0

I am using the Session object in my code to store the user login which will be saved to the DB.

I want to make sure about the behavior on session timeout.

If the session times out, what can the user do? I guess browsing to different pages does not restore the session? So the only choice is to close all of the browsers and come back in, and the Session becomes alive again?

I want to know under what conditions Session won't be alive again.

Also, does the Session timeout fire the Session_End in the global.aspx?

4 Answers

2

A session is considered active as long as requests continue to be made with the same SessionID value. If the time between requests for a particular session exceeds the specified time-out value in minutes, the session is considered expired. Reference

I believe that you are checking if the user is logged in or not in each page (or in masterpage), so as long as the user is not idle and he is using the system, the session will be updated and no worries. If the user was idle for a long time and the session was expired, then it is logical to make him sign in again for security reasons.


2 Comments

OK. I'm confused here. I set the timeout to 1 minute for testing. Then in the button click event I check the session; after 1 minute Session is null. However, if the user logs out and comes back again, Session is populated again. Can you explain?
@S Nash The session is populated when the user logs in. I believe what you are describing is the desired effect. User logs in, session populates. After one minute (set timeout) session becomes null. User logs back in session populates.
0

Use this on logout:

Session.Remove("sessionname");


0

I believe you're not explicitly killing the session by calling the Abandon method on the session object in the Session_End event.

Logging out of the session makes this event fire. And obviously the user must be brought to the login page while trying to navigate between pages.


0

Using the session to store a validated user's details is quite common. The session times out after a period of inactivity (I believe it's 20 minutes by default but can be changed in web.config.) This is usually desirable because if the user abandons the site (or walks away from their computer) without logging out it will kill (eventually) the session and effectively log them out automatically.

Reading or writing to the session will reset the timeout countdown. So if each web page checks to see if the user is logged in, all they will need to do is view a new page within 20 minutes and they won't be logged out.

If the user logs out (or the session times out) they don't need to close their browser, just go back to the login page and log in again. So for each page that should be protected, check if their session exists and is logged in or else redirect them to the login page.

Yes the session timing out fires the session_end event.
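
The per-page check, logout and Session_End handling described in the answers above, as an added example that is not code from any of the posters. The names `ProtectedPage`, `SessionAuth`, the `"UserLogin"` key and `~/Login.aspx` are assumptions; `ASP.NET_SessionId` is the default session cookie name.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Assumed base class: every protected page inherits from it instead of Page.
public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // After the timeout the same browser gets an empty session, so the key
        // written at login is gone. Browsing alone never brings it back.
        if (Session["UserLogin"] == null)
        {
            // Redirect(url) ends the response, so no page code runs afterwards.
            Response.Redirect("~/Login.aspx");
        }
    }
}

public static class SessionAuth
{
    // Call only after the credentials were verified; this repopulates the session.
    public static void SignIn(HttpContext ctx, string login)
    {
        ctx.Session["UserLogin"] = login;
    }

    // Explicit logout: drop the data, end the session, and expire the cookie so
    // the next login does not reuse the old SessionID.
    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();
        var expired = new HttpCookie("ASP.NET_SessionId", "") { Expires = DateTime.UtcNow.AddDays(-1) };
        ctx.Response.Cookies.Add(expired);
    }
}

// Code-behind class for Global.asax.
public class Global : HttpApplication
{
    // Raised on timeout or Abandon(), but only when sessionState mode is InProc.
    // No request is active here, so HttpContext.Current is null.
    protected void Session_End(object sender, EventArgs e)
    {
        System.Diagnostics.Trace.WriteLine("Session ended: " + Session.SessionID);
    }
}
```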
