We use this approach at work so that when users upload data in separate but concurrent session to a webservice, we can catch 90% of the cases where timeout has occurred and warn the user then and there.
We don't catch every case because:
- Session timeout event handler in global.asax isn't reliably called the moment expiration occurs (IIRC)
- The user could have closed their browser window in the mean time.
Two common approaches of which I am aware are:
- Any user action causes an update to LastActionTime in the users table. Using this value + 20 minutes (or whatever your session timeout value) is a pretty good indication of who is logged in
- A small AJAX panel updating every few seconds (linked with the previous option).