time a new user requests an .asp file, Session_OnStart is called. When Session_OnStart is finished, the application's first .asp file starts to process. Session_OnEnd is called either when the session times out or when there is a script call that tells Active Server Pages to abandon the session, such as when a user clicks Log Off in Microsoft Outlook Web Access.
If you rewrite the Session_OnEnd function, make sure you return all session variables to Empty or to Nothing (for object variables).
Impersonation is used in the Session_OnEnd function to ensure that a CDO object is in the right security context when the user session ends.
At logon time, the ImpID property is read. This property returns an impersonation handle that can be subsequently used in Session_OnEnd. The handle is stored in the Session object:
Session("hImp") = objRenderApp.ImpID
In the Session_OnEnd function the Impersonate method is used to impersonate a user context.
hImp = Session("hImp")
objRenderApp.Impersonate(hImp)
The call
objRenderApp.Impersonate(0)
reverts the session to its initial state, that of an empty session. This must occur before the session terminates.
The Application object may have session handles that refer to stored objects (such as a folder, a message, or a renderer). In this case, you need to store an impersonation handle in the Application object so that the application is in the right security context when the application ends in Application_OnEnd.
This applies to the Session object as well; if you store any data in the Session object, you must also store an impersonation handle in the Session object so that you can destroy the right objects in the right security context in Session_OnEnd.