9

I need a way to tell ASP.NET "Kill the current session and start over with a brand new one" before/after a redirect to a page.

Here's what I'm trying to do:

1) Detect when a session is expired in the master page (or Global.asax) of an ASP.NET application.

2) If the session is expired, redirect the user to a page telling them that their session is expired. On this page, it will wait 5 seconds and then redirect the user to the main page of the application, or alternatively they can click a link to get there sooner if they wish.

3) User arrives at main page and begins to use the application again.

Ok, so far I have steps 1 and 2 covered. I have a function that detects session expiry by using the IsNewSession property and the ASP.NET Session ID cookie value. If it detects an expired session, it redirects, waits five seconds and then TRIES to go to the main page.

The problem is that when it tries to redirect, it gets to the part in the master page to detect an expired session and it returns true. I've tried calling Session.Abandon(), Session.Clear(), even setting the session to NULL, with no luck.

Someone out there has had to have faced this problem before, so I'm confident in the community to have a good solution. Thanks in advance.

BartoszKP
Robert Iver
  • I'm not sure why you have a problem. Why should the IsNewSession be true when the main page is requested? By that time you've had a request to some page and then a request to the "Session expired" and then to main page. Why would IsNewSession still be true? – AnthonyWJones Feb 03 '09 at 22:32

5 Answers

12

The problem you are describing happens because ASP.NET is reusing the session ID. If the session ID still exists in the auth cookie when you call Abandon(), it will just reuse it. You need to explicitly create a new session ID, AFAIK, with something like:

    // Expire the session ID cookie so the browser discards the old ID
    HttpCookie mycookie = new HttpCookie("ASP.NET_SessionId");
    mycookie.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(mycookie);
Element
2

For ASP.NET MVC this is what I'm doing with an action method.

Note:

  • Returns a simple view with no other resources that might accidentally re-create a session
  • I return the current time and session id so you can verify the action completed successfully

    public ActionResult ExpireSession()
    {
        string sessionId = Session.SessionID;
        Session.Abandon();
        return new ContentResult()
        {
            Content = "Session '" + sessionId + "' abandoned at " + DateTime.Now
        };
    }
    
Simon_Weaver
2

The code in your master page, which detects an expired session and redirects, should look like this:

    if (Session != null
        && Session.IsNewSession
        && Request.Cookies["ASP.NET_SessionId"] != null
        && Request.Cookies["ASP.NET_SessionId"].Value != "")
    {
        Session.Clear();
        Response.Redirect(timeoutPageUrl);
    }

Calling Session.Clear() before redirecting ensures that on the subsequent page, Session.IsNewSession will be false.

Also note that I am checking for an empty string in the value of the ASP.NET_SessionId cookie. This helps to prevent a logout from being mistaken as an expired session, if you happen to call Session.Abandon() in your logout process. In that case, make sure you expire the old session cookie as a part of the logout process:

    Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.MinValue;
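
The detection check and the cookie reset described in the answers above, combined into one helper. This is an added example, not code from any of the answers; the names SessionReset, IsExpired, StartOver and RedirectIfExpired are hypothetical, and it assumes classic ASP.NET (System.Web) with the default session cookie name.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example: hypothetical helper for classic ASP.NET (System.Web).
public static class SessionReset
{
    // Default cookie name (assumed); differs if <sessionState cookieName="..."> is set.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // True when the browser sent a session ID cookie but the server had to start
    // a new session for it, i.e. the previous session timed out.
    public static bool IsExpired(HttpContext context)
    {
        HttpSessionState session = context.Session;
        HttpCookie cookie = context.Request.Cookies[SessionCookieName];
        return session != null && session.IsNewSession
            && cookie != null && !string.IsNullOrEmpty(cookie.Value);
    }

    // Drops server-side state and expires the ID cookie, so the next request
    // gets a fresh session ID instead of reusing the old one.
    public static void StartOver(HttpContext context)
    {
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }
        context.Response.Cookies.Add(new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
    }

    // Call early in the request, e.g. from the master page's Page_Init.
    public static void RedirectIfExpired(HttpContext context, string timeoutPageUrl)
    {
        if (!IsExpired(context)) return;
        StartOver(context);
        // Same redirect call as in the answer above; it ends the current response.
        context.Response.Redirect(timeoutPageUrl);
    }
}
```

Because the cookie is expired in the same response as the redirect, the request for the timeout page arrives without the old ID, so IsExpired returns false there and the redirect does not loop.
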
0

The trick of adding the cookie worked for me also, as follows:

    Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
        ' Code that runs when a new session is started
        If Session.IsNewSession Then
            'If Not IsNothing(Request.Headers("Cookie")) And Request.Headers("Cookie").IndexOf("ASP.NET_SessionId") >= 0 Then
            If Not IsNothing(Request.Headers("Cookie")) AndAlso Request.Headers("Cookie").IndexOf("ASP.NET_SessionId") >= 0 Then
                'VB code
                Dim MyCookie As HttpCookie = New HttpCookie("ASP.NET_SessionId")
                MyCookie.Expires = System.DateTime.Now.AddDays(-1)
                Response.Cookies.Add(MyCookie)

                'C# code
                'HttpCookie mycookie = new HttpCookie("ASP.NET_SessionId");
                'mycookie.Expires = DateTime.Now.AddDays(-1);
                'Response.Cookies.Add(mycookie);

                Response.Redirect("/timeout.aspx")
            End If
        End If
    End Sub
-1

Are you calling Session.Abandon in your special "Your session expired" page? If so, don't.

AnthonyWJones