
ASP.NET Session timeout behavior

I am using the Session object in my code to store the user login which will be saved to the DB.

I want to make sure about the behavior on session timeout.

If the session times out, what can the user do? I guess browsing to different pages does not restore the session? So the only choice is to close all of the browsers and come back in, and the Session becomes alive again?

I want to know under what conditions Session won't be alive again.

Also, does the Session timeout fire the Session_End in the global.aspx?

A session is considered active as long as requests continue to be made with the same SessionID value. If the time between requests for a particular session exceeds the specified time-out value in minutes, the session is considered expired. Reference

I believe that you are checking if the user is logged in or not in each page (or in masterpage), so as long as the user is not idle and he is using the system, the session will be updated and no worries. If the user was idle for a long time and the session was expired, then it is logical to make him sign in again for security reasons.

Use this on logout:

Session.Remove("sessionname");

I believe you're not explicitly killing the session by calling Abandon method on the session object in Session_End event.

Logging out of the session makes this event fire. And obviously the user must be brought to the login page while trying to navigate between pages.

Using the session to store a validated user's details is quite common. The session times out after a period of inactivity (I believe it's 20 minutes by default but can be changed in web.config.) This is usually desirable because if the user abandons the site (or walks away from their computer) without logging out it will kill (eventually) the session and effectively log them out automatically.

Reading or writing to the session will reset the timeout countdown. So if each web page checks to see if the user is logged in, all they will need to do is view a new page within 20 minutes and they won't be logged out.

If the user logs out (or the session times out) they don't need to close their browser, just go back to the login page and login again. So for each page that should be protected, check if their session exists and is logged in or else redirect them to the login page.

Yes, the session timing out fires the session_end event.
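
The per-page check and the logout step discussed in the answers above, as an added example that is not code from any of the posts. The names `ProtectedPage`, `SessionAuth`, the `"UserLogin"` key and `~/Login.aspx` are assumptions; `ASP.NET_SessionId` is the default session cookie name and differs if `cookieName` is set in `<sessionState>`.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: every protected page inherits from it instead of Page.
public class ProtectedPage : Page
{
    protected const string UserKey = "UserLogin";     // assumed session key
    protected const string LoginUrl = "~/Login.aspx"; // assumed login page

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // After a timeout the server-side state is gone, so the key is missing
        // even though the browser may still send the old session cookie.
        if (Session[UserKey] == null)
        {
            // endResponse: true stops the rest of the page from executing.
            Response.Redirect(LoginUrl, true);
        }
    }
}

// Hypothetical helper called from the logout button handler.
public static class SessionAuth
{
    public static void SignOut(HttpContext context)
    {
        // Session.Remove("key") drops a single value; Clear + Abandon discards
        // the whole session, which also raises Session_End in InProc mode.
        context.Session.Clear();
        context.Session.Abandon();

        // Abandon does not expire the cookie, so the same SessionID would be
        // reused on the next request. Expiring it forces a fresh ID at next login.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.Now.AddDays(-1),
            HttpOnly = true
        };
        context.Response.Cookies.Add(expired);
    }
}

// In Global.asax.cs: runs on timeout or Abandon, but only when
// <sessionState mode="InProc" timeout="20" /> is in use (20 minutes is the default).
// protected void Session_End(object sender, EventArgs e) { /* audit-log the expiry */ }
```

`Session_End` has no `HttpContext` or response available, so it can record the expiry but cannot redirect the user; the redirect has to come from the check on the next request.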
