0

I can set a 20-minute timeout for the sessions, which means that if the user doesn't make a request within the 20-minute period, his/her session expires.

<sessionState timeout="20" />

But what I need is to be able to expire the session after a certain time, no matter whether the user is still sending requests.

For example, after 4 hours the session must be expired no matter whether the user sends another request or not; that's to prevent malware from abusing the default session behaviour...

How to configure or implement it in ASP.NET?

I hoped there would be a config setting but I couldn't find one.

Many thanks

The Light

3 Answers

1

There is no configuration setting for this requirement as it is rather unique.

You can implement this by issuing a cookie to the client when it first connects - check this cookie on every request and start rejecting it when 4 hours have passed. You can either store this start time in a cookie or in a Session variable.

Oded
0

As Oded mentioned, you should also store the first login time in the session on the session start event, and when you are reading the session, check the time and use Session.Clear();

An easy way to check the session start time is to access it using a global property.

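public User CurrentUser
{
    get
    {
        User user = (User)Session["CurrentUser"];
        // Hard limit: compare the age of the session with 4 hours (adjust as needed).
        // Assumes User.startTime is a UTC DateTime set when the session started.
        if (user != null && DateTime.UtcNow - user.startTime > TimeSpan.FromHours(4))
            Session.Clear(); // or .Abandon(); [Check Here][1]

        // Returns null once the session has been cleared.
        return (User)Session["CurrentUser"];
    }
}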

Check Here

Community
Onur Topal
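The check described in the two answers above (record the start time when the session starts, test it on every request), written out as an added example that is not code from any of the posters. It assumes a `Global.asax.cs` in a classic ASP.NET application, the default session cookie name `ASP.NET_SessionId`, and two hypothetical names: the session key `SessionStartedUtc` and the login page `~/Login.aspx`.

```csharp
using System;
using System.Web;

// Global.asax.cs: absolute (hard) session lifetime on top of the sliding
// idle timeout configured with <sessionState timeout="20" />.
public class Global : HttpApplication
{
    private const string StartedKey = "SessionStartedUtc";   // hypothetical key name
    private static readonly TimeSpan MaxLifetime = TimeSpan.FromHours(4);

    // Pure check, kept separate so it can be unit tested.
    public static bool IsExpired(DateTime? startedUtc, DateTime nowUtc)
    {
        // A missing start time is treated as expired (fail closed).
        return startedUtc == null || nowUtc - startedUtc.Value >= MaxLifetime;
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        // Kept in server-side session state, so the client cannot move it forward.
        // It is written once and never refreshed, unlike the idle timeout.
        Session[StartedKey] = DateTime.UtcNow;
    }

    // Runs on every request after session state has been loaded.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null)
            return; // handler that does not use session state (e.g. static files)

        if (IsExpired(ctx.Session[StartedKey] as DateTime?, DateTime.UtcNow))
        {
            ctx.Session.Clear();
            ctx.Session.Abandon();
            // Abandon() alone leaves the session cookie in place; expire it so
            // the next request is issued a fresh session ID.
            ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
            {
                Expires = DateTime.UtcNow.AddDays(-1),
                HttpOnly = true
            });
            ctx.Response.Redirect("~/Login.aspx", false); // hypothetical login page
            CompleteRequest();
        }
    }
}
```

If the application uses forms authentication, the authentication ticket has its own lifetime and needs the same absolute limit, otherwise a new session is simply created for the still-authenticated user.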
0

This has a code sample and is exactly what I want:

http://pooyakhamooshi.blogspot.co.uk/2012/10/how-to-implement-hard-session-expiry-in.html

The Light