2

I am wondering what is the best (e.g. most efficient, commonly accepted, industry standard) way to deal with the potential expiration of a session when you are regularly using the values stored in it in your code.

For example, I am often using (in C#) lines similar to the following:

Guid personGuid = (Guid)Session[SSPersonGuid];

I am checking in Page_Load whether the values are null and dealing accordingly, but the session might expire while the person is on the page, in which case when they click a button on the page, and we need to use something like the above, there will be a NullReferenceException.

Is the best way to handle this just to check for null before each usage like this:

if (Session[SSPersonGuid] == null) {...}

Or is there some kind of special thing I don't know about?

Peter Ritchie
standgale

2 Answers

1

What is the best (e.g. most efficient, commonly accepted, industry standard) way to deal with the potential expiration of a session?

The best would be that they don't expire by setting up an out-of-process session state server or out-of-process SQL Server.

Also, you may detect it in the Session_OnEnd event.

EDIT:

Something Jeff Atwood says here corresponds with Scott's answer: http://www.codinghorror.com/blog/2008/04/your-session-has-timed-out.html

I am inundated with session timeout messages every day from a variety of sources, but I've never once seen a session expiration message from gmail, for example. Here's what I suggest:

  1. Create a background JavaScript process in the browser that sends regular heartbeats to the server. Regenerate a new cookie with timed expiration, say, every 5 or 10 minutes.

  2. If you're worried about session hijacking -- and you really should be -- use a HTTPS protected connection. This is an absolute no-brainer for financial institutions of any kind.

Community
Jeremy Thompson
  • With StateServer and the SQL Server methods, the session can still time out while they are on the page though, can't it? – standgale Aug 16 '12 at 04:22
  • See my edit. Regarding losing sessions when they are stored out-of-process, it could happen say if the StateServer process gets restarted or the server is rebooted... have personally never seen or experienced an out-of-process session timing out. – Jeremy Thompson Aug 16 '12 at 04:44
  • I am either doing something wrong or don't really understand how it is supposed to work. I tried testing it by setting a timeout of 2 minutes to see if it still timed out and it did after two minutes. From my limited understanding the data (e.g. SSPersonGuid) should still be available then. OR am I supposed to not set a timeout and it never times out. OR is there something else I need to do to get it to switch to StateServer mode (the required service is running, I mean maybe I need to restart something or whatever to get the setting recognised). Thanks by the way. – standgale Aug 17 '12 at 01:37
0

What I see a lot is JavaScript that loads with each page that includes a timer that checks to see if the session is about to expire. If so (say, in 2 minutes), display a popup telling the user the session is going to expire, and ask the user if they want to continue. The script can then make an AJAX call back to the server to keep the session alive.

This won't prevent problems with users that turn off JavaScript, however.

scott.korin
  • How does this work when IIS recycles the w3wp process? How do you know the session will expire if you don't know when IIS is about to recycle the process? I would love to see the code. – Jeremy Thompson Aug 16 '12 at 03:13
  • Under most, but not all circumstances, you can disable recycling. http://stackoverflow.com/questions/3156925/stop-iis-7-5-application-pool-recycling – scott.korin Aug 16 '12 at 03:19
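
The warning-timer approach described in the second answer, as an added example that is not part of the original thread or any poster's code. The `/keepalive` endpoint, the 20-minute idle timeout, the 8-hour absolute cap and all function names are assumptions; the keep-alive is sent only when the user confirms and never extends past the cap, so an unattended tab still times out.

```javascript
// Added example, not from the original thread. Assumed names and values:
// createSessionWatcher, /keepalive, the 20 min idle timeout, the 8 h cap.
function createSessionWatcher({
  idleTimeoutMs = 20 * 60 * 1000,      // must match the server-side session timeout
  warnBeforeMs = 2 * 60 * 1000,        // warn the user 2 minutes before expiry
  maxLifetimeMs = 8 * 60 * 60 * 1000,  // absolute cap that keep-alives cannot extend
  // Hypothetical endpoint: touches Session and returns 401 once the session is gone.
  ping = () => fetch('/keepalive', { method: 'POST', credentials: 'same-origin' }),
  onWarn,                              // called with extend(), or null at the cap
  onExpired,                           // e.g. redirect to the login page
  now = Date.now, setTimer = setTimeout, clearTimer = clearTimeout,
}) {
  const cap = now() + maxLifetimeMs;
  let expiresAt, warnTimer, expireTimer, expired = false;

  function expire() {
    if (expired) return;
    expired = true;
    clearTimer(warnTimer); clearTimer(expireTimer);
    onExpired();
  }

  function schedule() {
    clearTimer(warnTimer); clearTimer(expireTimer);
    // Idle timeout counts from the last server contact, bounded by the cap.
    expiresAt = Math.min(now() + idleTimeoutMs, cap);
    const remaining = expiresAt - now();
    warnTimer = setTimer(() => onWarn(expiresAt < cap ? extend : null),
                         Math.max(0, remaining - warnBeforeMs));
    expireTimer = setTimer(expire, remaining);
  }

  // Called only when the user confirms, so an unattended tab still times out.
  async function extend() {
    if (expired || now() >= expiresAt) { expire(); return false; }
    let res;
    try { res = await ping(); } catch (e) { return false; } // network error: keep deadline
    // A non-OK reply means the server already dropped the session, for example
    // after an app pool recycle with InProc state; no client timer can predict that.
    if (!res.ok) { expire(); return false; }
    schedule();
    return true;
  }

  schedule();
  return { extend, expiresAt: () => expiresAt, stop: () => { clearTimer(warnTimer); clearTimer(expireTimer); } };
}
```

Server-side handlers still need the null check from the question, because the client timer is only an estimate of the server's state.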