Session Time out if browser is idle for 5 minutes

AnuSumesh
Hi All,

We are developing a web application in ASP.NET using C#. We are using IIS 7.0 and Windows Vista for development.
I am using Windows authentication and the "Local System" identity.
I want that if the user is not accessing the site for 5 minutes (meaning the browser is idle for 5 minutes), then after 5 minutes, when the user clicks on any link, his session should be expired and he has to provide login credentials again.

I have tried using
<sessionState cookieless="False" mode="InProc" timeout="5" />

in the web.config file but it's not working.

Please help me with this issue.

Thanks
Anu
May 5 '08 #1
Plater
7,872 Expert 4TB
Hmm, have you tried going to the IIS config and changing the value there?

Also, do you validate the Session on every page load?
May 5 '08 #2
Hi

Thanks for the reply.

No, I don't know much about ASPX and .NET. How do I validate the session?

Regards
Anu


May 6 '08 #3
Plater
7,872 Expert 4TB
Well I mean, you want the session to time out, so you must be doing something with the Session object? Like holding onto a login name or something.
If you check to make sure the user is "logged in" at every page, when the session times out and gets cleared, the user will no longer be "logged in" and you should be able to detect that.
May 6 '08 #4
Frinavale
9,735 Expert Mod 8TB
There's no reason to believe that the session hasn't timed out.
In your PageLoad you should be checking if the user has been logged out or not.

I'm assuming that when the user logs into your website a session variable is created for that user to indicate that they are logged in. When your session times out this variable will no longer be accessible...therefore in your PageLoad code you should check if this variable is null or nothing and if so redirect the user to the login page. This will prevent the button or link from being executed.

-Frinny
May 6 '08 #5
Thanks for the reply.

I am doing the same as you told me, but I am facing some problems:
If the user tries to access any other page directly, then he is redirected to the default page (we are using basic authentication).
I am using the following code in the Page_Load method of the master page:
    string username = "";
    if (Session["Username"] != null)
        username = Session["Username"].ToString();

    if (username == "")
    {
        string url = Application["URL"].ToString();
        Response.Redirect(url);
    }
    if (Context.Session.IsNewSession)
    {
        if (Session["Username"] == null)
        {
            System.Web.HttpContext.Current.Response.Redirect("~/admin/logoff.aspx");
            Session.Abandon();
        }
    }
    else
    {
        //load page
    }

Here one problem is that when I close the window, open a new window, and try to access any page directly, the user is redirected to the logoff page rather than to the default page.

If I try to access a page directly for the first time, it is redirected to the default page, but not after accessing the site regularly.

Session["username"] is set in the default page.

One more issue is:
I am using a global.asax file and its code is as follows:
Session_Start() is called every time I click on any link on my site.

Can you please help me?

Regards
Anu


May 7 '08 #6
Frinavale
9,735 Expert Mod 8TB
First of all, you are specifically linking them to the Log Out page in your redirect.
Why are you doing this? If their session doesn't exist then they are logged out, are they not? Shouldn't you redirect them to your Log In page instead?
You should consider putting any log-out clean up in your Session_End event instead of redirecting your user to the Log Out Page.

I'm really not sure why Session_Start is called every time you click on a button in your site....unless you are not storing anything in session and then you are trying to access it to tell if the user is logged in.

Please post your code for your Log In Button Click so that I can see what you are doing.


-Frinny
May 7 '08 #7
Hi,

I am very grateful to you for responding to my questions.
I have a lot of queries as I am new to .NET.

1.
I am not using any login form. I am using basic authentication, which by default asks for username and password. After authentication the user is redirected to the default.aspx page, and in that Page_Load I am setting
session["username"]=loginusername.
And this is the reason for using the logoff.aspx page.

The code for the global.asax file is:

<%@ Application Language="C#" %>
<script runat="server">
    void Application_Start(object sender, EventArgs e)
    {
        // Code that runs on application startup
    }

    void Application_End(object sender, EventArgs e)
    {
        // Code that runs on application shutdown
        Application["URL"] = null;
        Application.RemoveAll();
        Application.Clear();
    }

    void Application_Error(object sender, EventArgs e)
    {
        // Code that runs when an unhandled error occurs
    }

    void Session_Start(object sender, EventArgs e)
    {
        Application.Lock();

        string url = "";
        //code to form the url
        Application["URL"] = url;

        Application.UnLock();
    }

    void Session_End(object sender, EventArgs e)
    {
        Session.Clear();
        Session.RemoveAll();
        Request.Cookies.Clear();
        Request.Headers.Clear();
        Session.Abandon();
    }
</script>

code for default.aspx.cs page is:

    protected void Page_Load(object sender, EventArgs e)
    {
        string UserName = User.Identity.Name; //Request.LogonUserIdentity.Name;
        Session["Username"] = UserName;
        Response.Redirect("items.aspx?nid=Start");
    }

And the code that I sent you earlier is for the master page.
When the session expires, Session_End is not getting called at all.
So I am using Session.Abandon() in the logoff.aspx page.

2. I am using basic authentication, so whenever I open the site in the same browser after logoff, it does not ask for the login user and password. It opens the site directly.
Is there a solution for this also?

3. I am providing a facility for the user to change the server date and time and also to shut down/restart the server through the web UI.
When I tested my code locally via ASP development, it worked fine. But after deploying the web app, when I access the site via https://webapp, it throws the exception "Privilege not held".
I have even enabled privileges for the user.
The deployment scenario is:
Basic authentication, and the identity is "LocalSystem".
Any help with this issue?

Thanks a lot.
Regards,
Anu


May 8 '08 #8
Frinavale
9,735 Expert Mod 8TB
First of all, I'm pretty sure that using Basic Authentication doesn't allow you to log off the user. The only way to "log off" a user is through using Forms Authentication.

Secondly, if I were you, I would consider creating a Log In page that redirects the user to the default page so that you have a clean starting point to your application (so that you don't redirect them to a log off page...I'm still not sure what this log off page does).


The Session_End event is only accessed if your session contains something. If there's nothing in Session this event is not called.

If you don't think that your Session_End is being called (after 5 minutes), then consider outputting a timestamp record to a text file whenever this event is fired to see....Better yet, write a timestamp record to the text file in your Session_Start and your Session_End, then leave for 6 minutes and check this file...

Why are you even storing the User Name in session? You should be able to access the User.Identity.Name property at all times anyways, so there should be no need to store this information.

It feels like you're mixing 2 Authentication methods (Forms and Windows). I would suggest sticking to one form of authentication.

Allowing a web user to shut down the server, or change the server's Date/Time, is not a good idea. You are probably getting this error because web applications have a Low Trust level, meaning that through these applications you will not be able to do things like shut down or change the date on the server. The DEV server that comes with Visual Studio lets you do things that a real IIS server would never let you do. In order to get this to work on your IIS you will have to give the web application a higher trust level...which is not advisable because you should never trust your web users this much. This could create a huge security hole in your software.

I have no idea how to Log Off a user if you are using Basic Authentication.
I would recommend switching to Forms Authentication if you would like to log off your user.

I would also recommend creating another application (a desktop application that will be run on the server) that allows the system administrator of your web server to perform maintenance on your application and your server. I strongly recommend against letting a user from the web do this.

-Frinny
May 8 '08 #9
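
The two suggestions above (check the session on every page load, and log a timestamp in Session_Start and Session_End) can be combined as follows. This is an added example, not code posted by anyone in the thread; it assumes mode="InProc" with the default ASP.NET_SessionId cookie name, and the log path, the SessionExpired.aspx page and the TimeoutAwarePage class name are hypothetical.

```csharp
// Added example: assumes InProc session state and the default
// "ASP.NET_SessionId" cookie name.
using System;
using System.IO;
using System.Web;
using System.Web.Hosting;

// Code-behind for Global.asax
public class Global : HttpApplication
{
    private static readonly object LogLock = new object();

    // Hypothetical log location; the worker process identity needs write access.
    private static void Log(string evt, string sessionId)
    {
        string path = HostingEnvironment.MapPath("~/App_Data/session.log");
        lock (LogLock)
        {
            File.AppendAllText(path,
                DateTime.UtcNow.ToString("o") + " " + evt + " " + sessionId
                + Environment.NewLine);
        }
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        // Storing a value makes ASP.NET keep this session ID. While the
        // session is empty, a new ID is issued on every request and
        // Session_Start fires each time.
        Session["StartedUtc"] = DateTime.UtcNow;
        Log("start", Session.SessionID);
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Raised only for mode="InProc". There is no current request here,
        // so only the Session object is touched.
        Log("end", Session.SessionID);
    }
}

// Base class for protected pages (the same check also fits in the
// master page's Page_Load).
public class TimeoutAwarePage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        // A brand-new session combined with a session cookie sent by the
        // browser means the previous session expired (or was lost), as
        // opposed to a first visit, where no cookie is sent.
        if (Session.IsNewSession && BrowserSentSessionCookie())
        {
            // The default overload ends the response, so control event
            // handlers (button clicks) do not run for this request.
            Response.Redirect("~/SessionExpired.aspx");
        }
        base.OnLoad(e);
    }

    private bool BrowserSentSessionCookie()
    {
        string cookieHeader = Request.Headers["Cookie"];
        return cookieHeader != null
            && cookieHeader.IndexOf("ASP.NET_SessionId",
                   StringComparison.OrdinalIgnoreCase) >= 0;
    }
}
```

Under Basic authentication the browser keeps sending its cached credentials, so this detects the idle timeout but does not by itself make the browser ask for the password again.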
Thanks for the reply.
1. I will try using Form Authentication if required.

2. We are preparing a web application for system management/maintenance, which is required to provide the facility to change the date/time and shut down the system. I have already given the Full (internal) trust level in IIS->webApp->.net trust Levels. But it is still giving the error "A required Privilege is not held by the client". What can be the problem? In any case I have to solve this issue, because this is our main requirement.

Thanks 'n' Regards,
Anu


May 9 '08 #10
Frinavale
9,735 Expert Mod 8TB
You won't be able to do system shutdowns or date/time changing with Forms Authentication alone. You'll have to use impersonation for those functions if you do switch to Forms Authentication. Basic Authentication uses Windows user accounts and will probably end up being easier to do in your case.

I'm not sure why you are getting the "required privilege is not held by the client"... are you sure that the user logging in has permissions to change the date/time or shut down?

It still feels like it's the application itself that is missing the permissions/trust.

-Frinny
May 9 '08 #11
Hi,

I am trying to implement a new idea as follows (with Basic Authentication).

In the master page I am coding:
if (!Page.IsPostBack)
    Response.AppendHeader("Refresh", ((Session.Timeout)*60 + 5).ToString() + "; Url=logoff.aspx");

The URL for logoff.aspx is https://abc.com/admin/logoff.aspx.
What path do I have to give in Url="" to redirect from the current path, where the current path is https://abc.com/admin/maintenance/sss.aspx?

In logoff.aspx.cs: Session.Abandon();
and providing a link to go to the starting URL, i.e. https://abc.com.

But now I have a problem: after the logoff page, when the user clicks on the link, he is directly logged in to the site without authenticating.

Is there any way to clear the basic auth info from the browser side?

Or I can close the browser after showing the logoff page. For that I have tried the following JavaScript code:

window.open('','_parent',''); window.close();
This code is working for IE but not for Firefox 2.0 and above.

Can you please help me with this issue?

Thanks
Anu



May 12 '08 #12
Frinavale
9,735 Expert Mod 8TB
That's what I was saying. There is no way to log out the user when you use Basic Authentication.
May 12 '08 #13
Hello,

I'm not sure but I think that:

1. If you are using Form Authentication then you should grant access rights to the ASP.NET request identity. ASP.NET has a base process identity typically Network Service.

2. If you are using local user identity then you should use impersonation as an authentication mode.

More about ASP.NET authorization can be found here:
http://www.easyalgo.com/KnowledgeBase/... . Links to Microsoft's KB are at the bottom of the page.

3. If you are running your application in DEBUG mode then the Session End event may not be raised, because in DEBUG mode many parameters of the web configuration, such as sessionTimeout and executionTimeout, are disabled.
May 13 '08 #14
