session variables timeout in asp.net app

Question

In my web app I'm using some session variables, which are set when I login:

e.g. Session("user_id") = reader("user_id")

I use this through my app.

When the session variable times out, this throws errors mainly when connecting to the database as session("user_id") is required for some queries.

How can I set my session variables so that once they are timed out to go to the login page or how can at least increase the length of time the are available?

Answer 1

I'm guessing you're using Forms Authentication. The trick here is to ensure that your Forms Authentication expires before the session does.

I wrote about this in this answer here:

How to redirect to LogIn page when Session is expired (ASP.NET 3.5 FormsAuthen)

For example:

Configure your Forms Authentication - this sets the timeout to 60 minutes:

<authentication mode="Forms">
    <forms defaultUrl="~/Default.aspx"
        loginUrl="~/Login.aspx"
        slidingExpiration="true"
        timeout="60" />
</authentication>

Extend Session expiry to a longer time:

<sessionState 
    mode="InProc" 
    cookieless="false" 
    timeout="70"/>

In your Login.aspx code behind you could also do a Session.Clear(); to remove stale session data before assigning session values.

Answer 2

In the past I've used a base page or master page on every page (making an exception for the login page) that reads a session token to see if a user is logged in currently.

If it ever reads a null it saves the current url and redirects to the login page.

After logging in it reads the saved url and redirects the user back to the requested page.

Increasing the session timeout value is a setting in IIS.

Answer 3

How can I set my session variables so that once they are timed out to go to the login page

Check if they are = null do a Response.Redirect("Home.aspx");

or how can at least increase the length of time the are available?

Its in the web.config within the sessionState element

Answer 4

I think a lot of people wrap their session calls to provide a "lazy load" pattern. Something like this:

class SessionHelper
{
    public static string GetUserId()
    {
        string userId = (string)System.Web.HttpContext.Current.Session["UserId"];

        if( userId == null )
        {
           userId = reader("UserId");
           System.Web.HttpContext.Current.Session["UserId"] = userId;
        }

        return userId;
    }
}