C# – Session_End in Global.asax.cs not firing using forms authentication

asp.netcforms-authenticationsession-timeout

I have an asp.net 4.0 application that is using forms authentication set to a timeout at 45 minutes. I would like to redirect the user to a timeout page when the session has expired. Can anyone tell me how to do this? I am running .net 4.0.

web.config has:

<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="~/Login.aspx"
    defaultUrl="~/Default.aspx" protection="All" timeout="45"
    requireSSL="false">
  </forms>
</authentication>

Global.asax.cs file has:

void Session_End(object sender, EventArgs e)
{
    Response.Redirect("~/Timeout.aspx");
}

Best Answer

It's not possible to do a redirect in the Session_End method. It's not running as a result of a request, so it doesn't have a Response object and there is no response to redirect anywhere.

It's not possible to do anything in the browser as a result of the session expiring. The HTTP protocol is request oriented, so there is no way to push a message from the server to the browser without the browser asking for it.

The browser just can't find out if the session has expired or not. If you would poll the server to check if the session has expired, it would keep the session alive, defeating the purpose of the timeout.

You can make a redirect after 45 minutes using just client script:

window.setTimeout(function() {
  window.location.href = '/Timeout.aspx';
}, 1000*45*60);

However, this will make the redirect only based on the time since this browser window last contacted the server. If you have more than one browser window for the same session, it's possible that the session has actually not timed out.

Related Solutions

R – expiration date in newly created authentication ticket (asp.net forms auth)

this is pretty confusing but it looks like i have to set both the "timeout" and "slidingExpiration" in my web.config under the authentication/forms section to get the RememberMe part to work correctly

i have it set like so and everything is working as expected

slidingExpiration="true" timeout="5120"

rick strahl's blog helped me find the answer http://www.west-wind.com/WebLog/posts/157861.aspx

R – Detecting forms authentication timeout in login page

Forms authentication will automatically append a URL parameter 'ReturnURL', indicating what page (if any) triggered the redirection to the login page. Most websites have a 'Default.aspx' or 'index.html' etc as the default page. You can check the ReturnURL to see if it contains the default page, or some other page in your application.

EXAMPLE:

string refererURL;
if (page.Request.QueryString["ReturnURL"] != null)
{
    refererURL = page.Request.QueryString["ReturnURL"].ToString();
}

//Check to see if user was redirected because of Timeout or initial login
//Where "Default.aspx" is the default page for your application
if (refererURL != "" && refererURL != (ResolveUrl("~") + "Default.aspx"))
{
    //Show HTML etc showing session timeout message 
}
else // User redirected here to to initial login
{
    //Show HTML showing initial login HTML message etc
}

Best Answer

Related Solutions

R – expiration date in newly created authentication ticket (asp.net forms auth)

R – Detecting forms authentication timeout in login page

Related Topic