0

Here is my sessionState config in web.config file:

<sessionState 
    timeout="20" 
    mode="Custom" 
    customProvider="DynamoDBSessionStoreProvider">
</sessionState>

The session times out after 20 minutes and it redirects to the login page even if the user is actively using the application. I want the timeout to happen but also want the user to continue using the application without redirecting to the login page. I did a lot of digging but couldn't find a way to reset the timeout whenever if the user is actively using the application. I know one easy way is to increase the timeout but that option is not acceptable for security reasons. I couldn't find any alternative to achieve this. I would appreciate any sort of help on this. Thanks in advance.

Coding_ninja
  • 121
  • 7
  • Check the following: https://stackoverflow.com/questions/648992/session-timeout-in-asp-net – Jamal May 28 '23 at 05:29

1 Answers1

1

Prevent Redirect to Login Page when Session Times Out [ASP.NET]

  1. In the global.asax file, add the following code to the Session_Start event handler:
protected void Session_Start()
{
    int sessionTimeoutMinutes = 20; // Set the desired timeout value in minutes
    Session.Timeout = sessionTimeoutMinutes;

    Session["LastActivityTime"] = DateTime.Now;
}
  1. In your application's JavaScript file or <script> tag, add the following code to handle user interactions and update the session's last activity time:
$(document).ready(function() {
    $(document).on('mousemove keydown scroll', function() {
        updateSessionLastActivityTime();
    });

    function updateSessionLastActivityTime() {
        $.ajax({
            url: '/Session/UpdateLastActivityTime',
            type: 'POST',
            success: function(response) {
                // Handle the response if needed
            }
        });
    }

    startSessionTimeoutCountdown();
});

function startSessionTimeoutCountdown() {
    var sessionTimeoutMinutes = @(Session.Timeout);
    var sessionTimeoutMilliseconds = sessionTimeoutMinutes * 60 * 1000;

    setTimeout(function() {
        window.location.href = '/TimeoutPage';
    }, sessionTimeoutMilliseconds);
}
  1. Create a server-side action to handle the AJAX request and update the session's last activity time:
[HttpPost]
public ActionResult UpdateLastActivityTime()
{
    Session["LastActivityTime"] = DateTime.Now;
    return Json(new { success = true });
}

You can handle session timeout without using an AJAX request by configuring it in the web.config file.

  1. Open the web.config file of your ASP.NET application.
  2. Locate the <system.web> section.
  3. Add or modify the following session-related settings:
 <system.web>
  <sessionState timeout="20" />
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" timeout="20" slidingExpiration="true" />
  </authentication>
</system.web>

Hope it's Help !!

Dhiren Patel
  • 630
  • 8
  • 16
  • Hi, thanks for the answer but is there a way this can be handled in webconfig file itself? I mean without an ajax request? – Coding_ninja May 29 '23 at 06:56
  • Hello @Coding_ninja. I edit the answer above. Please check. – Dhiren Patel May 29 '23 at 07:18
  • in my sessionState I don't have forms authentication mode. Can you please tell if I can use it? and what impact does it have? – Coding_ninja May 29 '23 at 09:19
  • If you don't have forms authentication mode in your sessionState, then you cannot use it to prevent the redirect to the login page when session times out. Forms authentication mode is used to authenticate users and manage their sessions. To prevent the redirect to the login page when session times out, you need to implement custom code in your system that detects if the session has timed out, and then redirects the user to a custom error page instead of the login page. One way to do this is to use the Session_End event in the Global.asax file to set a flag that indicates the session hasend – Dhiren Patel May 29 '23 at 10:22
  • Can you please help me with session_end method? I want the user to keep using the application when the session times out. He should not be redirected anywhere – Coding_ninja May 29 '23 at 10:29
  • In ASP.NET, the Session_End event is not suitable for detecting user activity and resetting the session timeout. It is fired by the server when a session expires or is abandoned, but it does not reliably capture user activity. – Dhiren Patel May 29 '23 at 10:57
  • Oh! Is there any other way to refresh the timeout whenever user interacts with the application? So that timeout doesn't happen – Coding_ninja May 29 '23 at 11:00
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/253874/discussion-between-coding-ninja-and-dhiren-patel). – Coding_ninja May 29 '23 at 11:14