Get Session to expire gracefully in ASP.NET

Question

I need a way to tell ASP.NET "Kill the current session and start over with a brand new one" before/after a redirect to a page.

Here's what I'm trying to do:

1) Detect when a session is expired in the master page (or Global.asax) of an ASP.NET application.

2) If the session is expired, redirect the user to a page telling them that their session is expired. On this page, it will wait 5 seconds and then redirect the user to the main page of the application, or alternatively they can click a link to get there sooner if they wish.

3) User arrives at main page and begins to use the application again.

Ok, so far I have steps 1 and 2 covered. I have a function that detects session expiry by using the IsNewSession property and the ASP.NET Session ID cookie value. if it detects an expired session it redirects, waits five seconds and then TRIES to go to the main page.

The problem is that when it tries to redirect, it gets to the part in the master page to detect an expired session and it returns true. I've tried calling Session.Abandon(), Session.Clear(), even setting the session to NULL, with no luck.

Someone out there has had to have faced this problem before, so I'm confident in the community to have a good solution. Thanks in advance.

Answer 1

The problem you are describing happens because asp.net is reusing the sessionid, if the sessionid still exists in the auth cookie when you call abandon() it will just reuse it, you need to explicitly create a new sessionid afaik something like:

 HttpCookie mycookie = new HttpCookie("ASP.NET_SessionId");
    mycookie.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(mycookie);

Answer 2

Are you calling Session.Abandon in your special "Your session expired" page? If so, don't.

Answer 3

We had a problem on our site, where the .NET Session was timing out the session after 20 minutes, then going into an infinite loop when the user came back online, and it tried to restart.

We killed the session using your method above, and it works now. THanks!

Munawar

Answer 4

The adding the cookie trick worked for me also, as follows:

    Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
    ' Code that runs when a new session is started        
    If Session.IsNewSession Then
        'If Not IsNothing(Request.Headers("Cookie")) And Request.Headers("Cookie").IndexOf("ASP.NET_SessionId") >= 0 Then
        If Not IsNothing(Request.Headers("Cookie")) AndAlso Request.Headers("Cookie").IndexOf("ASP.NET_SessionId") >= 0 Then
            'VB code
            Dim MyCookie As HttpCookie = New HttpCookie("ASP.NET_SessionId")
            MyCookie.Expires = System.DateTime.Now.AddDays(-1)
            Response.Cookies.Add(MyCookie)

            'C# code
            'HttpCookie mycookie = new HttpCookie("ASP.NET_SessionId");    
            'mycookie.Expires = DateTime.Now.AddDays(-1);    
            'Response.Cookies.Add(mycookie);

            Response.Redirect("/timeout.aspx")
        End If
    End If       
End Sub