Database Search Solution
(New Version) Search Control
Free ASP.NET Controls
ASP.NET Media Player Control
Flash Video Player Control
ASP.NET Telecommute Jobs
Free IP Location Lookup
Test .Net Regular Expressions
CSS/Table/DIV Page Layouts
Article Sites Master List
.NET Windows Forms
General .NET Framework
Accepting Credit Cards
How to find if ASP.NET session is expired
Session data should persist during single visit. The problem in ASP.NET is that we don't know exactly when certain visit ends. HTTP is known as stateless protocol, which means that we can't know for sure if request comes from new or existing visitor. We can't know is visitor closed its browser or just minimized it while is doing something else. To simulate maintaining of state in stateless protocol, ASP.NET writes session cookie on client's machine. Session cookie contains unique identification key, named session id. So, that session id, in form of plain string, is only thing that ASP.NET application uses to "recognize" the visitor.
Because ASP.NET has no idea when visitor closes its web browser, it uses Session.Timeout property to decide, or better say guess, when visit will finish. If visitor doesn't make new request during time longer than Session.Timeout (it is 20 minutes by default), session will be deleted. When that happens, we say that session is expired. This sounds good in theory, but in real world someone could close a browser after a minute. In that case keeping session is useless. Some other visitor could go to lunch break or take a long phone call and later try to continue "visit". For both cases, ASP.NET will react on same way. It will delete session after 20 minutes of inactivity.
The problem could occur if visitor is in the middle of long task, like filling of long order form or reading license agreement before placing an order for your product. Session expiration could cause that he or she must start from the beginning which could be very frustrating. More about how to solve problems like these and how to artificially keep session alive you can find in How To Keep ASP.NET Session Alive tutorial.
In the other hand, session expiration has its use in highly secure applications, like online banking systems. Applications that work with money transactions often have very short session timeout (5 minutes or even less). Of course, this is also annoying for users but bankers probably think that is much worse if someone spend all money from your account because you forget to log out.
Session.IsNewSession property tells us if session is created during current request or not. If value is true, it is a new session. If value is false, it is existing active session created before.
But, there are two types of "new" sessions. First is new session created when new visitor comes to website. Second type is session which is created because previous session expired. If visitor is not made any request longer than specified in Session.TimeOut property (20 minutes by default), session will expire. But, IsNewSession property can't distinct these two cases.
The same worth for checking value of some session variable. You can try to place some value in session variable and check it later to see if variable is empty. Something like this:
[ C# ]
if(Session["UserID"] == null)
[ VB.NET ]
If Session("UserID") Is Nothing Then
As you see, like IsNewSession property, this code can't say is it new visitor with fresh session, or existing visitor with expired session. It can tell us only if session collection is already existing, but can't say is it expired or not.
How to check if session is expired using ASP.NET code
We'll define expired session as situation when Session.IsNewSession is true (it is a new session), but session cookie already exists on visitor's computer from previous session. Here is a procedure that returns true if session is expired and returns false if not.
[ C# ]
public static bool IsSessionExpired()
[ VB.NET ]
Public Shared Function IsSessionExpired() As Boolean
You can place this function on page if you need it in single file. If you need it on every page of website, consider placing function in separate class and then save class in App_Code folder, so you can call it from any place.
Another option is to create base page class with this function included, and then inherit all pages from that base page. Sometimes this could be complex if you have existing website with large number of pages. One more option is to use master page.
If IsSessionExpired() function returns true, you can do appropriate action, like show a message in label control which informs user that session is expired, redirect user to some SessionExpired.aspx page etc.
Check if session is expired using Global.asax file
Another option to check if session is expired is by using Session_Start event in Global.asax file. When Session_Start procedure executes, that already means that new session is created. So we don't need to check IsNewSession value like in previous example. Here, we need only second condition i.e. to see if session cookie exists.
Code in Global.asax that checks if session is expired could look like this:
[ C# ]
void Session_Start(object sender, EventArgs e)
[ VB.NET ]
Protected Sub Session_Start(ByVal sender As Object, ByVal e As System.EventArgs)
As you see, using of Global.asax requires less code than first example. Also, it is a lot of faster and easier to write this short code to Global.asax, than to implement base page or master pages on website. If your website has a lot of pages, and you don't use master page already, it could be huge task to relate master page to each .aspx page, or even worse to inherit all pages from newly created base page.
In the other hand, if you need to check if session is expired only on few pages, not in complete website, then is justified to use master page or even create base page.
Using Session_End event to know when session expires
Logical question is why not use Session_End event to know when session expires. This event theoretically fires when session expires. Then why previous example uses Session_Start? The main problem with Session_End is that you can't use HttpContext.Current inside of this procedure. That means that you can't redirect visitor to Your-Session-Is-Expired.aspx page or do anything else to inform visitor that session is expired. Since session is expired, in Session_End you don't have possibility of any communication with visitor. That narrows options and possible uses of this method.
In addition to this, Session_End event will work only if default InProc mode is used. Session_End will not work if sessions are stored on SQL Server, State Server or if custom session provider is used. In SQLServer, StateServer and Custom modes, you can use only Session_Start and Session_End is simply not fired. More about different session state modes you can read in ASP.NET Session State Modes Explained tutorial.
One possible options where you can use Session_End is to do tasks that not affect visitor's browser, like execute some internal code or SQL stored procedure to analyze data or clean up when session expires etc.
How to automatically redirect visitor after session is expired
In previous examples, session expiration check comes when visitor makes new request. Instead of waiting for that new request, you can redirect visitor automatically immediately after session is expired. In this case, you don't wait until visitor does any action. Browser will automatically load Your-Session-Is-Expired.aspx page after session timeout. This could be useful because of security reasons where data are highly sensitive, like in online banking application. If you accidentally forget to log out from application, session will expire. By using automatic redirection, someone else will not see your data, but only "session expired" screen.
<meta http-equiv="refresh" content="21;url=/Your-Session-Is-Expired.aspx" />
In this case, meta refresh time is hard coded. More flexible version with server side code would be:
[ C# ]
[ VB.NET ]
Response.AppendHeader("Refresh", """" _
This code will dynamically read Session.Timeout value and write correct meta refresh tag to redirect visitor when its session is expired.
Session expiration is useful process that saves server's resources and helps avoid possible security problems. In some cases, for example if user needs to fill long form, survey etc., we want to keep session alive. There is an option to increase session timeout, but on that way server will keep all sessions, including sessions of inactive users who closed their browsers. Much scalable way is to use client side code, so only users with opened browsers will have live sessions. More about how to keep sessions alive you can find in How To Keep ASP.NET Session Alive tutorial.
Also, sessions are not answer in every scenario, especially if you need to maintain state during multiple visits. More about different options you can use when sessions are not good enough, read in ASP.NET Session State Alternatives tutorial.
comments powered by Disqus