The following is a question I asked on my blog a few months back but I still haven't got a proper answer to. Then a couple of days ago I was asked if I had the answer, so I decided to copy the question in here where it will get much more exposure to willing-and-able developers. Anyways, here goes...


I have been working on an ASP.NET web application that utilizes the AJAX Control Toolkit controls to extend the usability of the application. In addition, the application is a serious business application that requires security, including encryption, authentication and authorization. And the HTTP session is an InProc mode session that expires in the default time of 20 minutes.

This of course means that if the user leaves a page on his browser for over 20 minutes the session has expired and any post back to the server will redirect the browser to the sign in page. However, if the page, for example, contains the AutoCompleteExtender control from the AJAX Control Toolkit, the user might get back to his browser and start using the extender's functionality, requiring behind-the-scenes callbacks, but will realize that the control simply doesn't work - no error nor redirection to the sign in page!?


Like I said, I don't have a solution so I ended up putting the SessionExpiredMonitor (by Herr Ziffer) on all my pages (in my MasterPage), which results in every page auto signing out in 19 minutes and then redirecting the browser to the sign in page. However, I don't find this to be a solution so if you can figure this out then please let me know. Thank you very much.

+1  A: 

On the server side you can detect that the session is expired and return a strongly typed exception. On the browser side, you can specifically detect that error and simply have the page refresh. This assumes that when your page posts back for the refresh, your application detects expired sessions and has the user log in again.

Brian Adams
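
One way to wire up the browser side of the approach in the answer above, as an added example that is not part of the original answer or the asker's application. It assumes a server contract the page does not specify: an expired session makes the callback endpoint return HTTP 401 with the JSON body `{"error":"SessionExpired"}`, and the sign-in page lives at the hypothetical path `/SignIn.aspx`. It also treats a callback that was silently redirected to the sign-in page as expired, so the control does not fail without feedback.

```javascript
// Added example. Assumed server contract (not from the original page):
// an expired session makes the callback endpoint answer HTTP 401 with
// JSON {"error":"SessionExpired"}. SIGN_IN_PATH is a hypothetical path.
const SIGN_IN_PATH = '/SignIn.aspx';
const EXPIRED_CODE = 'SessionExpired';

// Classify a finished callback. `res` is a plain object:
// { status, contentType, body, finalUrl } (finalUrl = URL after redirects).
function classifyCallback(res) {
  const type = (res.contentType || '').toLowerCase();
  // Case 1: the typed error the server sends on purpose.
  if (res.status === 401 && type.includes('application/json')) {
    try {
      if (JSON.parse(res.body).error === EXPIRED_CODE) return 'expired';
    } catch (e) { /* malformed body: fall through to generic error */ }
    return 'error';
  }
  // Case 2: the request was redirected to the sign-in page, so HTML
  // arrives with status 200 where the control expected data.
  let path = '';
  try {
    path = new URL(res.finalUrl, 'http://placeholder.invalid').pathname;
  } catch (e) { /* unparsable URL: treat as not redirected */ }
  if (path.toLowerCase() === SIGN_IN_PATH.toLowerCase()) return 'expired';
  if (res.status >= 200 && res.status < 300) return 'ok';
  return 'error';
}

// Act on the result. `nav.reload` is injected so this can be tested
// outside a browser; in a page pass { reload: () => location.reload() }.
function handleCallback(res, nav, onData, onError) {
  const kind = classifyCallback(res);
  if (kind === 'expired') nav.reload();      // server then forces sign-in
  else if (kind === 'ok') onData(res.body);  // normal callback result
  else onError(res.status);                  // real failure: surface it
  return kind;
}
```

The reload only helps if the full page request itself is rejected for an expired session, which is the assumption the answer states.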
A: 

What's wrong with redirecting the user to the login page after his session actually expired? From a user's point of view I do really prefer this over not noticing an expired session, filling out some way too long form and actually noticing the expiration on submit. It's at least a very user friendly solution to the problem.

Markus Nigbur
A: 

I think that auto-redirection is the preferable solution, mainly for obvious security reasons.

You could further extend the functionality by displaying an alert to the user after 18 minutes of inactivity, warning them that their session will expire in 1 minute and providing a way of extending the session by clicking a button which in turn calls a back end page to rejuvenate the session.

Just before the session expires and the page redirects the user to the login page you could save the status of the user / page / account so that when they log back in they can be redirected back to the page they last viewed.

Toby Mills