Redirect on session_end



Keywords: session, asp.net, timeout, custom control
Description: We often get forum posts here asking "How can I tell if a user's Session is timed out, and perform some action in response" Often this involves the incorrect assumption that the Session_End event can be used for this. ASP.NET implements a rolling timeout mechanism that extinguishes the session information for a user if no request is received within the timeout period.?. I'll cover the following topics in the code samples below: Session, ASP.NET, Timeout, and Custom Control.

We often get forum posts here asking "How can I tell if a user's Session is timed out, and perform some action in response?" Often this involves the incorrect assumption that the Session_End event can be used for this. ASP.NET implements a rolling timeout mechanism that extinguishes the session information for a user if no request is received within the timeout period.

Session_End happens on the server automatically regardless of whether a user has requested a page, so the idea of using it to do anything other than cleanup-type operations is a mistake; it is independent of the page lifecycle and there is no active Request or Response object to access there.

It is often important for the business logic of an ASP.NET site to know for a particular request if the user’s session information is valid (e.g. a timeout has not occurred). Without this technique it is difficult to know, when a session variable is not found, whether it was never set properly or that the user simply waited too long between requests. Logic normally dictates that if a session is expired, any saved state needs to be recycled back to its starting state, and typically the user should also be required to re-authenticate to the site in order to enable them to start whatever process they abandoned again from the beginning.

ASP.NET developers habitually reference Session variables without ever checking for null first to see if they are actually present, which causes the "Object reference not set" exception. That yellow error page doesn't look very professional to the user, either.

So, I set out to do some more research and see what solutions might be possible. One of the ideas I got was that a site-wide session-expiry mechanism might be overkill, since usually only certain pages (such as those involved in a shopping cart) are involved in the need for protection against expired sessions. That's what brought me to think of the idea of a "drop on the page" Session Timeout "Detect and Redirect" Control. You should be able to just drop it on the pages that need it, set the redirect url, and you would be "good to go". If you do not need a page-specific solution, you can just use the Base Page class approach, or if you don't want to use a base Page class, instead you could write an HttpModule to do this and register it in web.config.)

The only credible information I found came from a source whose work I have relied on before, Robert Boedigheimer. In sum, what Robert found was that the ASP.NET HttpSessionState class's IsNewSession( ) method returns true if a new session was created for a given request. If this is a new session but the ASP.NET_SessionId cookie is present, this indicates a timeout situation. You may need to think about this for a while, but eventually the logic should make sense. In addition, he determined that one must access this cookie from the Request Headers collection rather than the expected Cookie collection. This is because the intrinsic Response.Cookies and Request.Cookies objects actually share the same collection, and in this test we only want to inspect the actual cookie from the Request Headers.

With this information in hand, it was very easy to create a "non-visible" ASP.NET Server control that would hook and override a late Page LifeCycle event, PreRender, to perform this check. Add a public property for the RedirectUrl, call SignOut on any Forms Authentication to force the user to login to the site over again, and send them to the login page. Let's take a look at the code for the control:

ToolboxData( "<<0>:SessionTimeoutControl runat=server></<0>:SessionTimeoutControl>" )]






Photogallery Redirect on session_end:


Asp.net


As pnet


ASP (Active Server Pages)


Vunvulea Radu Tech Wall: September 2014


Vunvulea Radu Tech Wall: Scaling Units - Having resources outside ...


Vunvulea Radu Tech Wall: Visual Studio Online and Team City - How ...


Vunvulea Radu Tech Wall: Entity Framework - Hybrid Code First


Vunvulea Radu Tech Wall: April 2014


Vunvulea Radu Tech Wall: How to use Diagnostic Monitor on Windows ...


Vunvulea Radu Tech Wall: Screen Sharing using Service Bus Relay ...


Iniciar y Chequear Sesion en asp.net


Vunvulea Radu Tech Wall: Load Test using Windows Azure and Visual ...


CoreApp Blog | Ing. Sistemas Luis M. Corea C. 7016-3145 | Pgina 4


Vunvulea Radu Tech Wall: Design a state machine mechanism using ...


CoreApp Blog | Ing. Sistemas Luis M. Corea C. 7016-3145 | Pgina 4


CoreApp Blog | Ing. Sistemas Luis M. Corea C. 7016-3145 | Pgina 4


ASP.NET Guia de desarrollo de sitios y aplicaciones web dinamicas


ASP.NET Guia de desarrollo de sitios y aplicaciones web dinamicas