Printable View
I have set timeout for my asp.net application to 5 minutes, like web.config below:
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
cookieless="false"
timeout="5"
my question is how to automatically redirect to login page (login.aspx) it timeout exceeded.. please advise ..
many thanks in advance
Regards
Teddy
You could do something like this:
VB Code:
Thanks for your prompt reply, but what I don't understand is where should I set the first value of "someSessionVarName"? .. sorry I am very new with this . .please advise
Regards
Winanjaya
Well what are you storing in your Session variable?
let's say my session variable name is "MyVar" .. how ? please advise .. and TIA
regards
Winanjaya
Well then in the Page_Load() event of pages, or in one of the events in your global.asax file, you could use:
After the Session has expired, the MyVar session variable for that particular user will be lost and will evaluate to vbNullString.Code:If IsNothing(Session("MyVar")) Then
Response.Redirect("someUrl.aspx")
End If
But I think I should set the initial value of that variable, is it right? if yes .. where should I set that initial value? .. TIA
Regards
Winanjaya
Well you can set it in a Page_Load() event, or in some part of the global.asax file, or in some entry point to the site, e.g. a login page.
It depends on what you want to store there.
I tried it already .. for example: I put session("Login")=1 at the page_load of login.aspx .. and also I put below codes on other.aspx:
If IsNothing(Session("Login")) Then
Response.Redirect("login.aspx")
End If
but why it still not working, I meant it is not automatically back to login.aspx when timeout exceeded ..
Regards
Winanjaya
Why don't you try this.
One page1.aspx, put in this code:
Then on page2.aspx, put this in:Code:Session("x") = "y"
Keep refreshing page2, and see if it displays the correct data. Try refreshing over the course of 5 minutes...Code:Response.Write("Session(x) = " & Session("x"))
I guess you need to put the refresh header on all your pages once the person logs in.
so i beileve it would be something like this:
in your Login.aspx you would have :
VB Code:
and then in all other pages you would add this code
VB Code:
guess you need to put the refresh header on all your pages once the person logs in.
so i beileve it would be something like this:
in your Login.aspx you would have :
and then in all other pages you would add this codeCode:Session("Login") = "1"
[code]
If session("Login") = "1" then
Response.AddHeader "Refresh",CStr(CInt(DateAdd("s",Now + (5 * 60))) ' where 5 minutes if your session time.
'Please check the exact syntax for DateAdd and AddHeader, becoz i am typing it right here and not using Studio. :)
End if
'heres an alternative
Code:If session("Login") = "1" then
response.Write "<meta http-equiv="refresh" content="300;Login.aspx" />"
End If
First off, you mentioned a login.aspx, so you are obviously requiring users to log in to your application.
Authentication is entirely seperate from session. An authentication is passed along in a cookie (or even a url id for cookieless), so even if a session expires, the person can still be authenticated.
So..
1) What type of authentication are you using?
2) Are you using persistent cookies?
3) Are you using sliding session expiration?
Some Notes:
the best place to check for session or authentication of a request is in the global asax request_state sub.
Out-of-state session where you store session objects in SQL or another process do not signify an end of a session, therefore, the session_End event in the global asax never fires.
Can you redirect from the Session_End method? I have this, and although I see the debug statement, nothing gets redirected,
Code:protected void Session_End(Object sender, EventArgs e)
{
Debug.WriteLine("Session timeout.");
Response.Redirect("SessionTimeout.aspx");
}
Are you using inprocess state? (its the default, but if using sql server or other state containing medium, it will never fire)
If you are using inprocess, are you sure you declared the delegate to that event handler?
Other than that, it should work as expected. Note, that it may not fire until the next request from that session (i haven't work with inprocess much, so i'm unsure exactly when it will fire)
Yes, I have mode="InProc" in the web.config. I have not declared any delegate to that event handler, guess I haven't read that. However, that method is executing, as verified by the debug I see getting printed to the output window.
