SessionState expired behaviour - asp.net

Is it possible to control the behaviour of ASP.NET when the Session has expired? It seems that the default behaviour is sending the user to the website root. The desired effect would be to send the user to a custom "Session Expired" page.
To clarify, it's the SessionState that's expiring (set the timeout to 1 minute to quickly test it):
<sessionState mode="InProc" timeout="1"></sessionState>
The authentication cookie timeout is way higher, to avoid any mix-up:
<authentication mode="Forms">
  <forms loginUrl="SessionExpired.aspx" slidingExpiration="true" name=".ttpASPXAUTH" timeout="58" protection="All"></forms>
</authentication>

I'm not sure about the whole Authorization ticket/session state problem, but an easy way to redirect someone to a particular page when their session has expired is to put code into the Application_AcquireRequestState event in the Global.asax file to check for a session variable and if it doesn't exist, redirect to your "session expired" page.
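One way to write the Application_AcquireRequestState check described in the answer above (an added example, not the answerer's code). The session key "UserId" and the path ~/SessionExpired.aspx are assumptions; use whatever your login code stores and wherever your page lives.

```csharp
// Global.asax.cs (added example)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumed names: the login code sets Session["UserId"];
    // the "Session Expired" page is ~/SessionExpired.aspx.
    private const string MarkerKey = "UserId";
    private const string ExpiredPage = "~/SessionExpired.aspx";

    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Static files and handlers that do not use session state have no session.
        if (ctx == null || ctx.Session == null)
            return;

        // Anonymous requests are left to forms authentication (loginUrl).
        // A missing marker only means "session expired" while the ticket is still valid.
        if (!ctx.Request.IsAuthenticated)
            return;

        // Never redirect the target page to itself, or the browser loops.
        string expiredPath = VirtualPathUtility.ToAbsolute(ExpiredPage);
        if (string.Equals(ctx.Request.Path, expiredPath, StringComparison.OrdinalIgnoreCase))
            return;

        if (ctx.Session[MarkerKey] == null)
        {
            // Fixed, application-relative target: nothing taken from the
            // request ends up in the redirect URL.
            ctx.Response.Redirect(ExpiredPage, false);
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Until the login code sets the marker again, every other authenticated request is sent to the same page, so that page should link back to the login form.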

You can catch this in your global.asax in the Session_Start method.
I use something like this for simple sites:
// Runs in Session_Start: a new session on any page other than the home page
// means the old session expired (or the page was requested directly).
if (!Request.Url.AbsolutePath.EndsWith("DEFAULT.ASPX",
        StringComparison.InvariantCultureIgnoreCase))
{
    string newPage = string.Format("ErrorPage.aspx?ErrorMessage={0}",
        System.Uri.EscapeUriString("Your session has expired."));
    Logger.InfoFormat("{0} Session expired or illegal page access attempted: {1}",
        Utility.StoreRegisterForLog, Request.Url.ToString());
    Response.Redirect(newPage);
}
If they're not on the home page, they get sent to the error page with a message saying their session has expired.

Related

Session timeout is not working while using SqlServer mode

I am developing an ASP.NET MVC application.
We have used sessionState mode SQLServer and I have set timeout to 20 minutes.
<sessionState mode="SQLServer"
    sqlConnectionString="data source=127.0.0.1;user id=sa;password=sa"
    cookieless="false"
    timeout="2" />
Code is something like this in web config.
I have also set login page.
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
Now when the session expires I want to navigate the user to the login page.
I checked many things but I was unable to understand how exactly it works, and how I can navigate the user to the login page on session expiry.
It is working in InProc mode. I used it in the same way and the user is redirected to login on session expiry.
But I am unable to accomplish the same thing in SQLServer mode.
I am unable to understand what I am missing.
I checked Session State and also found that Session timeout is handled in SQLServer Mode
Edit :-
I want to redirect user to login page whenever another http request is executed for that session.
Ordinarily the browser has no idea what is going on on the server. Unless an HTTP round trip occurs, it will remember the state of the session from when the page was rendered.
In addition, your session cookie is probably HttpOnly, so there is no way for the page to check for the presence of a session cookie.
One way to accomplish what you want is:
1. Add a hidden iFrame to your page. Set the SRC of the iFrame to a handler in your web site.
2. The handler doesn't have to do much except return a 200 OK, plus a refresh header set to a few seconds, so that the handler gets continually polled.
   context.Response.AddHeader("REFRESH", "2");
3. Add framebreaker code to your login page:
   if (top.location != location) {
       top.location.href = document.location.href;
   }
When a request for the handler occurs with an expired session, it'll get redirected to the login page via forms authentication; when the login page is returned, it'll break your iFrame and redirect the full window to the login page.
Or, you can do what everyone else does, which is wait for the user to request another page.
For me, changing the timeout value in the web.config file to anything didn't take place, and the reason was there were somehow some leftover old records in the ASPStateTempSessions table in ASPState database. I had to empty the table and only then my web.config changes took place. I wasted an hour trying to search for the cause so hope this helps someone.
So, run this:
delete from ASPStateTempSessions
The difference between InProc and SQLServer mode is that SQLServer relies on an MSSQL job to remove the session. It doesn't actively prevent you from logging in again.
See Session State Providers
SqlSessionStateStore doesn't actively monitor the Expires field. Instead, it relies on an external agent to scavenge the database and delete expired sessions—sessions whose Expires field holds a date and time less than the current date and time. The ASPState database includes a SQL Server Agent job that periodically (by default, every 60 seconds) calls the stored procedure DeleteExpiredSessions to remove expired sessions.

Asp.net pages -> session expired when its in use in

In my application the session automatically expires while the application is still running.
On my page all hits happen through ajax calls only.
By default, Session timeouts are set to expire in ASP.NET in 20 minutes. To increase the timeout or expiry you should change the timeout attribute for SessionState in the web.config file:
<sessionState timeout="40" />
Note that if you are using Forms authentication, the Forms timeout setting will log the user out after the set timeout period so you will also have to adjust this attribute:
<authentication mode="Forms">
  <forms timeout="40"/>
</authentication>
Use the following link for Session Timeout with popup alert message.
Session Timeout Example

Session Time-Out after 10 minutes

We've got a huge problem.
We're using the Belgian eID (electronic identity card, this is a smart card). The Claim which is returned, is used by our Forms Authentication.
Everything works fine, but after 10 minutes (of activity or inactivity, doesn't matter), it automatically logs out.
Here the code fragment where we create the session:
private void CreateSession(ClaimsPrincipal transformedPrincipal)
{
    SessionSecurityToken sessionSecurityToken = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(1));
    FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
}
In the Web.config, we set the session timeout:
<sessionState cookieless="false" timeout="60" />
On the IIS server, we set the Application Pool Idle Time-out to 8 hours.
We also set the Regular Time Interval of the recycling to 8 hours.
Quick hack:
Set the session 2 minutes later than the forms timeout. This ensures that the session is not killed on the exact second the authentication dies. But remember, sessions are independent of forms (see this blog for more details).
<system.web>
  <authentication mode="Forms">
    <forms timeout="20" loginUrl="-- Login Page here --"/>
  </authentication>
  <sessionState mode="InProc" timeout="22"/>
</system.web>
Deeper investigation:
I would try and work out which one specifically is timing out. This is a fairly easy test, and will save you quite a lot of time.
So, the sections required are these, with a timeout of 1 minute and session of 10000:
<system.web>
  <authentication mode="Forms">
    <forms timeout="1" loginUrl="-- Login Page here --"/>
  </authentication>
  <sessionState mode="InProc" timeout="10000"/>
</system.web>
So login, browse to a page, wait one minute and refresh the site and you should see the login page.
In your favourite browser, open a developer toolbar and browse the cookies that are stored for this site. There should be 2 cookies:
- ASP.NET_SessionId - to track your session
- .ASPXAUTH - to track your login (unless your browser has deleted it due to expiration)
You should see that the expiration time for the session (ASP.NET_SessionId) is in the future, but the form (.ASPXAUTH) has expired.
Login again, and your session should be the same as before.
Reverse the settings and you should find the reverse is happening, i.e. you are logged in for a long period of time, but it is resetting.
Tracing the session end event
One more thing you can try is in your global ASAX. Make sure your sessionMode='InProc' in your web.config and add a method:
// Only works with sessionMode='InProc'
protected void Session_End(object sender, EventArgs e)
{
    // Debugger lives in System.Diagnostics; fully qualified so no using directive is needed.
    if (System.Diagnostics.Debugger.IsAttached)
        System.Diagnostics.Debugger.Break();
}
The breakpoint will hit when the session dies, which you may be able to track back via the call stack to the exact reason why it has expired. This can come about when code calls Session.Abandon() as well.
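To tell the two timeouts apart without watching cookies by hand, the following added example (not code from the answer) reports the state of the forms ticket and of the session for one request. The class and method names are hypothetical; ASP.NET_SessionId is the default session cookie name listed above.

```csharp
// Added example. Call TimeoutDiagnostics.Describe(Context) from
// Application_AcquireRequestState in Global.asax and write the result to your log.
using System;
using System.Web;
using System.Web.Security;

public static class TimeoutDiagnostics
{
    private const string SessionCookieName = "ASP.NET_SessionId";

    public static string Describe(HttpContext ctx)
    {
        return "auth=" + DescribeTicket(ctx.Request) + "; session=" + DescribeSession(ctx);
    }

    private static string DescribeTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "no cookie sent";
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null)
                return "unreadable";
            // Report only the expiry time, never the cookie value itself.
            return (ticket.Expired ? "expired " : "valid until ") + ticket.Expiration.ToString("o");
        }
        catch (Exception)
        {
            // Decrypt throws on malformed or tampered values; treat them all as invalid.
            return "invalid";
        }
    }

    private static string DescribeSession(HttpContext ctx)
    {
        if (ctx.Session == null)
            return "not available for this handler";
        if (!ctx.Session.IsNewSession)
            return "existing";
        // A new session although the browser sent a session cookie means the old
        // one is gone: timeout, Session.Abandon() or an application restart.
        return ctx.Request.Cookies[SessionCookieName] != null
            ? "recreated (previous one expired or was lost)"
            : "first visit";
    }
}
```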

can I write my Login Page redirect code in Session_End?

Can I write my code in the Session_End method so that, when my session times out, I redirect users to the Login Page?
I am using the Forms Authentication method.
Currently I have created a "CheckSession()" method and am calling it on each page...
Please suggest...
I've always placed the session check code in a master page for webform projects or, more recently, creating a base controller that has this method. Either way the goal is not to duplicate that code everywhere for obvious maintenance reasons.
I think you can manage this through settings in your web.config file without having to use code at all. Just ensure that the duration of your forms authentication cookie and your session are the same length. If your authentication session times out ASP.NET will automatically redirect a user to the login page.
Try:
<forms ... timeout="20" slidingExpiration="true" />
(slidingExpiration is true by default but I've specified it here because it must be true to replicate the timeout behaviour of sessions in ASP.NET)
and:
<sessionState ... timeout="20" />

session variables timeout in asp.net app

In my web app I'm using some session variables, which are set when I login:
e.g. Session("user_id") = reader("user_id")
I use this through my app.
When the session variable times out, this throws errors mainly when connecting to the database as session("user_id") is required for some queries.
How can I set my session variables so that once they are timed out to go to the login page or how can I at least increase the length of time they are available?
I'm guessing you're using Forms Authentication. The trick here is to ensure that your Forms Authentication expires before the session does.
I wrote about this in this answer here:
How to redirect to LogIn page when Session is expired (ASP.NET 3.5 FormsAuthen)
For example:
Configure your Forms Authentication - this sets the timeout to 60 minutes:
<authentication mode="Forms">
  <forms defaultUrl="~/Default.aspx"
         loginUrl="~/Login.aspx"
         slidingExpiration="true"
         timeout="60" />
</authentication>
Extend Session expiry to a longer time:
<sessionState
    mode="InProc"
    cookieless="false"
    timeout="70"/>
In your Login.aspx code behind you could also do a Session.Clear(); to remove stale session data before assigning session values.
In the past I've used a base page or master page on every page (making an exception for the login page) that reads a session token to see if a user is logged in currently.
If it ever reads a null it saves the current url and redirects to the login page.
After logging in it reads the saved url and redirects the user back to the requested page.
Increasing the session timeout value is a setting in IIS.
How can I set my session variables so that once they are timed out to go to the login page
Check if they are = null do a Response.Redirect("Home.aspx");
or how can at least increase the length of time they are available?
It's in the web.config within the sessionState element
I think a lot of people wrap their session calls to provide a "lazy load" pattern. Something like this:
class SessionHelper
{
    public static string GetUserId()
    {
        string userId = (string)System.Web.HttpContext.Current.Session["UserId"];
        if (userId == null)
        {
            // The session value is gone (e.g. it timed out): reload it and cache it again.
            // "reader" stands for the data reader from the question's login code
            // and must be in scope here.
            userId = (string)reader["UserId"];
            System.Web.HttpContext.Current.Session["UserId"] = userId;
        }
        return userId;
    }
}
