2

How can i expire a session when the system sits idle for some time. After completing that time it should be redirected to login page. I need to do this controller side. I am using asp.net mvc3 application.

dove
  • 20,469
  • 14
  • 82
  • 108
Jonathan
  • 1,659
  • 8
  • 34
  • 54
  • 2
    Have you tried setting the `timeout` attribute on the `` node in your web.config? – Darin Dimitrov Dec 12 '12 at 08:55
  • @DarinDimitrov not yet. How can i do that – Jonathan Dec 12 '12 at 09:19
  • Like this: ``. Also checkout the documentation: http://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.100).aspx – Darin Dimitrov Dec 12 '12 at 09:23
  • @DarinDimitrov but that is not working – Jonathan Dec 12 '12 at 09:47
  • 2
    Why is that not working? Could you clarify? The timeout attribute allows you to specify the ASP.NET Session timeout. Make sure you have disabled sliding expiration as well, otherwise it will renew the timeout if a request is made. Also you are talking about ASP.NET FormsAuthentication timeout, then this is a different value you need to configure. Use the `` tag for it. Bare in mind that ASP.NET Session and FormsAuthentication are 2 completely different things. – Darin Dimitrov Dec 12 '12 at 09:55
  • I have defined and in authentication module – Jonathan Dec 14 '12 at 07:56
  • Alright, and what is the problem? – Darin Dimitrov Dec 14 '12 at 08:01
  • There fore in 1 minute session should be null and it should be redirected but it is not redirecting – Jonathan Dec 14 '12 at 08:05
  • Basically what i need is when the user left the website for some time after that when he wants to do the work then it should be redirected. How can i do that – Jonathan Dec 14 '12 at 08:06
  • 1
    Are your controller actions decorated with the `Authorize` attribute? Also make sure you have disabled slidingExpiration by setting it to false. Otherwise if you have some script which is sending requests the session tokens will be renewed. – Darin Dimitrov Dec 14 '12 at 08:08
  • I have defined it for Index method. Where should we set slidingExpiration to false – Jonathan Dec 14 '12 at 08:10
  • I have set the slidingExpiration to false and define the authorize keyword. Am i defining the url path wrong – Jonathan Dec 14 '12 at 08:25
  • It is working. But the session time takes place only when the user sits idle. It is working even when the user works on the page – Jonathan Dec 14 '12 at 09:27
  • That's because you need to set `slidingExpiration="false"`. – Darin Dimitrov Dec 14 '12 at 09:48
  • ok thanks then what should i do to only expire a session when it is idle. – Jonathan Dec 14 '12 at 09:51
  • 1
    *idle session* means no HTTP requests are sent to the server for a certain period. If this is the case then it doesn't really matter what value you are giving to the `slidingExpiration` property. The session will automatically expire after the period of inactivity. – Darin Dimitrov Dec 14 '12 at 10:07
  • Yah got it After setting the slidingExpiration to false it is working. And is there any other methods without authorize to do the same functionality – Jonathan Dec 14 '12 at 10:09
  • I don't understand your question. – Darin Dimitrov Dec 14 '12 at 10:14
  • We are defining [Authorize] keyword for Index action. With out doing that can we implement the sessionTimeOut. And can we intimate the user about session Expiration before expiring – Jonathan Dec 14 '12 at 10:18
  • Why don't you want to use the [Authorize] attribute? That's exactly what it is meant for - protect controller actions from unauthorized access. Of course you could always write a custom authorization filter. – Darin Dimitrov Dec 14 '12 at 10:32
  • @DarinDimitrov Thankyou one last question can we implement pop up to show that session is expiring – Jonathan Dec 14 '12 at 10:46
  • When do you want to show this popup before the session expires or after? Also do you want this popup to be shown as a consequence to a user action or automatically? – Darin Dimitrov Dec 14 '12 at 10:47
  • yes i want to show this consequence before session expires – Jonathan Dec 14 '12 at 11:32
  • @DarinDimitrov can you tell me the procedure for pop up – Jonathan Dec 15 '12 at 10:11
  • @DarinDimitrov The code is only working for main pages. It is not implementing for partial pages – Jonathan Dec 17 '12 at 09:06

1 Answers1

1

The session will expire on the server when it times out.

If you want the browser to redirect at the same time you'd have to have a counter on the client, in JavaScript, which on 0 would do a redirect to your login page.

The controller cannot force the redirect of a browser without some action from the client. You could also look at having some kind of persistant connection like SignalR but that might be more than you need.

Another solution would be to have a refresh header like in this answer

ASP.NET Push Redirect on Session Timeout

Community
  • 1
  • 1
dove
  • 20,469
  • 14
  • 82
  • 108