Just that the .Redirect business doesn't seem to do anything. .Debug does, though.
FWIW, at first I was using this in every page, and wanted to see if I could get rid of it.I use the session variable in the logon page to make visible a label that says "Session has timed out".Code:private void Page_Load(object sender, System.EventArgs e)
{
// Put user code to initialize the page here
// If it's a new session, then session has timed out.
// Redirect to logon page.
if (Session.IsNewSession)
{
Session.Add("HasTimedOut", "true");
Response.Redirect("Logon.aspx");
}
}
What type of authentication are you using?
I have authentication mode="None" in the web.config. I have a logon page, though, that validates against a database. I'm not sure if that's what you mean. FYI I'm new to the ASP part of .NET, never did regular ASP either.
Yea, that's what I meant.
Normally, if you are validating against a database, you would use forms authentication which ensures no matter how a person accesses a particular page, they would need to have been authentication to access any page beside the logon page.
So if I had used your app before... and knew the location of your RefundCustomer.aspx, i could simply type it in the url box 'http://localhost/mikesapp/refundcustomer.aspx', and never need to be authenticated because your web config doesnt require it. Whereas, if you set forms authentication, I would have to login because as soon as I hit GO with that url, the .net framework would see I haven't been issued an authentication cookie, and redirect me to the default login page you designated in the web.config.
Anyway... (more to come, thought I let you digest this first)
Ok guys what if you have a windows authentification, how do you check that the timeout has expire
Ben
Here's the thing. The app that I'm working on is an intranet app so the authentification is been done by a win 2003 server but I need to know when the timeout expires so the new user can't do a thing with the info on the browser if the last user didn't logged off
Any help will be apprecite it
Ben
Burp. I think I just digested there :)I *thought* I took care of this because (with the code posted above) if it's a new session, it forces you back to the logon page. I did test, and it does seem to work that way.Quote:
So if I had used your app before... and knew the location of your RefundCustomer.aspx, i could simply type it in the url box
I still don't get why the .Redirect does not do anything, though.
Edit: I should have clarified that "with the code posted above" I'm referring to is the stuff in Page_Load that I've been putting in every page, and not the business in the Global.asax file.
Well, the Session_End event will fire when a session expires, but I'm not 100% sure that happens when a request was made from a client, I believe it happens regardless, so if a client shut down their computer.... the event will fire in 20 mins regardless.
So that is not the place to initiate a new session, because the client may not even being using your website anymore.
Here's what I would do:
1) implement forms authentication
2) on the Global.AcquireRequestState event, check
a) if the client is authenticated
b) if the client's session is valid or new..
in the event of an expired session, you would then create a new session for them.
Perhaps the reason why the redirect does not work, because there is no request to handle, so there is no request to redirect.
Well, if the next user tried to post the data on that webpage, and the session was expired, you would have to remove the authentication, and redirect them to login again (or in Windows authentication, IE may prompt them with a login box).Quote:
Originally Posted by bencis
I'm not entirely familliar with win authentication, I would imagine it would require a user to re-authenticate if the session attached to a request had expired.
thanks, but how do you can check if the session has expired?
So is like if session.timeout = 20 then response.redirect? or anything like that?
Also how the authentification can be removed?
I'm pretty new on asp at all (if you haven't noticed :) )
Ben
Looks that way, or at least there's no Response. I tried this code and there's no exception, complaint or whatever, and yet the code just dies as soon as I try to do something with Response.Quote:
Originally Posted by nemaroller
I see this in the output windowCode:protected void Session_End(Object sender, EventArgs e)
{
Debug.WriteLine("Session timeout.");
Debug.WriteLine("Before checking Response.");
if (Response == null)
Debug.WriteLine("Response is null.");
else
Debug.WriteLine("Response is not null");
Debug.WriteLine("Done checking Response.");
...
and then nothing. No unhandled exception. I *guess* that explains why nothing is happening in my failed attempt at Response.Redirect.Code:Session timeout.
