URGENT : ASP .NET cookieless session timeout

[Nick]

Hi

I am a little stuck. I have a web app which uses cookieless session
management. I would like to inform a user when their session has
ended but cannot work out how to implement. I thought of placing a
redirect into the Session_End method in the global file but this does
not work.

To my understanding a session will end when it has been idle for the
time specified in the web.config file. The user may still have the
browser open and decide to continue using the site after the session
has ended because they are not aware that the session has actually
ended. I would like to inform them that their session has ended once
they submit their next request and give them a set of options and or
messages.

PLEASE HELP. This is kind of urgent.

Thanks

Tecknickal

 

[Hans Kesting]

Hi

I am a little stuck. I have a web app which uses cookieless session
management. I would like to inform a user when their session has
ended but cannot work out how to implement. I thought of placing a
redirect into the Session_End method in the global file but this does
not work.

To my understanding a session will end when it has been idle for the
time specified in the web.config file. The user may still have the
browser open and decide to continue using the site after the session
has ended because they are not aware that the session has actually
ended. I would like to inform them that their session has ended once
they submit their next request and give them a set of options and or
messages.

PLEASE HELP. This is kind of urgent.

Thanks

Tecknickal

This seems to be a "frequently asked question".

No, you can't redirect from Session_End, because a redirect needs
a Request to redirect and Session_End is not started by a request.
You can't just "push" a redirect to the browser because you also have
no way to know if that browser is still open, and showing your page.
(The user might have closed his browser or navigated to some other site)

There are two things you can do:
- use a <meta http-equiv=refresh> to redirect the browser to a "you are logged out"
page, after the timeout should have expired.
- on every request, check specific session variables. If they don't exist it's
either a new user or an expired session.

Hans Kesting

 

[teck nickal]

Hi Hans

Thanks for the quick reply. When you say :

use a <meta http-equiv=refresh> to redirect
the browser to a "you are logged out" page,
after the timeout should have expired.

How do I go about doing this? How do I know when the timeout should have
expired? Isn't the timeout used to timeout sessions when they have been
idle for the set amount of time?

You also stated :

on every request, check specific session
variables. If they don't exist it's either
a new user or an expired session.

I was thinking of setting the sessionId as a hidden form variable within
every form. Since ASP .NET creates a new session automatically if the
previous session does not exist. That way I can check to see whether
the hidden sessionId on the form is equal to the current sessionId, if
not, it has expired or something similar.

Do you think this is a good idea?

Thanks

Tecknick

 

[Hans Kesting]

Hi Hans

Thanks for the quick reply. When you say :

use a <meta http-equiv=refresh> to redirect
the browser to a "you are logged out" page,
after the timeout should have expired.

How do I go about doing this? How do I know when the timeout should
have expired? Isn't the timeout used to timeout sessions when they
have been idle for the set amount of time?

The counter starts when the last (current) page has been sent to the browser.
You know that the server-side timeout is 20 minutes (or whatever you changed it into).
Then you can set the refresh-timeout to the same timespan (or slightly more).
As you don't change that timeout often (I hope), you could hardcode this
into your aspx page.
Note: refresh uses a timeout in seconds.

You also stated :

on every request, check specific session
variables. If they don't exist it's either
a new user or an expired session.

I was thinking of setting the sessionId as a hidden form variable
within every form. Since ASP .NET creates a new session
automatically if the previous session does not exist. That way I can
check to see whether the hidden sessionId on the form is equal to the
current sessionId, if not, it has expired or something similar.

Do you think this is a good idea?

Form variables work only when there is a postback. A click on a link
will not send the form variables (or a viewstate). I was thinking more
along the lines of a "isloggedin" session variable. If that isn't present, then
it's a new session.
I wonder, if you use cookieless sessions, can you read the original session-id
from the querystring?

Hans Kesting

 

[teck nickal]

Hi Hans


Thanks again for the reply. The meta refresh would be great except if
javascript is disabled then the refresh would not occur. I have decided
to use the Session.isNewSession object.

When the user hits the first page this property should be set to true
indicating that a new session has been created. If they are on the
first page of my site and this is true, that is ok. If they are on a
page other than my first page and this is set to true then I know that
either their session timed out or that they landed on the page first
before starting at my start page. In both cases, I will display a
message to inform them of this a redirect them to the start up page.

Thanks for you help and ideas.

Tecknickal