Skip to main content

How to know if session has expired in ASP.NET


It’s not advisable to rely in Session state for keeping important information in our ASP.NET apps. When a session expires in our app, we may find a lot of problems. If we need to use Session state, at least it will be useful to know if the current session has expired or not, and know it using the most professional and self-contained way possible.
This method is based on a not widely known property of the HttpContext class: IsNewSession. This property returns True only when a user session has just been created in the current request. A session is created when a session variable is created for the very first time. In doing so, a header containing the session identifier is sent to the client. This identifier is sent by the browser to the server in each request later, this way we are able to know the session that belongs the request. This header is actually a cookie which is active while the session is active (session cookie) since never is stored in a hard disk. This cookie is known as “ASP.NET_SessionId”.
The browser doesn’t know if the session has expired in the server, so it keeps sending the header all the time. Therefore, finding an expired session by this system is based on the fact that when the session expires, a new session is created in the next request. “ASP.NET_SessionId” exists in the browser’s requests only in active or expired sessions. So we can know that a session has just expired when a new session is created and at the same time there is such a header in the request. Simple, but let’s see how it’s implemented…
In code, this condition would be like this:
public static bool IsSessionTimedOut()
{
   HttpContext ctx = HttpContext.Current;
   if (ctx == null)
      throw new Exception("This method can only be used in a web application");
 
   //First we check if there is a session
   //(for instance if EnableSessionState=false)
   if (ctx.Session == null)
      return false; //If there isn't a session, it cannot expire
 
   //We check if a new session has been generated in this request
   if (!ctx.Session.IsNewSession)
      return false; //If it's not a new session it hasn't expired
 
   HttpCookie objCookie = ctx.Request.Cookies["ASP.NET_SessionId"];
   //In theory this can't happen because if there is a
   //new session the cookie should exist, but I check on it because
   //IsNewSession can give True without being true (read more in the post)
   if (objCookie == null)
      return false;
 
   //If there is a value in the cookie i's because there is a previous session value, but since it
   //is new it shouldn't appear, so we deduce the previous version has expired
   if (!string.IsNullOrEmpty(objCookie.Value))
      return true;
   else
      return false;
}
Comments were added to improve code readability.
As we can see, the first thing we do is to get a reference of the current context of the web request (if this doesn’t exist it is because it’s not a web application). Next we check if there is a session. There is not always a session since we can deactivate session management for a page or for the whole application from the web.config. Then, we check if there is a new session using the IsNewSession property. After that, we try to get a reference to the session cookie. If there is no cookie it is because it’s the first time that the session is created for the current user, but if there is a cookie and it contains some value it is because there was a session previously and therefore it had expired.
Hope this helps!

Comments

Post a Comment

Popular posts from this blog

ASP.NET MVC - Set custom IIdentity or IPrincipal

Here's how I do it. I decided to use IPrincipal instead of IIdentity because it means I don't have to implement both IIdentity and IPrincipal. Create the interface interface ICustomPrincipal : IPrincipal { int UserId { get ; set ; } string FirstName { get ; set ; } string LastName { get ; set ; } } CustomPrincipal public class CustomPrincipal : ICustomPrincipal { public IIdentity Identity { get ; private set ; } public bool IsInRole ( string role ) { return false ; } public CustomPrincipal ( string email ) { this . Identity = new GenericIdentity ( email ); } public int UserId { get ; set ; } public string FirstName { get ; set ; } public string LastName { get ; set ; } } CustomPrincipalSerializeModel - for serializing custom information into userdata field in FormsAuthenticationTicket object. public class CustomPrincipalSerializeMode...
8 comments
Read more

Validate credit card number with Mod 10 algorithm in C#

Introduction All you know what information contains in your NIC number. But do you know what information contains in the Credit Card Number? Following article provides brief details about what information contain in your credit card and demonstrates to how to validate credit card number using mod 10 (Luhn) algorithms with C#. Background  Card Length   Typically, credit card numbers are all numeric and the length of the credit card number is between 12 digits to 19 digits.  14, 15, 16 digits – Diners Club 15 digits – American Express 13, 16 digits – Visa 16 digits - MasterCard   For more information please refer  http://en.wikipedia.org/wiki/Bank_card_number . Hidden information  Major Industry Identifier (MII)   The first digit of the credit card number is the Major Industry Identifier (MII). It designates the category of the entry which issued the card.     1 and 2 – Airlin...
1 comment
Read more

Tip/Trick: Fix Common SEO Problems Using the URL Rewrite Extension

Search engine optimization (SEO) is important for any publically facing web-site.  A large % of traffic to sites now comes directly from search engines, and improving your site’s search relevancy will lead to more users visiting your site from search engine queries.  This can directly or indirectly increase the money you make through your site. This blog post covers how you can use the free Microsoft  URL Rewrite Extension  to fix a bunch of common SEO problems that your site might have.  It takes less than 15 minutes (and no code changes) to apply 4 simple  URL Rewrite  rules to your site, and in doing so cause search engines to drive more visitors and traffic to your site.  The techniques below work equally well with both ASP.NET Web Forms and ASP.NET MVC based sites.  They also works with all versions of ASP.NET (and even work with non-ASP.NET content). [In addition to blogging, I am also now using Twitter for quick updates and to sh...
Post a Comment
Read more