How to start the session timeout after click of an event - asp.net

Can anyone tell me how I can start the session timeout after the click of the Login button?
In my case, the moment I run the application and go to the Login page the session timeout starts, but I need to start the session timeout on the click of the Login button on the LogOn screen.
One more thing related to the above issue: the moment the session expires it redirects me to the Login screen (that is fine), but it makes me enter login credentials twice, and only once I enter the credentials the second time does it take me to further pages.
Awaiting your response. Thanks.

For your information, the session timeout will reset automatically after every event performed by the user, so you should not be worried about that; when the user clicks on the login button it will reset the session timeout.

You don't need to worry about the Session timeout. Session always initiates at your application's startup but the Session timeout resets on any postback or any request to the server.

Session would appear to be the wrong thing for what you are trying to achieve. Either a custom timer object embedded in the session would work, or forms auth tickets which would start when you logged in.
Simon

Related

Why does Session start after page logoff?

I am working on an ASP.NET website, and trying to track active Sessions.
I write to a log file whenever a session is created or ended via the Session_OnStart and Session_OnEnd events.
What I am noticing is that when a user navigates to the webpage, it creates a Session with a Session ID for that user, like I expect, but when the user selects to log off and gets redirected to the homepage, Session_OnEnd is fired, and immediately after that Session_OnStart is fired with the same SessionID.
Why is this?
Since the previous session ends, its ID is no longer valid (it does not matter whether an end user is logged in or not). As described in this article:
"A new session automatically starts whenever the server receives a request that does not contain a valid SessionID cookie."
So, a new session starts for this user as soon as any of his/her requests is received after session expiration.
This is what the Microsoft article says:
"A browser that does not support cookies does not return the SessionID cookie, the server creates a new session each time the user requests a page. Thus, for each request, the server processes the Session_OnStart script and redirects the user to the starting page."

Notify user of session timeout asp.net VB

I want to notify the user as soon as the session expires: an alert and a redirect to another page. What is the best way to do it considering I have no master page? Most of the pages inherit the basePage where the property for the current user is set. Can I somehow use this page so I won't have to make changes on every page? Also, can this be done on the server side or do I need to use jQuery?
Please advise
Thanks,
Kavita
You can use the jQuery idleTimer plugin to detect idle time, show an alert to the user based on that, and then redirect the user when the session times out.
E.g.:
You can set the session timeout to some value, say 30 minutes. Use JavaScript code to detect user inactivity or idle time.
Detecting Idle Time
If the user is inactive for, say, 20 minutes, you can show him a popup or link asking whether he wants to continue his session. If the user clicks the link his session will continue; otherwise he will be redirected to the logout page.
I ended up using
http://www.dotnetcurry.com/ShowArticle.aspx?ID=453
This is not what I wanted, but considering the architecture of the project, this was the only feasible option.

Kill Asp.Net session when the browser or tab is closed

I am using forms authentication with Asp.Net 4. At the moment, when the users click on the logout link, I clear the session and call FormsAuthentication.SignOut(), and this prevents the users from going back to the site without logging in again.
Now I want to kill the session when the browser or tab is closed. I tried doing this by handling the onbeforeunload event, but I ended up killing the session after clicking any internal links.
Any ideas how I can do this?
You can't, but you can come close.
The authentication cookies are session only, which means they are deleted by the browser when the browser closes. Maybe you do not close all browser tabs, but if you close them all the authentication cookies are lost.
About closing a tab, you do not know if the user has other tabs open.
A possible solution may be a call every 10 seconds back to the server to keep this authentication active or not, and to set the authentication to end after 20 seconds. So if no signal comes back, the user has gone. This can be done using JavaScript. On the other hand, this cannot log the user out after some minutes of inactivity, so you may need a combination of this logic with something else.
The best you can do is when your user explicitly logs out to also call Session.Abandon() to remove that user's session. But like others have said there is no way of knowing if the tab/window just closes without doing a logout in this fashion. The session will just hang around on the server until it expires.
I answered another question that had a problem with the session being killed when the user edited the web.config on a live site. They were tracking users still being logged in with Session variables (dangerous). But I came up with a solution (untested) that could help people here.
FormsAuthentication allows you to keep a person active and logged in indefinitely. But if they become inactive for e.g. 20 minutes they will be logged out, which is nice. But to have them logged out at the time they close their browser is not possible (wait for it...), as setting the timeout value to 0 would cause them to be constantly logged in then out again.
So solution : at the time you log a person in using FormsAuthentication you could also set a standard session variable cookie that will be deleted when they close their browser. This cookie would have non-identifying non-account related information. Just a simple "loggedIn:yes".
Now all your code would need to have on its masterpage/masterlayout is a high-level call in the page cycle or constructor of the page cycle (or even a custom attribute) that would check both the cookie and the user identity:
if (!HasLoginCookie() || !System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
{
    // Redirect the user to the login page.
}
Basically if the cookie is removed when the browser is closed, you will redirect the user to the log in page.
Hopefully that helps (and works. As I said untested).

Multiple log-in problem

We have a web application with a feature for logging in with credentials.
The important requirement is that once the user logs in he is not allowed to log in from any other system, or even another browser on the same system.
We used the following solution, which is MSSQL based: we have kept "Is_Loggedin" as a column with data type "bit" in a table. When a user logs in we set the flag to "1", so when someone tries to log in again the system shows the error "The user is already logged in".
When the user logs out the bit turns to "0", indicating the user logged out.
However, this logic fails in the following scenarios.
Problem scenario:
When the user closes the browser the flag is "1" and the user is locked in, or situations when the user has a system problem and is unable to log out.
Is there a better logic to handle this requirement?
While the user is logged in, you could have an AJAX call that pings the server every 30 seconds to say that the user is logged in. Have a column Is_LoggedIn, and Last_LoggedIn for the date/time when they last sent that AJAX call. If it has been more than, say, 1 minute, allow the user to log in from another system.
You will also have a problem scenario if the user leaves their browser open for more than the session timeout period, usually 20 minutes. Then they will get logged out on the next request, but not be able to login again because of that is_LoggedIn set to 1. You would be better off doing some sort of time-based solution because keeping track of whether the user is still actively using a website is a very difficult problem because of the many ways they can leave the website without actually logging out.
If it is absolutely critical to avoid any chance of the user being logged in multiple places, you could also force all other places to logout automatically when the user logs into some new place.
You can update the 'Is_Loggedin' flag to 0 in the session_end event of global.asax.
The session_end event is always called. The session_end event is called when session_timeout expires.
In the global.asax code-behind I believe there is an event for session end. You could tie into that method and set the user's Is_LoggedIn flag to 0. You would then also need to tie a user to a session key to be able to track a user's session.
Edit:
Also, the use of a session cookie or a normal cookie may help if the user closes their browser. The cookie would authenticate them upon re-opening the browser window; however this has a potential security hole if the user is using a public computer.
You could log the user out after some time of inactivity (say 30 minutes). This way, if the user closes the browser without logging out, he will be able to log in again after 30 minutes.
Use Session_End as Pankaj suggests to make sure that the user's bit is set to 0 when logging out.
The issue with system failures is another problem. Maybe this could do the trick: when the user logs in, store the user's session ID in the database. When the user logs out, clear the session ID. Every time the user makes a request you verify that the session ID matches the one stored in the database. If that is not the case, invalidate the session, so that the user is logged out.
This should happen: if the user signs in in another browser, the session ID would be updated. If the user then goes back to the first browser window and clicks on something, that session would be invalidated, and the user would be signed out automatically.
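The two server-side approaches from the answers above (the Last_LoggedIn ping lease and the stored session ID where the newest login wins), as an added example that is not code from any of the posts. It is an in-memory model written in JavaScript rather than ASP.NET code; `SessionRegistry`, `LEASE_MS`, the policy names and the session ID strings are hypothetical, and a real application would keep the same fields in the users table.

```javascript
// Added example: one-session-per-user registry (in-memory model).
// In production the Map below is the users table (session ID + Last_LoggedIn).
const LEASE_MS = 60 * 1000; // "more than, say, 1 minute" without a ping

class SessionRegistry {
  constructor(policy, now = () => Date.now()) {
    this.policy = policy;    // "reject": block second login while lease is live
                             // "takeover": newest login wins
    this.now = now;          // injectable clock so the logic can be tested
    this.active = new Map(); // userId -> { sessionId, lastSeen }
  }

  // Call only after the credentials have been verified.
  login(userId, sessionId) {
    const cur = this.active.get(userId);
    const live = cur && this.now() - cur.lastSeen <= LEASE_MS;
    if (live && cur.sessionId !== sessionId && this.policy === "reject") {
      return { ok: false, reason: "The user is already logged in" };
    }
    // No live lease (browser closed, machine crashed) or takeover policy:
    // the new session replaces whatever was stored.
    this.active.set(userId, { sessionId, lastSeen: this.now() });
    return { ok: true };
  }

  // Call on every request and every AJAX ping.
  // Returns false when the caller's session must be invalidated.
  touch(userId, sessionId) {
    const cur = this.active.get(userId);
    if (!cur || cur.sessionId !== sessionId) return false; // displaced or logged out
    cur.lastSeen = this.now(); // renew the lease
    return true;
  }

  // Explicit logout; ignores a stale session that was already displaced.
  logout(userId, sessionId) {
    const cur = this.active.get(userId);
    if (cur && cur.sessionId === sessionId) this.active.delete(userId);
  }
}
```

Because the lock is a lease that lapses when pings stop, a closed browser or crashed machine no longer leaves the account stuck at Is_LoggedIn = 1.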

How do I prevent resetting Session timeout when UpdatePanel's content is refreshed by a Timer event?

We have several pages in our ASP.net Ajax application which auto refresh the UpdatePanels contents based on a timer event but the problem is that we have a requirement to timeout the web session and the auto refresh is preventing that.
Is there a way to prevent the timer postback event from modifying the web session or any other alternate solution to allow the web session to timeout while auto refreshing the UpdatePanel contents?
Here is an example to illustrate this problem. I set the session timeout to 3 minutes and have a timer in the UpdatePanel that ticks every minute and modifies the contents of the UpdatePanel based on the current state. After logging in, I navigate to this page and do nothing for 5 minutes and then try and click on another page and I am still logged in since the session didn't time out.
You may track the activity of the user on the client side. If there is no mouse move etc. you could log the user out using the Sys.Services.AuthenticationService class (part of Microsoft AJAX Library 1.0). You could pop a confirmation before you do the actual log out, so that the user may cancel it if he is present. When logged out you could pop a message to the user saying that he was automatically logged out because of inactivity.
How my solution would solve your scenario:
You set the session timeout to 3 minutes and have a timer in the UpdatePanel that ticks every minute and modifies the contents of the UpdatePanel based on the current state. After logging in, you navigate to this page and do nothing. After 3 minutes of no activity you pop a confirmation to the user asking him to cancel automatic log out using the Sys.Services.AuthenticationService. If the user still takes no action you log him out after a few seconds. You pop a "logged out message" that the user will see when he returns to the browser after 5 minutes. When he then clicks on another page he is not logged in.
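The client-side idle tracking described in the answer above, as an added example that is not code from the post. `IdleWatch`, `warnAfterMs`, `graceMs`, the 10-second grace period and the `/Logout.aspx` URL are assumptions; only real user input resets the clock, so the UpdatePanel Timer tick never counts as activity.

```javascript
// Added example: idle tracking driven only by real user input.
class IdleWatch {
  constructor({ warnAfterMs, graceMs, onWarn, onLogout, now = () => Date.now() }) {
    Object.assign(this, { warnAfterMs, graceMs, onWarn, onLogout, now });
    this.lastInput = now();
    this.state = "active"; // active -> warned -> loggedOut
  }

  // Wire to mousemove/keydown/click. Never call this from the Timer tick.
  userInput() {
    if (this.state === "loggedOut") return; // logout is final
    this.lastInput = this.now();
    this.state = "active"; // also cancels a pending warning
  }

  // Poll about once a second; returns the current state.
  check() {
    const idle = this.now() - this.lastInput;
    if (this.state === "active" && idle >= this.warnAfterMs) {
      this.state = "warned";
      this.onWarn(); // show the "cancel automatic log out?" confirmation
    }
    if (this.state === "warned" && idle >= this.warnAfterMs + this.graceMs) {
      this.state = "loggedOut";
      this.onLogout(); // must end the session on the server as well
    }
    return this.state;
  }
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof document !== "undefined") {
  const watch = new IdleWatch({
    warnAfterMs: 3 * 60 * 1000, // the 3-minute timeout from the question
    graceMs: 10 * 1000,         // assumed grace period
    onWarn: () => console.log("show 'still there?' prompt"),
    onLogout: () => { window.location.href = "/Logout.aspx"; }, // placeholder URL
  });
  ["mousemove", "keydown", "click"].forEach((evt) =>
    document.addEventListener(evt, () => watch.userInput()));
  setInterval(() => watch.check(), 1000);
}
```

The Timer postbacks keep renewing the server session, so the logout callback has to sign the user out on the server; hiding the page on the client alone leaves the session usable.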
