Published:
02 Apr 2008
|
Abstract
In this article, Steve walks through the steps required to implement a Session Logged Out page that users are automatically sent to in their browser when their ASP.NET session expires. He examines each step with the help of detailed explanation supported by relevant source code. |
 |
by Steven Smith
Feedback
|
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days):
6169/
866
|
|
|
|
| Introduction |
In many applications, an authenticated user's session
expires after a set amount of time, after which the user must log back into the
system to continue using the application. Often, the user may begin entering
data into a large form, switch to some other more pressing task, then return to
complete the form only to find that his session has expired and he has wasted his
time. One way to alleviate this user interface annoyance is to automatically redirect
the user to a "session expired" page once their session has expired. The
user may still lose some work he was in the middle of on the page he was on,
but that would have been lost anyway had he tried to submit it while no longer
authenticated. At least with this solution, the user immediately knows his
session has ended, and he can re-initiate it and continue his work without any
loss of time.
|
|
|
|
|
Article Feedback
User Comments
Title:
Check IsAuthenticated
Name:
Steve Smith
Date:
4/25/2008 8:18:20 AM
Comment:
@sessio- just check if they are logged in and only emit the meta refresh tag if they are.
|
Title:
sessio
Name:
liju
Date:
4/25/2008 12:34:24 AM
Comment:
hey, i have 1 prob.my site contains pages, into which i can go before login as well as after login.so how can i implement redirect to an expire page.aspx on session time out.
thanks in advance
|
Title:
Language resource file not read correctly
Name:
Mamdouh
Date:
4/23/2008 11:32:19 AM
Comment:
I have a bi-lingual application and i have used your approach and it works but it reverses the language. Could you tell me please how to read the language to display the page with specially that you know that the session is vanished. Note that i have used the cookies to store the language into it but the SesionExpired page still display in one language.
|
Title:
p.k.srivastava
Name:
jack
Date:
4/11/2008 3:36:44 PM
Comment:
worthless
|
Title:
Re: Master Page Still Worthwhile
Name:
Richard
Date:
4/9/2008 10:23:37 AM
Comment:
@Steve,
If you only want a module to apply to specific folders or pages, you can configure it within a location element in the web.config file:
http://msdn2.microsoft.com/en-us/library/b6x6shw7.aspx
|
Title:
Master Page Still Worthwhile
Name:
Steve
Date:
4/4/2008 1:04:02 PM
Comment:
@Richard,
You still want to use the master page, rather than a generic module, unless the entire site requires authentication. Usually it doesn't, and you don't want users coming to your home page and being sent to a session expired or login page.
|
Title:
Re: Refresh Meta Tag - not required
Name:
Richard
Date:
4/4/2008 12:18:53 PM
Comment:
Using Rick's suggestion, you don't even need a master page - you can add the header from an HttpModule instead.
private void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
HttpContext context = ((HttpApplication)sender).Context;
if (null != context.Session)
{
context.Response.AddHeader("Refresh",
string.Format("{0};url={1}",
60 * context.Session.Timeout,
SessionExpireDestinationUrl));
}
}
|
Title:
Re: Refresh Meta Tag - not required
Name:
Rick Strahl
Date:
4/4/2008 4:13:38 AM
Comment:
@Steve - Nice.
One thing though: you can actually skip the meta tag and use the Refresh HTTP header that it simulates which is a bit easier:
Response.AddHeader("Refresh","6;Page.aspx");
More detail here:
http://www.west-wind.com/WebLog/posts/6841.aspx
|
Title:
Good Point
Name:
Steve Smith
Date:
4/3/2008 9:33:40 AM
Comment:
@Herman - That's a fair point; this solution pretty much assumes that interactions that are maintaining the session are also generating new pages. If that is not a valid assumption for the application (e.g. it does a lot of AJAX or Flash/Silverlight interaction), then this approach would need to be tweaked a bit. The simplest change at that point would be to use AJAX to call back on a timer to see if the session is active, and if not, redirect. Perhaps I'll write a follow-up to demonstrate this technique, but it's not nearly as simple as this one and this one will work in a huge number of cases that don't make heavy use of AJAX.
|
Title:
Doesn't actually have anything to do with sessions
Name:
Herman
Date:
4/3/2008 7:57:30 AM
Comment:
You only provide a way to refresh a page. Wether the session has expired by then or not is something you don't even check.
Any AJAX or other activities like opening another tab for the same website postpone the session and your refresh counter will fail completely, telling the user the session has expired even though it is not.
|
Title:
Worthless?
Name:
Steve Smith
Date:
4/2/2008 11:48:26 AM
Comment:
Anon - Thanks for your feedback, but clearly there are others who disagree, and not all that we publish is targeted at advanced developers. Sometimes simple things have value, too. I hope, for the most part, the content you find on this site is valuable to you, and if it isn't, that it is valuable to others. Take care.
|
Title:
Worthless
Name:
Anon
Date:
4/2/2008 5:53:07 AM
Comment:
This post is completely worthless. ASP Alliance should take care of the newly posted articles.
|
Title:
Great & Thx
Name:
Steven Kimpe
Date:
4/2/2008 5:46:29 AM
Comment:
A realy nice short piece of code! I've implemented the code straight away into one of our websites. Thx again!
|
Title:
another way
Name:
Vahid
Date:
4/2/2008 4:47:10 AM
Comment:
protected void Page_Load(object sender, EventArgs e)
{
if (!Page.IsPostBack)
Response.AppendHeader("Refresh", ((Session.Timeout * 60) + 5).ToString() + "; Url=login.aspx");
}
|
Title:
Good article!
Name:
Satheesh babu
Date:
4/2/2008 4:11:04 AM
Comment:
Nice article..It is quiet neat and simple!
Regards,
Satheesh
www.codedigest.com
|
|
Product Spotlight
|
|
|
