Fog Creek Software
Discussion Board

Joel on Software

Gracefully handle expired session state

This is probably a silly question but here goes....

I'm trying to detect when a user's session has expired (either due to inactivity or by the user clicking a logout button which abandons the session). This is what I have so far.

    If Not context.Session Is Nothing Then
      'New session: either a first visit or the previous session is gone
      If context.Session.IsNewSession Then
        'Raw Cookie request header; Nothing if the browser sent no cookies
        Dim sessionCookieHeader As String = Request.Headers("cookie")
        'AndAlso short-circuits, so IndexOf is never called on Nothing
        If (Not sessionCookieHeader Is Nothing) AndAlso (sessionCookieHeader.IndexOf("ASP.NET_SessionId") >= 0) Then
          'ASP.NET_SessionId exists
          'Clear the headers, so that a clean Request collection is used for the next login
          Response.Redirect(AppSettings("logOutURL") & "&Logut=session")
        End If
      End If
    End If

The only problem is that the headers are not cleared and so the user must log in twice every time subsequent to their initial login. Any ideas?


Monday, February 7, 2005

What is your goal here? What do you want to do when the session expires, and do you want to do it when the current session expires or when the next one starts?

You do know when the user hits the log out button, so you don't need tricky code to catch this.

If you want to login just once, why not save something in the session state. The presence of it means the user has logged on, the absence means not.

If you are doing ASP.NET, you will find Forms Authentication to be helpful.

Thomas Eyde
Monday, February 7, 2005

My goal is, for each page request to capture if the user's session is valid, and if not redirect them to a page which states something along the lines of ("Your session is no longer valid"). 

You are right, Thomas, I don't need any fancy code to capture the logout, and I am able to handle that quite easily. However, for those instances in which the user lets the session expire I am at a loss. I have tried, as you suggested, to set a session variable and test its presence later. I created a session variable in session_start in the global.asax and that session never seems to timeout. I also tried to set the session in my default page and then detect the session variable's presence in subsequent pages, but that didn't work either.

Am I missing something? Actually I know I am :)

Tuesday, February 8, 2005

Put your session initialization code into the "Session_Start" event handler of the global.asax code behind file. The event only gets fired when new sessions get created.

Brian Chiasson
Tuesday, February 8, 2005

Thomas is right about Forms Authentication. It will handle when someone is not authenticated and redirect them accordingly.

Brian Chiasson
Tuesday, February 8, 2005

Thanks guys, 

I ended up just redirecting if the session.isNewSession property() is true on the inner pages, and for the default page I just check the session.IsNewSession property in the event handlers. Has anyone else done this?
I couldn't use Forms Authentication for this app for a few other reasons (long story).

Thanks again!

Tuesday, February 8, 2005


I am having the same issue with redirecting when session expires. 
Do you check for new session in the global.asax file? I tried to write this code in global.asax in the session_start event - but it redirects immediately because it fires when the application and a new session start. In other words, instead of going to a main page, it redirects.

Wednesday, March 2, 2005
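
An added example, not code from any poster in this thread: one way to run the IsNewSession check discussed above from a base class for the inner pages instead of from Session_Start, expiring the stale session cookie before redirecting so the next request does not present it again. The class name `SessionCheckedPage`, the `~/SessionExpired.aspx` URL and the use of the default cookie name are assumptions.

```vbnet
Imports System
Imports System.Web
Imports System.Web.UI

' Hypothetical base class for the inner pages. The default (landing) page and
' the login page do not inherit from it, so a first visit is never redirected.
Public Class SessionCheckedPage
    Inherits Page

    ' Default ASP.NET session cookie name (assumed not to be overridden in config).
    Private Const SessionCookieName As String = "ASP.NET_SessionId"
    ' Assumed location of the "Your session is no longer valid" page.
    Private Const ExpiredUrl As String = "~/SessionExpired.aspx"

    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        MyBase.OnInit(e)

        ' Session state disabled, or an existing live session: nothing to do.
        If Context.Session Is Nothing OrElse Not Context.Session.IsNewSession Then
            Return
        End If

        ' Request.Cookies returns Nothing when the browser did not send the
        ' cookie, which means a first visit rather than an expired session.
        Dim sent As HttpCookie = Request.Cookies(SessionCookieName)
        If sent Is Nothing Then
            Return
        End If

        ' New session plus a session cookie from the browser: the cookie refers
        ' to a session that timed out or was abandoned. Expire it in the
        ' response so the browser stops sending the stale ID.
        Dim expired As New HttpCookie(SessionCookieName, String.Empty)
        expired.Expires = DateTime.UtcNow.AddYears(-1)
        Response.Cookies.Add(expired)

        ' The Set-Cookie header above travels with the 302 response.
        Response.Redirect(ResolveUrl(ExpiredUrl), True)
    End Sub
End Class
```
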
