ASP.Net Session Timeout detection: Is Session.IsNewSession and SessionCookie detection the best way to do this?

南旧 2020-12-09 13:03

When my ASP.Net session times out (and forms authentication as well) and I try to hit a page, I am automatically redirected to my default login.aspx page.

Before th

2 Answers
  • 2020-12-09 13:45

    You may also look in your web.config file under the tag authentication. This should look something like this:

    <authentication mode="Windows">
      <forms defaultUrl="Default.aspx" loginUrl="Login.aspx" name=".aspxAuth">
      </forms>
    </authentication>
    

    Notice the attribute mode; it probably says Forms instead of Windows in your web.config file. In this case, if you lose your session and then click on any link (let's say SalesChart.aspx), ASP.NET will take you directly to the Login.aspx codebehind instead of the SalesChart.aspx codebehind, which is particularly annoying.

    If you try Windows mode, you will be taken to the requested page (SalesChart.aspx) every time, and can then decide on your own what action to take if the session is lost.

  • 2020-12-09 13:56

    You are trying to distinguish between a timed-out session and a session that was manually logged out?

    Your problem is that since the session data is gone all you have to go on is that a new request coming in has created a new session and the request coming in carries a session ID cookie (indicating that it had been logged in before).

    There are two approaches.

    Cookie:

    First, in your login page you could create an additional cookie that indicates the login status of the user. When the user manually logs out, the cookie value is modified to indicate the logout. A request after a session has timed out will, in addition to having IsNewSession true, also have a login status cookie showing the user is still logged in, thus indicating the user hadn't manually chosen to log out.

    Database:

    A second approach is to store sessionIDs in a DB table along with logged-in status. When a logon is successful, enter the sessionID into a LoggedOnSessions table. When the user manually logs off, delete the sessionID from the table. Hence your timeout detection can include a lookup of the session ID in the table; if present, it was a timeout (at this point you should probably remove the ID as well).

    For housekeeping purposes you should include an expiry datetime field which is set for much longer than any realistic logon period (a week for example). On a regular basis (e.g., weekly) delete entries in the table that have expired.

    My preference is the database approach; I hate setting cookies because it irks me that that cookie is being sent with every request but is rarely needed.

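The database approach from the second answer, as an added example that is not part of the original answers: an in-memory dictionary stands in for the LoggedOnSessions table, and the type and method names (`LoggedOnSessions`, `RequestKind`, `Classify`) and the sample session IDs are assumptions. In a page, `isNewSession` would come from `Session.IsNewSession` and `cookieSessionId` from the session ID cookie on the incoming request.

```csharp
using System;
using System.Collections.Generic;
// Added example; all type and method names here are illustrative assumptions.
public enum RequestKind { ActiveSession, FirstVisit, TimedOut, LoggedOutOrUnknown }

public class LoggedOnSessions
{
    // sessionId -> housekeeping expiry, set far longer than any realistic logon period.
    private readonly Dictionary<string, DateTime> _rows = new Dictionary<string, DateTime>();
    private static readonly TimeSpan Retention = TimeSpan.FromDays(7);

    public void OnLogin(string sessionId, DateTime now) => _rows[sessionId] = now + Retention;
    public void OnManualLogout(string sessionId) => _rows.Remove(sessionId);
    // Periodic cleanup: drop rows whose expiry has passed, return how many were dropped.
    public int Purge(DateTime now)
    {
        var expired = new List<string>();
        foreach (var row in _rows) if (row.Value <= now) expired.Add(row.Key);
        foreach (var id in expired) _rows.Remove(id);
        return expired.Count;
    }

    // isNewSession: Session.IsNewSession for this request.
    // cookieSessionId: session ID cookie value sent by the browser, or null if none.
    public RequestKind Classify(bool isNewSession, string cookieSessionId, DateTime now)
    {
        if (!isNewSession) return RequestKind.ActiveSession;
        if (string.IsNullOrEmpty(cookieSessionId)) return RequestKind.FirstVisit;
        if (!_rows.TryGetValue(cookieSessionId, out var expiry))
            return RequestKind.LoggedOutOrUnknown;   // row deleted at logout, or never logged in
        _rows.Remove(cookieSessionId);               // report a given timeout only once
        return expiry > now ? RequestKind.TimedOut : RequestKind.LoggedOutOrUnknown;
    }
}

public static class Demo
{
    public static void Main()
    {
        var table = new LoggedOnSessions();
        var t0 = new DateTime(2020, 12, 9, 13, 0, 0, DateTimeKind.Utc); // constructed sample data
        table.OnLogin("sid-alice", t0);     // alice logs in and never logs out
        table.OnLogin("sid-bob", t0);       // bob logs in, then logs out manually
        table.OnManualLogout("sid-bob");
        Console.WriteLine(table.Classify(true, "sid-alice", t0.AddMinutes(30)));
        Console.WriteLine(table.Classify(true, "sid-alice", t0.AddMinutes(31)));
        Console.WriteLine(table.Classify(true, "sid-bob", t0.AddMinutes(30)));
        Console.WriteLine(table.Classify(true, null, t0.AddMinutes(30)));
    }
}
```

Use the result only to choose which message the login page shows: the session ID cookie is client-supplied, so a table hit must never restore an authenticated state.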