Session_End in Global.asax.cs not firing using forms authentication

3

3

I have an asp.net 4.0 application that is using forms authentication set to a timeout at 45 minutes. I would like to redirect the user to a timeout page when the session has expired. Can anyone tell me how to do this? I am running .net 4.0.

web.config has:

<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="~/Login.aspx"
    defaultUrl="~/Default.aspx" protection="All" timeout="45"
    requireSSL="false">
  </forms>
</authentication>

Global.asax.cs file has:

void Session_End(object sender, EventArgs e)
{
    Response.Redirect("~/Timeout.aspx");
}  
Cardew answered 15/12, 2010 at 18:12 Comment(0)
6

It's not possible to do a redirect in the Session_End method. It's not running as a result of a request, so it doesn't have a Response object and there is no response to redirect anywhere.

It's not possible to do anything in the browser as a result of the session expiring. The HTTP protocol is request oriented, so there is no way to push a message from the server to the browser without the browser asking for it.

The browser just can't find out if the session has expired or not. If you would poll the server to check if the session has expired, it would keep the session alive, defeating the purpose of the timeout.

You can make a redirect after 45 minutes using just client script:

window.setTimeout(function() {
  window.location.href = '/Timeout.aspx';
}, 1000*45*60);

However, this will make the redirect only based on the time since this browser window last contacted the server. If you have more than one browser window for the same session, it's possible that the session has actually not timed out.

Hamlet answered 15/12, 2010 at 18:26 Comment(4)
the redirect could be a refresh even, or some kind of ajax call that checks session data. – Absorber
You're right. You think I could use something like jQuery idleTimer (paulirish.com/2009/jquery-idletimer-plugin), set it to 45 minutes like you did with (window.setTimeout) and redirect? You think that might work well? I can wait for 45 minutes idle time and force a logout/session-end/redirect. – Cardew
@krefftc: I didn't read much on the page that you linked to, due to its very jerky and annoying animations, but I think that the idle timer tries to find out if the user is active in the browser or not. The session timeout doesn't care at all what the user does in the browser unless the browser fetches something from the server, so it's not at all affected by that. Thus, the setTimeout would better correspond to when the session times out on the server. – Hamlet
the site I posted had beautiful animations of Christmas snowflakes blowing in your face, what's not to love?...no but seriously, I get what you're saying, thanks! – Cardew
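The multi-window caveat in the answer above can be handled by sharing the time of the last server contact between tabs through localStorage, so the redirect only fires when no tab has touched the server for 45 minutes. This is an added example, not code from any of the posts; the key name `lastServerContact` and the function names are assumptions, and the server stays the authority on whether the session is still valid.

```javascript
const SESSION_TIMEOUT_MS = 45 * 60 * 1000; // matches timeout="45" in web.config
const CONTACT_KEY = 'lastServerContact';   // hypothetical localStorage key

// Call after every page load or AJAX response, in every tab.
function recordServerContact(storage, nowMs) {
  storage.setItem(CONTACT_KEY, String(nowMs));
}

// Milliseconds left before the timeout, judged by the most recent contact
// from ANY tab. A missing or corrupt value counts as already expired.
function msUntilExpiry(storage, nowMs) {
  const last = Number(storage.getItem(CONTACT_KEY));
  if (!Number.isFinite(last) || last <= 0) return 0;
  return Math.max(0, last + SESSION_TIMEOUT_MS - nowMs);
}

// Arms a timer. When it fires, storage is re-read because another tab may
// have contacted the server meanwhile; in that case the timer is re-armed
// for the remaining time instead of redirecting.
function watchSession(storage, clock, setTimer, redirect) {
  const check = () => {
    const remaining = msUntilExpiry(storage, clock());
    if (remaining === 0) {
      redirect('/Timeout.aspx');
      return;
    }
    setTimer(check, remaining);
  };
  check();
}

// Browser wiring (skipped when the file is loaded outside a browser).
if (typeof window !== 'undefined') {
  recordServerContact(window.localStorage, Date.now());
  watchSession(
    window.localStorage,
    Date.now,
    (fn, ms) => window.setTimeout(fn, ms),
    (url) => { window.location.href = url; }
  );
}
```

The timer never sends a request itself, so it does not keep the session alive the way polling would.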
3

How is your session state implemented? Session_End only works when you are using InProc.

See http://www.eggheadcafe.com/articles/20021016.asp

Azriel answered 15/12, 2010 at 18:16 Comment(3)
I guess whatever session state forms authentication uses. – Cardew
Forms Authentication != Session State. – Azriel
Well at any rate the default is InProc. You'd have to manually change it to SQL Server or whatever else. Yes I know this is 7 years later, but I don't care. – Diversified
0

In MVC you can add this code in _ViewStart.cshtml

_ViewStart.cshtml:

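@{
     // Ask the browser to reload the page 5 seconds after the session timeout (Session.Timeout is in minutes).
     Response.AddHeader("Refresh", Convert.ToString((Session.Timeout * 60) + 5));

     // IsNewSession is true when the session was created with the current request.
     if (Session.IsNewSession)
         Response.Redirect("Logout.aspx"); // or another page which you want.
}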

How to Redirect on Session End

Socialistic answered 24/3, 2016 at 14:12 Comment(0)