Before checking Response.
FWIW, if I had not seen this behaviour before, I might be worried. Seems to me one should get a null reference exception, object not set to instance, or whatever, if you call a method on a null object. I can't remember the why, but I've written (apparently bad) code that behaved the same way. Could never figure it out and just rewrote in a different way.
Whoops, forgot to mention that I appreciate the info, nemaroller, this is what I'll try next. Thanks for the help. :thumb:Quote:
Originally Posted by nemaroller
That's strange you don't get an error....
You sure aren't handling it a global error handler somewhere?
try appending this line of code to the end of that subroutine
Code:Debug.WriteLine(Server.GetLastError.ToString());
Yes, I'm sure I have not written a global error handler, and unhandled exceptions in my code elsewhere behave as expected, bringing you to the stack trace page (or whatever that's called).
I added that line of code to the end of the Session_End method with no change in behavior. The execution just dies the first time I try to do anything with the Response object.
So I put a break point at the first line of code in Session_End. Did a quickwatch on Response and this is what it says:
Code:Response <error: an exception of type: {System.Web.HttpException} occurred> System.Web.HttpResponse
try doing a response.write("gi") or something...
but put it in a try-catch, and then write the exception to the debug line.
I'm guessing its gonna say reponse is not valid in this context or something..
You called that one right:
So, I guess I cannot have a "global" session timeout where I can redirect back to a logon page? Not a big deal, just need to put a couple lines of code in every page.BTW, Session_End does get fired if for example, you're just sitting on a page, so I guess it doesn't really make sense to put there.Code:System.Web.HttpException: Response is not available in this context.
Guess I'll go back to plan A. Thanks for all the help, nemoroller, much appreciated.
Mike
Why cant you ?Quote:
Originally Posted by Mike Hildner
Create a session time out class and call it when you need to ?
Works a treat...
In one of your pages:Code:class Functions {
//blah here
public function RedirectMe(url as String)
Response.Redirect(url)
end function
}
Code:If Is Nothing(Session("x")) then
try
f=new Functions
f.RedirectMe("www.yahoo.com")
catch ex as Exception
Response.Write("An error Occurred: " ex.toString())
finally
f= nothing
else
'do nothing
end if
Yeah, that's about what I did - putting a little code in every page. I guess what I meant by the global business was to put it in, say Session_End. I just worry that I'll forget to put the code in a page, and it'd be nice to handle it gloablly.
This is global...Quote:
Originally Posted by Mike Hildner
My answer to you is to create a reusable class like the one i showed you.
That way you dont have to code it in every page.
I know slightly off topic, but I'm curious why you would create a class where you have to instantiate it to use the function? looks messy :ehh:
Would it not be better to create a module OR have the functions declared as shared and then just add the class to the global imports on the project?
Also, the Session_End event is just pants, better to use the Cache on a sliding expiration and get it to fire off an event :bigyello:
And for those of you who are trying to use Redirect in the Session_End even, you can't do this. Stop trying!!! please.
You should have told me that earlier :bigyello:Quote:
Originally Posted by tailz
nah you were all in full swing, wouldn't have got a post in edgeways
Besides, you might have proved me wrong as I was only 99% sure lol :p
Everyone is clear now why you can't do it right? :ehh:
I know you can't do it, but I don't know enough about it to know why. I also don't understand why if you try to do something with Response in Session_End, you don't get an exception. Know anything about that?
I knew you'd ask so I've done a diagram, picture speaks 1000 words or in this case, probably about 10 words.
Note this took me like 10 minutes of my afternoon off sick so no laughing :-P
hope it helps :D
and here is an FAQ on session states which I dug up from google that supports my diagram :D
http://www.eggheadcafe.com/articles/20021016.asp
Too late :) - thanks for the explanation.Quote:
Originally Posted by tailz