Detecting Session Timeout And Redirect To Login Page In ASP.NET

This is example of Detecting Session Timeout and Redirect to Login Page in ASP.NET, session timeout occurs when user is idle for the time specified as in web.config file.

For this i've set time out value in web.config to 1 minute.

1st Method
In web.config file, set the sessionstate mode to inproc and authentication mode to Forms
<system.web>
<compilation debug="true"/>
<authentication mode="Forms"/>
<sessionState mode="InProc" cookieless="false" timeout="1">
</sessionState>
</system.web> 


I've created three pages in this example , one is login page , when session expires , i redirect to this page , one is navigation page where i'll check if session is valid or not , if it is valid than only user will see this page other wise he gets redirected to login page.

Add Global.asax class file in root of your application or website.
This method works only if Global.asax is present in application.


Write below mentioned code in Page_Init event of the page where we want to check for session timeout.

we can also put this code in in a class and inherit all pages of application from this class acting as base class for all pages to check for session timeout.

C# CODE
protected void Page_Init(object sender, EventArgs e)
    {
        if (Context.Session != null)
        {
            if (Session.IsNewSession)
            {
                HttpCookie newSessionIdCookie = Request.Cookies["ASP.NET_SessionId"];
                if (newSessionIdCookie != null)
                {
                    string newSessionIdCookieValue = newSessionIdCookie.Value;
                    if (newSessionIdCookieValue != string.Empty)
                    {
                        // This means Session was timed Out and New Session was started
                        Response.Redirect("Login.aspx");
                    }
                }
            }
        }
    }

VB.NET
Protected Sub Page_Init(sender As Object, e As EventArgs)
 If Context.Session IsNot Nothing Then
  If Session.IsNewSession Then
   Dim newSessionIdCookie As HttpCookie = Request.Cookies("ASP.NET_SessionId")
   If newSessionIdCookie IsNot Nothing Then
    Dim newSessionIdCookieValue As String = newSessionIdCookie.Value
    If newSessionIdCookieValue <> String.Empty Then
     ' This means Session was timed Out and New Session was started
     Response.Redirect("Login.aspx")
    End If
   End If
  End If
 End If
End Sub


2nd Method.
Code for Default.aspx
<%@ Page Language="C#" AutoEventWireup="true"
CodeFile="Default.aspx.cs" Inherits="_Default" %>

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Button ID="btnSessionStart"
runat="server"
OnClick="btnSessionStart_Click"
Text="Start Session" /><br />
<br />
<br />
<asp:Button ID="btnCheck"
runat="server"
OnClick="btnCheck_Click"
Text="Check Session ID" />
<br />
<asp:TextBox ID="txtSession"
runat="server"
Width="266px">
</asp:TextBox><br />
<br />
<asp:Button ID="btnGO"
runat="server"
OnClick="btnGO_Click"
Text="Go to Other Page" />
<br />
<br />
</div>
</form>
</body>
</html>

And the code behind for this page is like
protected void btnSessionStart_Click
(object sender, EventArgs e)
{
Guid Session_id = Guid.NewGuid();
Session["SessionID"]
= Session_id.ToString();

}
protected void btnCheck_Click
(object sender, EventArgs e)
{
if (Session["SessionID"] != null)
txtSession.Text =
Session["SessionID"].ToString();
else
txtSession.Text =
"Session has expired";
}
protected void btnGO_Click
(object sender, EventArgs e)
{
Response.Redirect("Default2.aspx");
}

On the page where we want to check the session has timed out or not, we need to check it in the Page_Init event of the page , if session is not null than user will be able to go to the page other wise he will be redirected to login page.

In this page I've just put a button to go to home page
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Button ID="btnHome"
runat="server" OnClick="btnHome_Click"
Text="Home" /></div>
</form>
</body>
</html>

And the Code behind for this page is

protected void Page_Init(object sender, EventArgs e)
{
CheckSession();
}
protected void btnHome_Click(object sender, EventArgs e)
{
Response.Redirect("Default.aspx");
}

private void CheckSession()
{
if (Session["SessionID"] == null)
{
Response.Redirect("Login.aspx");
}

}

If we need to check this in all the pages of application than we can create a BaseClass and write the above mentioned code of CheckSession and Page_Init part and drive all ur pages from this class by typing BaseClassName in place of System.Web.UI.Page and it will check all pages for session timeout every time page is loaded


If you like this post than join us or share

16 comments:

Anonymous said...

Nice article.But hope u know about forms authentication,where asp.net will automatically redirect to login page,if login url is specified.There is no need for checking session like this in all pages.Thanks


Anonymous said...

Amit,

Forms Authentication just avoids this kind of checkin session inevery page. Also the Session State creating, removing is taken care automatically and you dont need to explicitly create. This technique is ASP Day technique.

