4

I would like to know the best way to handle and implement session timeouts in MVC. I have set up my app so that it can handle the "RememberMe" when the user authenticates. I also store some variables in Context.Session["myvar"];

I run into a problem when my session has expired but my authentication cookie has not yet expired.

My first thought was to check the session state on action request; but that seems like a lot of code. Is there a good place to check the session state once? What are other ways to handle a session timeout? I would like the user to be redirected to the login page when a session has timed out, or have the session variables reloaded if the user is still logged in.

2 Answers

11

Is there a good place to check the session state once

Sure, a custom Authorize attribute looks like a great place:

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            // the user is not authenticated or the forms authentication
            // cookie has expired
            return false;
        }

        // Now check the session:
        var myvar = httpContext.Session["myvar"];
        if (myvar == null)
        {
            // the session has expired
            return false;
        }

        return true;
    }
}

3 Comments

How would I use the attribute? Do I place it on top of every action?
Yes, you simply replace the [Authorize] attribute that you currently use with the [MyAuthorize] attribute (after obviously finding it a more meaningful name than MyAuthorize :-)).
As an aside, you can place this class anywhere in your project, since C# doesn't care about folders, and just replace the [Authorize] tag with [MyAuthorizeAttribute] as stated above, with an appropriate reference to the namespace.
3

In global.asax.cs you can add a SessionStart handler:

protected void Session_Start(object sender, EventArgs e)
{
    if (this.Context.User != null && this.Context.User.Identity != null
        && this.Context.User.Identity.IsAuthenticated)
    {
        // Got user from authentication cookie (remember me).

        // here you can either re-instantiate user in your application/session
        // so he/she will be logged-in automatically (which is remember me functionality)
        // The username is in this.Context.User.Identity.Name

        // Or redirect user to login page if you need manual login
    }
}

2 Comments

But anything that was stored in session variables will be lost, right?
@Faiz: yes, it will be lost, as this is the start of a new session.
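
The two answers above can be combined into one filter that is registered once instead of being placed on every action. This is an added example, not code from either answer: `SessionAuthorizeAttribute`, `StateLoader` and the `ExpiredFlag` key are hypothetical names, and it assumes ASP.NET MVC 4 or later with forms authentication.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example; SessionAuthorizeAttribute and StateLoader are hypothetical names.
public class SessionAuthorizeAttribute : AuthorizeAttribute
{
    private const string SessionKey = "myvar";   // session key from the question
    private const string ExpiredFlag = "SessionAuthorize.Expired";

    // Optional hook, set once at startup: rebuilds the session value for a user
    // name. Left null, an expired session forces a fresh login instead.
    public static Func<string, object> StateLoader { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))
            return false;                        // no valid authentication cookie
        var session = httpContext.Session;
        if (session != null && session[SessionKey] != null)
            return true;                         // session is still alive

        // The name comes from the validated forms ticket, not from request input.
        var state = (session != null && StateLoader != null)
            ? StateLoader(httpContext.User.Identity.Name) : null;
        if (state != null) { session[SessionKey] = state; return true; }

        // Per-request state goes in Items: attribute instances can be shared.
        httpContext.Items[ExpiredFlag] = true;
        return false;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Session gone but cookie still valid: clear the cookie too, so the
        // authentication state and the session state stay in step.
        if (filterContext.HttpContext.Items.Contains(ExpiredFlag))
            FormsAuthentication.SignOut();
        base.HandleUnauthorizedRequest(filterContext);   // 401 -> login redirect
    }
}

public static class FilterConfig
{
    // Register once; actions that must stay public get [AllowAnonymous].
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new SessionAuthorizeAttribute());
    }
}
```

With the filter registered globally, the login action itself needs `[AllowAnonymous]`, otherwise the redirect to the login page is rejected as well.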
