What is the best way to redirect to the login page when the session expires? I'm using

sessionState mode="InProc"

Can I set this in the web.config file?

+3  A: 

The trick to remember about the session expiration is that this happens in the worker process running behind the scenes and there is no direct way to notify the user without going back to the server to check the state of things.

What I do is I have the page register a JavaScript block that will redirect the user to the login page again after the designated timeout:

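' Resolve the app-relative "~/" path on the server; the browser does not understand it.
Page.ClientScript.RegisterStartupScript(Me.GetType(), "TimeoutScript",
 "setTimeout(""top.location.href = '" & ResolveUrl("~/Login.aspx") & "'""," &
 ConfigurationManager.AppSettings("SessionTimeoutMilliseconds") & ");", True)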

You'll notice that I have the actual milliseconds stored in my web.config file so that I can adjust the timeout length as needed.

Using this, combined with the typical Session_End event in the Global.asax file makes a pretty clean way of handling session timeouts in my web apps.

Dillie-O
How is the Session_Timeout method used?
Daud
Session_Timeout will do anything server-side that you need to do, such as remove any data you may be storing for the user. I typically call Session.Abandon() to remove anything that still might be there.
Dillie-O
Sorry, I should rephrase, the Session_Timeout event fires when the timeout parameter has been reached. That way you can clean up any data, or reset anything you need to. If the user had a record "checked out" and the session expired, you may want to "check it in" when the event fires to allow edits.
Dillie-O
GAH! Me and my typing today. I'm referring to Session_End in global.asax. I've updated accordingly.
Dillie-O
+1  A: 

One option, instead of setting a client-side timer to blindly redirect, is to have the timer hit a small web service which could indicate if the user should be redirected. What this does is give you a lot more flexibility: you could redirect a user in many cases, including:

  • Session Expired
  • Same user account logged in from another machine
  • Site is going into maintenance mode and you want to kick users out.

I've used this method with a lot of success for handling multiple user accounts. As for handling session, you'd probably want to listen for the session timeout event, then store in a hash table whose session timed out.

When that user calls the web service you remove them from the hash and tell the client code to redirect them.

Another nice thing about this type of system is you can track when the browser hits the server, so you can get a better sense of who is still online.

EDIT

In response to the comment below:

I don't think calling a public method would be cleaner. As soon as you do this you make an assumption that all pages share a single master page or common base class. I wouldn't want to make that assumption. Additionally, if you intend to use the PageMethods approach this won't work since PageMethods must be static.

I'm not exactly sure what your intention is, but if you were going to call this method on each request then I would do that using an HTTP module and hook into the pipeline; however, this only works when a request is made. By using a web service with a client-side timer you can redirect the user even if they are not making any requests.

JoshBerke
Wouldn't calling a public method on your basepage or masterpage using AJAX be cleaner? As you don't have to set up and manage the web service? Great answer though, I'm implementing this for sure.
Peter
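
The polling approach from the answer above, sketched as an added example (not code from the answer). The JSON shape, the reason codes, the failure limit and the function names are assumptions, and the status endpoint is assumed not to renew the session when it is polled.

```javascript
// Added example. Assumed response shape: { "redirect": bool, "reason": string }.
const KNOWN_REASONS = ["session-expired", "logged-in-elsewhere", "maintenance"];
const MAX_FAILURES = 3; // consecutive failed polls tolerated (a choice made here)

// Pure decision step: previous failure count + one poll outcome -> next action.
function decide(failures, poll) {
  if (poll.httpStatus === 401 || poll.httpStatus === 403) {
    return { action: "redirect", reason: "session-expired", failures: 0 };
  }
  if (poll.error || poll.httpStatus !== 200) {
    const n = failures + 1; // network error, 5xx, or a non-JSON body
    return n >= MAX_FAILURES
      ? { action: "redirect", reason: "status-unavailable", failures: n }
      : { action: "wait", reason: null, failures: n };
  }
  const body = poll.body || {};
  if (body.redirect === true) {
    // Map to a fixed reason code; the response never supplies the target URL.
    const reason = KNOWN_REASONS.includes(body.reason) ? body.reason : "session-expired";
    return { action: "redirect", reason, failures: 0 };
  }
  return { action: "wait", reason: null, failures: 0 };
}

function loginUrl(loginBase, reason) {
  return loginBase + "?reason=" + encodeURIComponent(reason);
}

// Browser wiring (not run under Node): poll, decide, redirect at most once.
function startSessionWatcher(statusUrl, loginBase, intervalMs) {
  let failures = 0;
  const timer = setInterval(async () => {
    let poll;
    try {
      const res = await fetch(statusUrl, { credentials: "same-origin", cache: "no-store" });
      // A followed redirect is assumed to be the Forms login redirect.
      poll = res.redirected ? { httpStatus: 401 }
        : { httpStatus: res.status, body: res.ok ? await res.json() : null };
    } catch (e) {
      poll = { error: true };
    }
    const d = decide(failures, poll);
    failures = d.failures;
    if (d.action === "redirect") {
      clearInterval(timer);
      top.location.href = loginUrl(loginBase, d.reason);
    }
  }, intervalMs);
  return timer;
}
```
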
A: 

Can you tie into the Session_End event in the Global.asax file?

Jared
+1  A: 

Kind of a late reply, but, if you're using the standard asp.net membership provider you could also use the config below.

The basic idea for this is to have your authentication cookie + session expire at the same time. The automatic behaviour of asp.net would be to take you back to the defined login page. The "slidingExpiration" attribute on the auth cookie would need to be 'true' to keep extending its life while the session is active.

<system.web>
  <sessionState mode="InProc" cookieless="false" timeout="20" />
  <authentication mode="Forms">
    <forms name=".SAMPLESITEAUTH" loginUrl="~/Login.aspx" protection="All" timeout="20" slidingExpiration="true" path="/" cookieless="UseCookies"></forms>
  </authentication>
</system.web>
Brendan Kowitz
Unfortunately the slidingExpiration on your cookie doesn't work the way you hope. ASP.NET won't refresh the expiry on the cookie with every request; rather it does that only once every half-the-value-of-timeout minutes. I.e. if you set timeout="20", it only refreshes the cookie every ten minutes.
teedyay
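
A timing model of the mismatch described in the comment above, as an added example (not code from the answer or the comment), written in JavaScript to match the other example on this page. It assumes the InProc session timeout restarts on every request, while the Forms ticket is reissued only once more than half of its lifetime has elapsed; the function name and request times are constructed.

```javascript
// Added example: all times are minutes since login (constructed sample data).
function simulate(requestTimes, sessionTimeout, formsTimeout) {
  let ticketIssued = requestTimes[0];               // first entry is the login
  let ticketExpires = ticketIssued + formsTimeout;
  let sessionExpires = requestTimes[0] + sessionTimeout;
  const rows = [];
  for (const t of requestTimes.slice(1)) {
    const authOk = t < ticketExpires;
    const sessionOk = t < sessionExpires;
    let renewed = false;
    if (authOk) {
      // Ticket slides only when elapsed time exceeds remaining time.
      const elapsed = t - ticketIssued;
      const remaining = ticketExpires - t;
      if (elapsed > remaining) {
        ticketIssued = t;
        ticketExpires = t + formsTimeout;
        renewed = true;
      }
    }
    const outcome = !authOk ? "login-redirect"
      : !sessionOk ? "authenticated-but-session-lost"
      : "ok";
    rows.push({ t, authOk, sessionOk, renewed, outcome });
    if (!authOk) break;                  // user is sent back to the login page
    sessionExpires = t + sessionTimeout; // session slides on every request
  }
  return rows;
}

// timeout="20" on both: a request at minute 9 does not renew the ticket,
// so the request at minute 21 (12 minutes idle) lands on the login page.
console.log(simulate([0, 9, 21], 20, 20));
```
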
A: 

The answer below is the best example ever and ever......

Better to try this way:

Page.ClientScript.RegisterStartupScript(Me.GetType(), "TimeoutScript", "setTimeout(""top.location.href = '" & ResolveUrl("~/Login.aspx") & "'""," & ConfigurationManager.AppSettings("SessionTimeoutMilliseconds") & ");", True)

You'll notice that I have the actual milliseconds stored in my web.config file so that I can adjust the timeout length as needed.

Using this, combined with the typical Session_End event in the Global.asax file makes a pretty clean way of handling session timeouts in my web apps.

Regards, Nagaraju R || Dell PerotSystems ||

Nagaraju