Menu
I've seen multiple articles like this one that explain how to detect that a user's session has timed out. And for clarity's sake, these articles are referring to the timeout value defined by this web.config line:
<sessionState mode="InProc" cookieless="UseDeviceProfile" timeout="120" />
Not to get into that method too much, but this involves checking that Session.IsNewSession is true and that a session cookie already exists. But I haven't seen any articles on how to detect authentication timeout -- the one defined by this web.config line:
<authentication mode="Forms">
<forms loginUrl="~/Home/Customer" timeout="60" name=".ASPXAUTH" requireSSL="false" slidingExpiration="true" defaultUrl="~/Home/Index" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>
Multiple articles online, including this SO post, have said that your Session timeout value should generally be double your Authentication timeout value. So right now, as above, my Session is 120 and my Authentication is 60. This means that I'll never get in a situation where the Session has timed out, but the user is still Authenticated; if the user ever times out, it will be due to Authentication, not Session.
So, like everyone else, I'm interested in how to report to the user that their session has timed out (but really it'll be due to the Authentication timeout). Does anyone know of a way to accomplish this, or any resources online that can point me to a solution?
217
As you can see, for both attributes we’re using a session variable holding the user name as an indication if a session timeout occurred. We’re checking to see if either the browser session or the authentication has expired.
System.TimeSpan currentTimeout = formsAuthentication.Timeout; // Set the Timeout. formsAuthentication.Timeout = System.TimeSpan.FromMinutes (10); Gets or sets the amount of time, in minutes, allowed between requests before the session-state provider terminates the session. Configures the session state for a Web application.
There’s a lot more than meets the eye when you need to handle session and authentication timeout scenarios in ASP.NET MVC. For some reason, I expected this to be a no-brainer when I first worked on an app that needed this functionality. Turns out there several complications that we need to be aware of.
And here is the code for my NavigateToLoginPage () method, where the parameter true means “alert the user that a timeout has occurred” : On the Login.aspx page, I look for the QueryString parameter of “mode” with a value of “timeout” and display this beautiful yellow <div> to tell the user what has happened.
This is probably not the optimum approach, but here's something I thought of.
On login, record a timestamp in the session marking when the user logged in. On each subsequent request (maybe in the global.asax BeginRequest?), compare this timestamp to the current time, and match this up with the authentication timeout (Scott Hanselman explains how to read it here).
That's my "off top of my head" thought anyhow...
55
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
