ansaurus

Question

How to detect session timeouts when using cookieless sessions.

Answer 1

+2 A:

Session_End in the global.asax should always be fired, despite the type of session used.

-edit: you might also be interested in

Session.IsNewSession

as this gives you information on new requests whether the previous session could have been timed out.

Jan Jongboom 2009-09-09 14:11:17

I know, but Session_End doesn't allow to push a redirect to the client. But thanks. I will add that requirement to my question.

Cubicle 2009-09-09 14:13:07

Session_End is only fired if you're using InProc sessions - just because they are cookie-less doesn't preclude using Sql or State Server modes.

Zhaph - Ben Duguid 2009-09-09 14:20:50

I tried Session.IsNewSession but that way i'cant distinguish between a brand new session and a timed out one.

Cubicle 2009-09-09 14:29:05

Answer 2

A:

It pretty much works the same way - the session service updates a timestamp every time ASP.NET receives a request with that session ID in the URL. When the current time is > n over the timestamp, the session expires.

If you put something in session and check to see if it's there on each request, if it is not, you know the session is fresh (replacing an expired one or a new user).

Rex M 2009-09-09 14:13:20

I tried to use IsNewSession. It should be the same as your suggested solution. My problem is i can't distinguish between a new session and a timed out session this way.

Cubicle 2009-09-09 14:19:59

Answer 3

A:

If you don't like Session_End, you can try a very quick and dirty solution. Set up a Session["Foo"] value in Session_Start in global.asax, then check for Session["Foo"] in your page. If is null, the session is expired..

This is one of the solutions proposed in the Nikhil's Blog. Check it.

egapotz 2009-09-09 14:20:34

Session will already be reinitialized when you are checking if Foo exists in your session, so won't work.

Jan Jongboom 2009-09-09 14:35:51

Answer 4

A:

I'd take a look at the "Database" section of AnthonyWJones' answer to a similar question here:

ASP.Net Session Timeout detection: Is Session.IsNewSession and SessionCookie detection the best way to do this?

In your session start event, you should be able to check a database for the existence of the SessionID - I assume that if I request a page with the SessionID in the URL, then that is the SessionID that I'll use - I've not tested that.

You should make sure you clear this DB down when a user logs out manually to ensure that you store a new instance of your flag.

Zhaph - Ben Duguid 2009-09-09 14:47:20

Answer 5

+1 A:

It looks like i've found a solution. I'm not very happy with it, but for the moment it works.

I've added a hidden field to my page markup

<asp:HiddenField ID="sessionID" runat="server" />

and following code to my CodeBehind

public void Page_Load(object sender, EventArgs eventArgs)
{
    if (Context.Session != null) {
        if (Context.Session.IsNewSession) {
            if (!string.IsNullOrEmpty(sessionID.Value)) {
               Response.Redirect("~/Timeout.aspx")
            }
        }
        sessionID.Value = Context.Session.SessionID;   
    }
}

You also need to add this to your Web.config or ASP ignores all posted form fields

<sessionState cookieless="true" regenerateExpiredSessionId="false"/>

regenerateExpiredSessionId is the important attribute.

Cubicle 2009-09-09 15:20:11

ansaurus

tags:

views:

answers:

How to detect session timeouts when using cookieless sessions.

related questions