Managing Session Timeouts in ASP.NET when using ASP.NET GenericHandlers - asp.net

For example I have a web application using jQuery as a framework on the client side. Now most of the pages are functional by means of using AJAX and communicate to the server by means of using Generic Handlers (.ashx).
Now I have a problem that I am asking this to see what is the best solution for handling these request when my user session expires.
For example, a user logged in, left his browser for 15 minutes and then he pressed a button that this will create a request to the handler, now from the server side when I try to read a session variable obviously it will be empty (session expired). What is the best way to redirect the user back to the login page.

We address this situation by a slightly different approach. Instead of trying to make all the jQuery calls deal with this kind of error condition, we have implemented a parallel timeout system on the client using javascript. A minute before the ASP.NET Session would time out, we pop up a dialog on the browser to warn the user "You have been inactive and are about to be logged out. Click here to remain logged in." We included a little countdown in the dialog also. If they click to stay logged in, we send another jQuery call to the server to reset the session timeout.
So, unless the user has javascript disabled (in which case, the app doesn't work anyway), there is not a possibility that we make a jQuery call after the ASP.NET session has timed out.

Related

How to catch user closed window without logging out of application

My requirement is user should not log in from multiple browser or system simultaneously in application. For this I maintained the flag in database, so whenever user is logged in I am updating flag as yes and when he logged out I am updating it as no.
My issue is if user close the browser window without logging out from application then I am unable to update the flag. So next time when user try to logging in application, It is saying user is already logged in.
I tried using Onbeforeunload event in master page, but whenever I am changing the menu in my application. It is firing that event. For updating the flag I used page methods. But this is not working properly.
I would say, send often via a ajax call to your API that a 'ping' to confirm you are still online. If there is no ping or page change after 3 minutes, I consider the user has been logged off and it sets him as "logged off" in database.
At least, I do this using javascript, but i'm sure you can also in your client-side part of the ASP.NET app you are making.
You can't handle this only by client-side code, using e.g. beforeunload, because the page/browser may be closed for many reasons (e.g. lack of electricity).
What you can do is:
Scheduler on your backend which verifies whether an user did some action since e.g. 1min. In that case you have to update information about user action in your DB after every ajax requests (Hugo Regibo suggested ping requests).
Disadvantage od this solution is this period - when an user turns off the page then he will be not able to log in again for 1min.
Instead of a scheduler you can verify logged-in users (I assume you keep them in a DB table) after each requests.
Use web sockets, you will have continuous connection and you will be notified about closed connection immediately. Disadvantage of this is web sockets don't scale so good as stateless HTTP.
Besides that I don't know whether you use iis with a session provider or not? And when an user closes the page and opens it again should be able to log in with his saved credentials. You should write more of how your project looks like.
I would do it by saving a Session object for each login call. A session ID would then be stored in the user's cookie or authentication token. Each call to the system would validate the user via their session ID. If that session has been invalidated, they just get sent to the login prompt. Whenever the user logs in, it invalidates all of their other sessions.
This way the user could be in their browser on their machine, navigate away, close the browser, and come back to find their session still alive without having to log back in. But, if they log into another machine, then their old session would be invalidated.

MVC manage session

I am using an MVC app to manage authentication. The issue I have is with chrome because it never actually kills the session because it runs in the background after it closes by default. I do not want to enforce all the end users to change this setting because then it will kill hangouts etc.. So I am wondering if I can use any standard web.config setting to handle this or do I need to make an ajax polling interval to keep updating the cookie expiration?
The ASP.NET session consists of 2 components the client-side http session cookie and the server's session storage provider. Suppose user has SessionId 1. If you delete session 1 from the server, the user returns and a new session is created with SessionId 1. If the user deletes the session cookie, the server keeps running session 1.
What you're asking for is generally not possible. There's no way you can force a user to send a request to your server when they are exiting your site or the browser. There is the javascript beforeUnload event which in some situations would allow you to send a request to /sign-off in some situations. The obvious limiter is no network access = no message.
The standard resolution for orphaned sessions is for session scavenging policy to clean them up. Some developers choose to use persistent storage to eliminate scavenging altogether such that a shopping cart would never disappear.
The only reasonable solution (which is still overkill) that would reach your goals. You use SingalR for a persistent connection of the user to the server and you ping them from the server. If the connection fails to respond you abandon the session. This will be a fragile process and if you don't make very very sure the user is disconnected you will have lots of support calls from users wondering why they are continuously logged out while browsing your site on cell phone.

