Gracefully handle session timeout on an ASP.NET page

I have a website that uses the ASP.NET membership model for security. While it works fine for the most part, I'm having trouble figuring out how to handle the case where the user is logged in but idle for a length of time. When this happens, they are automatically logged out of the system but the client shows no sign of this until the user tries to do something that posts back to the server. My question is in 2 parts:

1. How do I set the length of the timeout interval?
2. At session end, is there any way to force the client to act? Ideally, I need it to save any unsaved work and then redirect to the login screen. Less ideally, I at least need it to show the user that the session has timed out either by a Javascript message or page redirect.

Thanks,

Russ Suter
 
jklNYC Commented:
1. You can set the session timeout value in the web.config. The default timeout for IIS and .NET is 20 minutes.
<sessionState mode="InProc" cookieless="false" timeout="20"/>

2. This one can be a little more complicated but can be achieved using AJAX. Create a JavaScript function that runs on the page continuously (every 60 seconds?). This function should make an asynchronous call to another aspx page. The sole action on that page should be to check the session object to determine whether or not the session has ended. That page should return a true/false value back to the calling JavaScript function. Then you can process the "false" response accordingly.
 
Russ Suter (Author) Commented:
I'm sorry I haven't looked at this solution for a little while. I've been dealing with other emergencies and, in the last few days, brush fires (I live in So Cal).

Thank you jklNYC for your response. I am intrigued to learn more about how you would implement the 2nd part of what you proposed. Do you have an example of how I could accomplish this?
 
jklNYC Commented:
Here's one way to implement #2.

Once the user is successfully authenticated and logged in, create a session variable, maybe ["IsLoggedIn"], and set the value to "true".

Create a simple asmx (CheckLogin.asmx) page whose sole purpose is to return the value of session["IsLoggedIn"]. Just output that variable value to the response.

On all other pages, create a JavaScript function which does an asynchronous (AJAX) call to that page (CheckLogin.asmx). Then check the response value of that async call. If the response value is "false", then show some kind of pop-up or something to let the person know their session has timed out.

That's it.


As for setting the timeout interval, that can be done in the web.config, in the forms authentication section. I think the default setting is 20 minutes.
 
Russ Suter (Author) Commented:
While I know C# quite well, I'm not very well versed in Javascript. What might the AJAX call look like?
 
jklNYC Commented:
The JavaScript code below should work for you. You would call the ajaxSubmit method and pass in the URL of the asmx page, something like:

ajaxSubmit('GET', 'CheckLogin.asmx');



==========================

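var xmlHttp;

// Creates the request object. Returns true on success, false if the
// browser offers no XMLHttpRequest implementation.
function initAjax()
{
    try
    {
        // Firefox, Opera 8.0+, Safari
        xmlHttp = new XMLHttpRequest();
    }
    catch (e)
    {
        // Internet Explorer
        try
        {
            xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
        }
        catch (e)
        {
            try
            {
                xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
            }
            catch (e)
            {
                alert("Your browser does not support AJAX!");
                return false;
            }
        }
    }
    return true;
}

// Sends an asynchronous request; checkLoginStatus handles the reply.
function ajaxSubmit(method, url)
{
    // Stop here if no request object could be created
    if (!initAjax())
        return;

    xmlHttp.onreadystatechange = checkLoginStatus;

    xmlHttp.open(method, url, true);
    xmlHttp.send(null);
}

function checkLoginStatus()
{
    // readyState 4 means the response has fully arrived
    if (xmlHttp != null && xmlHttp.readyState == 4)
    {
        // Compares against the bare string "true" in the response body
        if (xmlHttp.responseText == "true")
        {
            //  still logged in. do something
        }
        else
        {
            //  no longer logged in. do something else.
        }
    }
}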

==========================
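Added example, not part of the original thread: each poll of CheckLogin.asmx is itself a request carrying the session cookie, and ASP.NET session state uses a sliding timeout, so a 60-second poll can keep an idle session alive indefinitely. The code below instead mirrors the timeout on the client and resets it only on real server requests. `createIdleWatcher`, `Login.aspx` and the 2-minute warning window are assumptions; the 20 minutes is the value quoted in the thread.

```javascript
// Added example; createIdleWatcher and Login.aspx are hypothetical names.
function createIdleWatcher(opts) {
    var now = opts.now || Date.now;      // injectable clock, eases testing
    var lastServerContact = now();
    var state = "active";                // "active" | "warning" | "expired"

    return {
        // Call after every request that really reaches the server (page
        // load, postback, ajax save): each one restarts the sliding timeout.
        touch: function () {
            if (state === "expired") return; // the server session is gone
            lastServerContact = now();
            state = "active";
        },
        // Call from a local timer. It makes no request, so it cannot
        // extend the server-side session.
        check: function () {
            var remaining = opts.timeoutMs - (now() - lastServerContact);
            if (remaining <= 0) {
                if (state !== "expired") { state = "expired"; opts.onExpire(); }
            } else if (remaining <= opts.warnMs && state === "active") {
                state = "warning";
                opts.onWarn(remaining);
            }
            return state;
        }
    };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== "undefined") {
    var watcher = createIdleWatcher({
        timeoutMs: 20 * 60 * 1000,       // the 20 minutes from web.config
        warnMs: 2 * 60 * 1000,           // assumed warning window
        onWarn: function (ms) {
            // Prompt the user to save; the save postback should call touch().
            alert("Your session expires in " + Math.ceil(ms / 60000) +
                  " minute(s). Please save your work.");
        },
        onExpire: function () {
            window.location.href = "Login.aspx";
        }
    });
    setInterval(watcher.check, 1000);
}
```

The server remains the authority on expiry; the watcher only tells the user what the server will already have done.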
