Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

ASP.NET Session Timeout Testing

I'm a doing some blackbox testing of a ASP.Net website and I need to test different session timeout scenarios.

I'm not sure they fully encapsulated session timeouts. Other then leaving a page open for 20 minutes is there an easier way to force a session timeout?

like image 430
ctrlShiftBryan Avatar asked Oct 08 '08 20:10

ctrlShiftBryan


2 Answers

Decrease the timeout

The easiest and most non-intrusive way to test this is probably to just decrease the timeout to a fairly small number, such as 3 or 5 minutes. This way you can pause for a few minutes to simulate a longer pause without worrying about application restarts or special reset code having any affect on your test results.

You can modify the session state timeout in a few locations - globally (in the web.config located in the config folder for the applicable .NET framework version), or just for your application.

To modify the timeout just for your application, you can add the following to your application's web.config:

  <system.web>     <sessionState timeout="60" />    ... 

Alternatively, you can also modify this same setting for your application through an IIS configuration dialog (I believe you still need to have a web.config defined for your application though, otherwise Edit Configuration will be disabled).

To access this, right-click on your web application in IIS, and navigate to Properties | ASP.NET tab | Edit Configuration | State Management tab | Session timeout (minutes).

Note that you can also manipulate this setting through code - if this is already being done, than the setting in the web.config file will effectively be ignored and you will need to use another technique.

Call Session.Abandon()

A slightly more intrusive technique than setting a low timeout would be to call Session.Abandon(). Be sure to call this from a page separate from your application though, as the session isn't actually ended until all script commands on the current page are processed.

My understanding is that this would be a fairly clean way to test session timeouts without actually waiting for them.

Force an application restart

In a default configuration of session state, you can simulate a session timeout by blowing away the sessions entirely by causing the application to restart. This can be done several ways, a few of which are listed below:

  • Recycle the app pool through
    • the IIS MMC snap-in
    • the command-line (iisapp /a AppPoolID /r)
    • modifying web.config, global.asax, or a dll in the bin directory
  • Restart IIS through
    • the IIS MMC snap-in
    • services.msc and restarting the IIS Admin service
    • the command-line (iisreset)

When I mention "default configuration", I mean a web application that is configured to use "InProc" session state mode. There are others modes that can actually maintain session state even if the web application is restarted (StateServer, SQLServer, Custom).

Tamper with the state tracking mechanism

Assuming your web application isn't configured with a "cookie-less" mode (by default, cookies will be used), you could remove the cookie containing the session ID from the client browser.

However, my understanding is that this isn't really simulating a time-out, as the server will still be aware of the session, it just won't see anyone using it. The request without a session ID will simply be treated as an unseen request in need of a new session, which may or may not be what you want to test.

like image 156
J c Avatar answered Sep 23 '22 20:09

J c


Add a page to the site and call Session.Abandon()

like image 27
John Sheehan Avatar answered Sep 22 '22 20:09

John Sheehan