views:

861

answers:

5

I'm currently working on a ASP.Net 3.5 project and trying to implement session timeout detection. I know how to do it with enabled session cookies, but without i'm totally lost.

When session timeout occurs i want to redirect the user to some custom page.

Can someone explain me how to do it?

My cookie based solution looks like this and i wan't to reproduce its behaviour:

if (Session.IsNewSession && (Request.Cookies["ASP.NET_SessionId"] != null))
    Response.Redirect("...");
+2  A: 

Session_End in the global.asax should always be fired, despite the type of session used.

-edit: you might also be interested in

Session.IsNewSession

as this gives you information on new requests whether the previous session could have been timed out.

Jan Jongboom
I know, but Session_End doesn't allow to push a redirect to the client. But thanks. I will add that requirement to my question.
Cubicle
Session_End is only fired if you're using InProc sessions - just because they are cookie-less doesn't preclude using Sql or State Server modes.
Zhaph - Ben Duguid
I tried Session.IsNewSession but that way i'cant distinguish between a brand new session and a timed out one.
Cubicle
A: 

It pretty much works the same way - the session service updates a timestamp every time ASP.NET receives a request with that session ID in the URL. When the current time is > n over the timestamp, the session expires.

If you put something in session and check to see if it's there on each request, if it is not, you know the session is fresh (replacing an expired one or a new user).

Rex M
I tried to use IsNewSession. It should be the same as your suggested solution. My problem is i can't distinguish between a new session and a timed out session this way.
Cubicle
A: 

If you don't like Session_End, you can try a very quick and dirty solution. Set up a Session["Foo"] value in Session_Start in global.asax, then check for Session["Foo"] in your page. If is null, the session is expired..

This is one of the solutions proposed in the Nikhil's Blog. Check it.

egapotz
Session will already be reinitialized when you are checking if Foo exists in your session, so won't work.
Jan Jongboom
A: 

I'd take a look at the "Database" section of AnthonyWJones' answer to a similar question here:

ASP.Net Session Timeout detection: Is Session.IsNewSession and SessionCookie detection the best way to do this?

In your session start event, you should be able to check a database for the existence of the SessionID - I assume that if I request a page with the SessionID in the URL, then that is the SessionID that I'll use - I've not tested that.

You should make sure you clear this DB down when a user logs out manually to ensure that you store a new instance of your flag.

Zhaph - Ben Duguid
+1  A: 

It looks like i've found a solution. I'm not very happy with it, but for the moment it works.

I've added a hidden field to my page markup

<asp:HiddenField ID="sessionID" runat="server" />

and following code to my CodeBehind

public void Page_Load(object sender, EventArgs eventArgs)
{
    if (Context.Session != null) {
        if (Context.Session.IsNewSession) {
            if (!string.IsNullOrEmpty(sessionID.Value)) {
               Response.Redirect("~/Timeout.aspx")
            }
        }
        sessionID.Value = Context.Session.SessionID;   
    }
}

You also need to add this to your Web.config or ASP ignores all posted form fields

<sessionState cookieless="true" regenerateExpiredSessionId="false"/>

regenerateExpiredSessionId is the important attribute.

Cubicle