I have a role-based ASP.NET C# web application in which I am putting the menu object inside a session, and I have a session timeout configured in the web.config as below:

 <forms defaultUrl="Home.aspx" loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="10"></forms>

I first logged into the system as an employee and waited until the session expired, and then when I click a link in the menu I am being rightly redirected to the login page with the ReturnUrl parameter. Now when I try to log in to the system as an administrator, I am still seeing the employee menu and not the admin menu. The method which loads the menu first checks to see if the menu session object is not null; if so, it loads the menu from the session, and if not, it builds the menu and puts it into session. So when the system times out, the menu session object is not being cleared. How can I fix this?

+1  A: 

Make sure that you're not re-using the same browser when you test logging in as an administrator. If you log in as an employee and then log in as an administrator with the same browser window, then you're probably accidentally reusing the same session. Add some tracing or breakpoints to verify that your menu is getting built when you expect it to be instead of simply pulled out of session.

If that's not the problem, then while you are tracing or stepping through the code, verify whether your application is properly identifying that the user is an administrator and is building the correct menu.

Dr. Wily's Apprentice
+1  A: 

You need to set a timeout on your session as well, and make sure it's the same timeout value as your authentication timeout.

<sessionState cookieless="UseCookies" timeout="10" useHostingIdentity="true"/>

This should kill the session at the same time that authentication expires.

Cylon Cat
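
The caching pattern from the question next to a variant that ties the cached menu to the user it was built for, as an added example that is not part of the original question or answers. The `MenuCache` class, the `BuildMenu` helper, the menu entries and the user names are hypothetical, and a plain dictionary stands in for the ASP.NET `Session` object so the code runs as a console program.

```csharp
using System;
using System.Collections.Generic;

static class MenuCache
{
    // Hypothetical builder: stands in for the application's role-based menu construction.
    static string[] BuildMenu(string role) =>
        role == "Admin" ? new[] { "Home", "Reports", "User Admin" }
                        : new[] { "Home", "My Profile" };

    // Pattern described in the question: reuse any menu found in session,
    // without checking which user it was built for.
    public static string[] GetMenuUnbound(IDictionary<string, object> session, string role)
    {
        if (session.TryGetValue("Menu", out var cached)) return (string[])cached;
        var menu = BuildMenu(role);
        session["Menu"] = menu;
        return menu;
    }

    // Bound variant: the cached menu is reused only when the stored owner
    // matches the currently authenticated user and role.
    public static string[] GetMenuBound(IDictionary<string, object> session, string user, string role)
    {
        var owner = (user, role);
        if (session.TryGetValue("MenuOwner", out var o) && owner.Equals(o)
            && session.TryGetValue("Menu", out var cached))
            return (string[])cached;
        var menu = BuildMenu(role);          // different or unknown owner: rebuild
        session["Menu"] = menu;
        session["MenuOwner"] = owner;
        return menu;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed scenario: the same session is still alive when a second user logs in.
        var session = new Dictionary<string, object>();
        MenuCache.GetMenuUnbound(session, "Employee");
        Console.WriteLine(string.Join(", ", MenuCache.GetMenuUnbound(session, "Admin")));

        session.Clear();
        MenuCache.GetMenuBound(session, "emp1", "Employee");
        Console.WriteLine(string.Join(", ", MenuCache.GetMenuBound(session, "admin1", "Admin")));
    }
}
```

In the web application the dictionary is `Session`; calling `Session.Clear()` in the login handler before the new user's menu is built has the same effect.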