ASP.NET LoginStatus control shows "Login" even though logged in

In my ASP.NET project, I am using Forms authentication. My main.master using LoginStatus control and web.config is set up for "Forms" authentication mode.
Before I log in, the control shows the text as "Login." After I log in, the control shows the text as "Logout." This is expected. However, after clicking around on a few links within the site, the control suddenly starts showing "Login" although I am still logged in. The session is still alive as some of the pages I visit dumps some session information.
Would appreciate if something can point me in the right direction. Regards.
If you are trying to redirect after setting a Session variable using
Response.Redirect("YourPage.aspx");
this may be causing the session token to gets lost, try using the overloaded version of Redirect:Response.Redirect("~/YourPage.aspx", false);
Another problem also may be miss configuration of application pool. If the application pool is configured as a web farm or a web garden (by setting the
maximum number of worker processes to more than one) and if you're
not using the session service or SQL sessions, incoming requests will
unpredictably go to one of the worker processes, and if it's not the
one the session was created on, it will get lost.
The solutions to this is either not to use a web garden if you don't need the
performance boost, or use one of the out of process session
providers.
For more information you can check the link of the original article below: http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_

SignalR Chat on almost all pages of site

I develop SignalR (1.1.2) chat for our corporative site (ASP.NET) and I don't know how place it for almost all pages of site. I have the next questions:
Online/offline states of users change when users move on other page.
In my chat state setting performs on OnConnected/Ondisconnected callbacks in my Hub class and it call when users move on other page.
Should I initialize SignalR with $.connection.hub.start().done on ALL pages? May be are there workarounds?
What does cross-domain mean? I don't understand this definition.
What logic should I move in OnReconnected callback in my Hub class?
Thanks in advance.
Sounds like you are trying to use SignalR in the wrong way.
You are going to have to start the hub every time you change page unless your application is a single page application. E.g. All run via JavaScript on one page.
When you change page, you are effectively closing down the SignalR connection to the hub, then you will need to start it on the next page. This will raise the Disconnect event.
Each time you connect, your user will be given a new ConnectionID, so their online/offline status will change depending on how you are handling this.
The only work around would be to create a Single Page application.
Cross-Domain means that you are calling the SignalR methods on another URL from the client.
Within your OnReconnected callback you might want to just write some logic that notifys a user that they have been reconnected.

closing all web pages on session time out

When a session is timed out in asp.net application, we need to close all the web pages those are already opened by a user.
Each page has sign out link. When the user click on that link, the home page is redirected to that page.
In this case, the other opened pages also needs to be closed.
How can we do this?
For all pages:
AJAX call back to server to check whether Session has expired.
Parse result from AJAX
If session ended then close window or redirect to logged out page.
On the second thought... we can use what #thephpdeveloper said, particularly when user signs out formally... (like clicking the signout button) Once After a formal Sign out happens... Such Ajax Call back can be used, cause the session will be valid but there will not be any user... Using this we can signal the page and close the browser window
As Razzie commented, doing an AJAX callback to the same web-application will keep the session alive. Using a web-service also won't solve the problem.
This solution avoids keeping the session alive:
Store every session in the database. This could be done in the Session_Start event in the Global.asax or after the log-in.
Delete timed-out sessions from the database in the Session_End event in your Global.asax file or after the log-out.
Do a periodical AJAX callback to a different web-application, e.g. a web running on a sub-domain, to check in the database if the session still exists.
I suggest you use the SessionID to identify the sessions.

Resources