SessionState expired behaviour

Question

Is it possible to control the behaviour of ASP.NET when the Session has expired? It seems that the default behaviour is sending the user to the website root. The desired effect would be to send the user to a custom "Session Expired" page.

To clarify, it's the SessionState that's expiring (set the timeout to 1 minute to quickly test it):

<sessionState mode="InProc" timeout="1"></sessionState>

The authentication cookie timeout is way higher, to avoid any mix-up:

<authentication mode="Forms">
    <forms loginUrl="SessionExpired.aspx" slidingExpiration="true" name=".ttpASPXAUTH" timeout="58" protection="All"></forms>
</authentication>

Answer 1

I'm not sure about the whole Authorization ticket/session state problem, but an easy way to redirect someone to a particular page when their session has expired is to put code into the Application_AcquireRequestState event in the Global.asax file to check for a session variable and if it doesn't exist, redirect to your "session expired" page.

Answer 2

You can catch this in your global.asax in the Session_Start method.

I use something like this for simple sites:

if (!Request.Url.AbsolutePath.EndsWith("DEFAULT.ASPX", _
              StringComparison.InvariantCultureIgnoreCase))
{
    string newPage = string.Format("ErrorPage.aspx?ErrorMessage={0}", _
              System.Uri.EscapeUriString("Your session has expired."));
    Logger.InfoFormat("{0} Session expired or illegal page access attempted: {1}", _
              Utility.StoreRegisterForLog, Request.Url.ToString());
    Response.Redirect(newPage);
}

If they're not on the home page, she gets sent to the error page with a message saying her session has expired.