locked
Catching an expired Session? RRS feed

  • Question

  • User292254219 posted

     I have an C# asp.net 2.0 application, I am trying to check for an expired session["userId"] and the appl deos not use cookies.

    I put this line of code in a base class (also tried the code in the Session_Start in the global - same issue), it triggers before I set the session Session["userID"]  in my default.aspx  page (so everytime I start the application, I get the expired message page)

    What am I missing?:

    override protected void OnInit(EventArgs e)
            {
                //initialize our base class (System.Web,UI.Page)        
                base.OnInit(e);
    
                ////check to see if the Session is null (doesnt exist)        
                //if (Context.Session != null)
                //{
                //    //check the IsNewSession value, this will tell us if the session has been reset.            
                //    //IsNewSession will also let us know if the users session has timed out            
                //    if (Session.IsNewSession)
                //    {
                //        //check if session is null               
                //        if (Session["userID"] == null)
                //        {    
                //            //the session has expired so we need to redirect them                    
                //            Response.Redirect("Errors.aspx");
                //        }
                //    }
    
                //}
            }
    On a side note, I see this code floating around (if a APP deos uses cookies, this code whould not work?):
     
     if (Session.IsNewSession)
        {
         // If it says it is a new session, but an existing cookie exists, then it must 
       // have timed out (can't use the cookie collection because even on first 
       // request it already contains the cookie (request and response
         // seem to share the collection)
         string szCookieHeader = Request.Headers["Cookie"];
         if ((null != szCookieHeader) && (szCookieHeader.IndexOf("ASP.NET_SessionId") >= 0))
         {
          Response.Redirect("sessionTimeout.htm");
         }  
        } 
    }
      
     
      
    Friday, June 27, 2008 4:33 PM

Answers

  • User1174340047 posted

    hi, chaumette@gmail.com

    because of the stateless of the HTTP, cookie is a way to save the state of the http requests. in the case of session cookie, without the cookie, the web server can not determine whether a given client has visited the side before. 

    when the  EnableSessionState of a page is true and there is session data saving in the page(without really session data saving, session cookie is not sent to the broswer even the EnableSessionState is set to true), the web server  appends a session cookie(name ) to the http response. The broswer receives the cookie and appends it to the subsenquent requests so that multiple requests coming from the same broswer can be recognized by the server.

    1). Where did you place it (Global.asx or BaseClass)? What event (preInt)?

    i recommend placing it at the early stage of the asp.net pipeline, as early as possible. That means you should detect the session timeout as early as possible, considering performance issue.

    i develop a http module to as the detector, AcquireRequestState is the earliest stage i found: 

    1        public class SessioinTimeoutDetector : IHttpModule
    2        {
    3            public void Init(HttpApplication context)
    4            {
    5    
    6                context.AcquireRequestState += new EventHandler(context_AcquireRequestState);
    7            }
    8    
    9            void context_AcquireRequestState(object sender, EventArgs e)
    10           {
    11               if (HttpContext.Current.Session != null && HttpContext.Current.Session.IsNewSession)
    12               {
    13                   if (HttpContext.Current.Request.Cookies != null && HttpContext.Current.Request.Cookies["ASP.NET_SessionId"] != null)
    14                   {
    15                       HttpContext.Current.Response.Redirect("SessionTimeout.aspx", true); 
    16                   }
    17               }
    18           }
    19           public void Dispose() { }
    20       }
    
    Another thing to notice, make sure the SessionTimeout.aspx's  EnableSessionState is false, otherwise infinite redirecting to the 
    SessionTimeout.aspx page occurs because the request to SessionTimeout.aspx satisfies the two "if" in context_AcquireRequestState().
     Hope this can help you. Thank you.
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, June 28, 2008 1:46 AM
  • User-1107949042 posted

    Hi there,

    1) I added that code for each page preinit ( or your master page preinit)

    2) good question the reality is that the session information is saved by asp.net in this cookie then when client hitting back to server server detect the session by that.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, June 28, 2008 6:03 AM

All replies

  • User-1107949042 posted

    hi there,

    I am using this:

    if (Session.IsNewSession)

    {

    string szCookieHeader = System.Web.HttpContext.Current.Request.Headers["Cookie"];if ((szCookieHeader != null) && (szCookieHeader.IndexOf("ASP.NET_SessionId") > -1))

    {

    System.Web.
    HttpContext.Current.Response.Redirect("SessionTimeout.aspx", true);

    }

    }

    and it is working perfectly

    you may use this in Pare_PreInit

    Friday, June 27, 2008 6:08 PM
  • User292254219 posted

    Thank you Emady for your response. I have 2 questions:

    1). Where did you place it (Global.asx or BaseClass)? What event (preInt)?

    2). Are "Cookie" and "ASP.NET_SessionId" some type of asp.net global variables? What are they?  

    Friday, June 27, 2008 6:47 PM
  • User1174340047 posted

    hi, chaumette@gmail.com

    because of the stateless of the HTTP, cookie is a way to save the state of the http requests. in the case of session cookie, without the cookie, the web server can not determine whether a given client has visited the side before. 

    when the  EnableSessionState of a page is true and there is session data saving in the page(without really session data saving, session cookie is not sent to the broswer even the EnableSessionState is set to true), the web server  appends a session cookie(name ) to the http response. The broswer receives the cookie and appends it to the subsenquent requests so that multiple requests coming from the same broswer can be recognized by the server.

    1). Where did you place it (Global.asx or BaseClass)? What event (preInt)?

    i recommend placing it at the early stage of the asp.net pipeline, as early as possible. That means you should detect the session timeout as early as possible, considering performance issue.

    i develop a http module to as the detector, AcquireRequestState is the earliest stage i found: 

    1        public class SessioinTimeoutDetector : IHttpModule
    2        {
    3            public void Init(HttpApplication context)
    4            {
    5    
    6                context.AcquireRequestState += new EventHandler(context_AcquireRequestState);
    7            }
    8    
    9            void context_AcquireRequestState(object sender, EventArgs e)
    10           {
    11               if (HttpContext.Current.Session != null && HttpContext.Current.Session.IsNewSession)
    12               {
    13                   if (HttpContext.Current.Request.Cookies != null && HttpContext.Current.Request.Cookies["ASP.NET_SessionId"] != null)
    14                   {
    15                       HttpContext.Current.Response.Redirect("SessionTimeout.aspx", true); 
    16                   }
    17               }
    18           }
    19           public void Dispose() { }
    20       }
    
    Another thing to notice, make sure the SessionTimeout.aspx's  EnableSessionState is false, otherwise infinite redirecting to the 
    SessionTimeout.aspx page occurs because the request to SessionTimeout.aspx satisfies the two "if" in context_AcquireRequestState().
     Hope this can help you. Thank you.
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, June 28, 2008 1:46 AM
  • User-1107949042 posted

    Hi there,

    1) I added that code for each page preinit ( or your master page preinit)

    2) good question the reality is that the session information is saved by asp.net in this cookie then when client hitting back to server server detect the session by that.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, June 28, 2008 6:03 AM
  • User1418460105 posted

    This is very helpful to me also. Just one question here,

    I am using a html file here to redirect my page in place of "SessionTimeout.aspx", so can i apply that EnableSessionState=False in html file also, or i have to create a aspx file for that. Because i am facing that problem of redirecting again and again.

    Thanks,

    Gaurav

    Thursday, September 26, 2013 3:55 AM