views:

4494

answers:

7

I'm a doing some blackbox testing of a ASP.Net website and I need to test different session timeout scenarios.

I'm not sure they fully encapsulated session timeouts. Other then leaving a page open for 20 minutes is there an easier way to force a session timeout?

A: 

Recycle the app pool on the server.

chris
+1  A: 

Add a page to the site and call Session.Abandon()

John Sheehan
+2  A: 

If you are storing your session information in a cookie, you could try deleting your cookies.

Petey
This would probably work because the sessionID is stored in cookies
John Sheehan
+2  A: 

Make a shorter timeout.

nportelli
This won't work if they specify the timeout throughout the code, otherwise setting the timeout in web.config would work
John Sheehan
The code should probably take the value from some sort of config file.
tpower
+1  A: 

Bounce the AppPool and session will be lost.

if you don't have direct IIS access, you can open and save Web.Config to do the same thing (Don't use notepad, it screws up the encoding).

FlySwat
Do you have more info about notepad screwing up the encoding? I haven't had a problem using notepad (yet), also this MS support article describes using notepad to edit web.config, "You can create a Web.config file by using a text editor such as Notepad.": http://support.microsoft.com/kb/815179
J c
+2  A: 

You can change the timeout in your webconfig

 <authentication mode="Forms">
      <forms timeout="10" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies"/>
 </authentication>
Eduardo Campañó
+11  A: 

Decrease the timeout

The easiest and most non-intrusive way to test this is probably to just decrease the timeout to a fairly small number, such as 3 or 5 minutes. This way you can pause for a few minutes to simulate a longer pause without worrying about application restarts or special reset code having any affect on your test results.

You can modify the session state timeout in a few locations - globally (in the web.config located in the config folder for the applicable .NET framework version), or just for your application.

To modify the timeout just for your application, you can add the following to your application's web.config:

  <system.web>
    <sessionState timeout="60" /> 
  ...

Alternatively, you can also modify this same setting for your application through an IIS configuration dialog (I believe you still need to have a web.config defined for your application though, otherwise Edit Configuration will be disabled).

To access this, right-click on your web application in IIS, and navigate to Properties | ASP.NET tab | Edit Configuration | State Management tab | Session timeout (minutes).

Note that you can also manipulate this setting through code - if this is already being done, than the setting in the web.config file will effectively be ignored and you will need to use another technique.

Call Session.Abandon()

A slightly more intrusive technique than setting a low timeout would be to call Session.Abandon(). Be sure to call this from a page separate from your application though, as the session isn't actually ended until all script commands on the current page are processed.

My understanding is that this would be a fairly clean way to test session timeouts without actually waiting for them.

Force an application restart

In a default configuration of session state, you can simulate a session timeout by blowing away the sessions entirely by causing the application to restart. This can be done several ways, a few of which are listed below:

  • Recycle the app pool through
    • the IIS MMC snap-in
    • the command-line (iisapp /a AppPoolID /r)
    • modifying web.config, global.asax, or a dll in the bin directory
  • Restart IIS through
    • the IIS MMC snap-in
    • services.msc and restarting the IIS Admin service
    • the command-line (iisreset)

When I mention "default configuration", I mean a web application that is configured to use "InProc" session state mode. There are others modes that can actually maintain session state even if the web application is restarted (StateServer, SQLServer, Custom).

Tamper with the state tracking mechanism

Assuming your web application isn't configured with a "cookie-less" mode (by default, cookies will be used), you could remove the cookie containing the session ID from the client browser.

However, my understanding is that this isn't really simulating a time-out, as the server will still be aware of the session, it just won't see anyone using it. The request without a session ID will simply be treated as an unseen request in need of a new session, which may or may not be what you want to test.

J c