Thanks,
Harish
http://geekswithblogs.net/ranganh


Anonymous said...

u can write your own httm module, that cheking if session expired, and if that happened you allow redirect to login page


Anonymous said...

Yeah I probably wouldnt do it like that!!! As mentioned, use what built in, rather than dodgy session checking. You are wasting server memory!


Anonymous said...

Forms authentication and Session are completely unrelated, and have very different purposes. Therefore, a method to detect a Session timeout is still very useful. I would do it in an HttpModule or in Global.asax though.


Josh Clark said...

Wouldn't it be better to use a base page class and build this method on your base page class...


Anonymous said...

In My opinion best place to check for session timeout would be the Global.asax file in the AcquireRequestState event.That removes the dependency on checking for every page.


Unknown said...

I have a related article but that uses the new Session.IsNewSession instead of checking a certain session object.


Nishanth Nair said...

Good article. However, it would be nice if you could write an article on how to tell the user that the page is going to expire in 2minutes or so as a popup. This happens without a postback on an idle page. eg. HSBC online banking website.


Anonymous said...

Nishanth Nair,

I have tried this in master page.

#region Session alert handling
bool implementSessionAlert = false;
try
{
implementSessionAlert = Convert.ToBoolean(ConfigurationManager.AppSettings["ImplementSessionAlert"]);
}
catch
{ /*do nothing */ }
if (implementSessionAlert)
{
Session[SessionKeys.UserSession] = DateTime.Now;
object objSection = ConfigurationManager.GetSection("system.web/sessionState");

// Get the section related object.
System.Web.Configuration.SessionStateSection sessionStateSection =
(System.Web.Configuration.SessionStateSection)objSection;


bool addAlert = true;
int minutesBeforePrefernce = 4;
try
{
minutesBeforePrefernce = Convert.ToInt32(ConfigurationManager.AppSettings["MinutesBeforePrefernce"]);
if (minutesBeforePrefernce >= sessionStateSection.Timeout.Minutes)
{
// TODO: log
addAlert = false;
}
}
catch
{ /*do nothing */ }

if (addAlert)
{
DateTime sessionStartTime = Common.GetSafeDateTimeFromSession(SessionKeys.UserSession);
DateTime alertAfterTime = sessionStartTime.AddMinutes(sessionStateSection.Timeout.Minutes - minutesBeforePrefernce);
TimeSpan alertAfter = alertAfterTime.Subtract(sessionStartTime);

string openBrace = "{";
string closBrace = "}";
string newLine = "\\\\r\\\\n\\\\r\\\\n";
string tab = "\\\\r";

string jscript =
string.Format("var timeOutId; timeOutId = setTimeout(\" var confirmResult = confirm('Session will end at {2} in {0} minutes. {5}{6}OK - to go to the landing page and start a new Session. {5}{6}Cancel - to stay on the current page. Canceling and interaction after session ends might cause unexpected results.'); if(confirmResult) {3} self.location = '.'; {4} /*else {3} alert(new Date().toLocaleTimeString()); {4}*/\", {1});",
minutesBeforePrefernce, alertAfter.TotalMilliseconds, sessionStartTime.AddMinutes(sessionStateSection.Timeout.Minutes).ToLongTimeString(), openBrace, closBrace, newLine, tab);

Page.ClientScript.RegisterStartupScript(
typeof(string),
"SessionTimeOutAlert",
jscript,
true);
}
}
#endregion


Anonymous said...

basically only these lines two matter.

string jscript =
string.Format("var timeOutId; timeOutId = setTimeout(\" var confirmResult = confirm('Session will end at {2} in {0} minutes. {5}{6}OK - to go to the landing page and start a new Session. {5}{6}Cancel - to stay on the current page. Canceling and interaction after session ends might cause unexpected results.'); if(confirmResult) {3} self.location = '.'; {4} /*else {3} alert(new Date().toLocaleTimeString()); {4}*/\", {1});",
minutesBeforePrefernce, alertAfter.TotalMilliseconds, sessionStartTime.AddMinutes(sessionStateSection.Timeout.Minutes).ToLongTimeString(), openBrace, closBrace, newLine, tab);

Page.ClientScript.RegisterStartupScript(
typeof(string),
"SessionTimeOutAlert",
jscript,
true);


Saiful Alam said...

This comment has been removed by a blog administrator.


Shakti Singh Dulawat said...

This comment has been removed by a blog administrator.


Unknown said...
This comment has been removed by the author.

Kiahui said...

Hi. Just want to ask , if i dont't want to see those check session things, jus want to make sure after login, it will session timeout after like 5-10 mins like that. Possible ?


xGs_Manco said...

how can i make itself but each minute check if is or not opened.


Find More Articles