I want to notify the user as soon as the session expires.. an alert and redirect to another page. What is the best way to do it considering I have no master page. Although most of the pages inherit the basePage where the property for current user is set.. Can I some how use this page so I wont have to make changes on every page. Also can this be done on server side or do I need to use jQuery?
Please advice
Thanks,
Kavita
You can use jQuery idleTimer plugin for detecting Idle Time & show alert to the user based on that & further redirect the user when session timeouts.
Eg.:
You can set session timeout to some value say 30 minutes. Use javascript code to detect user inactivity or idle time.
Detecting Idle Time
If the user is inactive for say 20 minutes, you can show him the popup or link to the user saying do you want to continue your session. If the user click the link his session will continue, otherwise he will be redirected to logout page.
I ended up using
http://www.dotnetcurry.com/ShowArticle.aspx?ID=453
This is not what I wanted but considering the architecture of the project, this was the only feasible option
Related
What is the best way to force a user to login again if the session expires. I am using forms authentication. Also the solution needs to work even if user has multiple tabs opened in the browser.
This happens automatically. Once the session is expired, the next page the user requests that requires authentication should redirect to the login page. If you mean that you want the page no longer displayed if left sitting for too long, there are a couple of approaches.
Add a META REFRESH tag to every page header. The refresh time
should be close or equal to the session timeout. Note that if you
make AJAX calls, the refresh tag does not reset the timer to zero.
Use the Javascript setTimeout function to redirect just before the
session timeout.
I am using forms authentication with Asp.Net 4. At the moment when the users click on logout link, I clear the session and call FormsAuthentication.SignOut() and this prevents the users from going back to the site without a logging in again.
Now I want to kill the session when the browser or tab is closed. I tried doing this by handling onbeforeunload event, but I ended up killing the session after clicking any internal links.
Any ideas how I can do this?
You can't, but you can come close to.
The authentication cookies are session only, that means that delete by browser when the browser close. Maybe you do not close all browsers tabs, but if you close them all the authentication cookies are lost.
About closing a tab, you do not know if the user have other tab opens.
A possible solution maybe is a call every 10 seconds back to the server to keep this authentication active or not, and set the authentication to end up after 20 seconds. So if not any signal come back, the user have gone. This can be done using javascript. From the other hand this can not let the user logout after some minutes of inactivity, so you may need a combination of this logic with something else.
The best you can do is when your user explicitly logs out to also call Session.Abandon() to remove that user's session. But like others have said there is no way of knowing if the tab/window just closes without doing a logout in this fashion. The session will just hang around on the server until it expires.
I answered another question that had a problem with session being killed when the user edited the web.config on a live site. They were tracking users still being logged in with Session variables (dangerous). But came up with a solution (untested solution) that could help people here.
FormsAuthentication allows you to maintain a person being active and logged in indefinitely. But if they become inactive for e.g. 20 mins they will be logged out which is nice. But to have them logged out at the time the close their browser is not possible (wait for it...) as setting the timeout value to 0 would cause them to be constantly logged in then out again.
So solution : at the time you log a person in using FormsAuthentication you could also set a standard session variable cookie that will be deleted when they close their browser. This cookie would have non-identifying non-account related information. Just a simple "loggedIn:yes".
Now all your code would need to have on it's masterpage/materlayout is a high level call in the page cycle or constructor of the page cycle (or even a custom attribute) that would check both cookie and the user identity:
if(!HasLoginCookie() || !System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
{
// redirect user to log in page.
}
Basically if the cookie is removed when the browser is closed, you will redirect the user to the log in page.
Hopefully that helps (and works. As I said untested).
Can anyone tell me how can i start the session timeout after click of Login Button.
In my case the moment i run the application and go to Login page the session timeout is getting started but in my case i need to start the session timeout once click of Login Button in LogOn Screen.
and one more thing related to above issue the moment session expires and it redirects me to Login Screen(that is fine) but it makes me to enter Login Credentials twice and once i enter the credentials second time then it takes me to further pages.
Awaiting for your response. Thanks.
For your information session timeout will reset automatically after every event performed by the user, so you should not be worried about that, when user click on login button it will reset the session timeout.
You don't need to worry about the Session timeout. Session always initiates at your application's startup but the Session timeout resets on any postback or any request to the server.
Session would appear to be the wrong thing for what you are trying to achieve. Either a custom timer object embedded in the session would work, or forms auth tickets which would start when you logged in.
Simon
I am developing a web site using ASP.Net 3.5 C#. I am listing all the Online users ( users who re logged in on my site) in my site. I want to track and update user's status in Database when a user has logged out or simply closed the browser or navigated to some other site. In all these cases I want to update user's status as "Logged Out".
How can i move forward with it.
Thanks
Vivek
When the user clicks the button, you can just handle the click event on the server-side (in code-behind) and then log the status change.
For the case where the browser is closed, you can handle the Session_End event in the global.asax, which fires when the session ends:
public void Session_End(object sender, EventArgs e)
{
// Fires when the session ends
}
Legitimate logout (i.e. Logout by clicking on logout button etc.) can be tracked easily. You just have to handle the event and mark their database status logged out.
However closing the browser is one thing I never had a good success with. You will get many solutions over web which would tell you to capture the close button and then ajax request etc, but I did not have success with any one with that.
(Things like Session_End may come handy but there is a Gotcha that thisevent does not get fired, if you are using anything other than IN-PROC session mode so that's not reliable).
You don't really know if the user has closed the browser or not, or if he navigated to another site. I think you need to use some sort of AJAX control that would send some messages to the server in a given time interval to make sure the user is viewing your site.
First check my answer in this other question:
session Handling in asp.net
You wouldn't be able to immediately close a session and track this change if some user closes the browser, shutdowns computer or something like that. This is achieved by playing with session timeout.
Another possibility could be consider an user online if it triggered some operation against the server in some time interval, thing that'll be implemented in your server logic.
Logging out should be easly trackable because it's an "human user" action. Just implement a "UserLogout" event in your authentication manager class or any other class handling authentication and track logouts there.
Client-side user actions like browsing to another page or closing Web browser can't be tracked because technology limitations: API lacks in this area. It's more because of Web paradigm and its principles. You'll need to miss that.
We have several pages in our ASP.net Ajax application which auto refresh the UpdatePanels contents based on a timer event but the problem is that we have a requirement to timeout the web session and the auto refresh is preventing that.
Is there a way to prevent the timer postback event from modifying the web session or any other alternate solution to allow the web session to timeout while auto refreshing the UpdatePanel contents?
Here is an example to illustrate this problem. I set the session timeout to 3 minutes and have a timer in the UpdatePanel that ticks every minute and modifies the contents of the UpdatePanel based on the current state. After logging in, I navigate to this page and do nothing for 5 minutes and then try and click on another page and I am still logged in since the session didn't time out.
You may track the activity of the user on the client side. If there is no mouse move etc. you could log the user out using the Sys.Services.AuthenticationService class (part of Microsoft AJAX Library 1.0). You could pop a confirmation before you do the actual log out, so that the user may cancel it if he is present. When logged out you could pop a message to the user saying that he was automatically logged out because of inactivity.
How my solution would solve your scenario:
You set the session timeout to 3 minutes and have a timer in the UpdatePanel that ticks every minute and modifies the contents of the UpdatePanel based on the current state. After logging in, you navigate to this page and do nothing. After 3 minutes of no activity you pop a confirmation to the user asking him to cancel automatic log out using the Sys.Services.AuthenticationService. If the user still takes no action you log him out after a few seconds. You pop a "logged out message" that the user will see when he returns to the browser after 5 minutes. When he then click on another page he is not logged in.