How to know if session has expired in ASP.NET

It’s not advisable to rely in Session state for keeping important information in our ASP.NET apps. When a session expires in our app, we may find a lot of problems. If we need to use Session state, at least it will be useful to know if the current session has expired or not, and know it using the most professional and self-contained way possible.
This method is based on a not widely known property of the HttpContext class: IsNewSession. This property returns True only when a user session has just been created in the current request. A session is created when a session variable is created for the very first time. In doing so, a header containing the session identifier is sent to the client. This identifier is sent by the browser to the server in each request later, this way we are able to know the session that belongs the request. This header is actually a cookie which is active while the session is active (session cookie) since never is stored in a hard disk. This cookie is known as “ASP.NET_SessionId”.
The browser doesn’t know if the session has expired in the server, so it keeps sending the header all the time. Therefore, finding an expired session by this system is based on the fact that when the session expires, a new session is created in the next request. “ASP.NET_SessionId” exists in the browser’s requests only in active or expired sessions. So we can know that a session has just expired when a new session is created and at the same time there is such a header in the request. Simple, but let’s see how it’s implemented…
In code, this condition would be like this:

public static bool IsSessionTimedOut()

{

HttpContext ctx = HttpContext.Current;

if (ctx == null)

throw new Exception("This method can only be used in a web application");

//First we check if there is a session

//(for instance if EnableSessionState=false)

if (ctx.Session == null)

return false; //If there isn't a session, it cannot expire

//We check if a new session has been generated in this request

if (!ctx.Session.IsNewSession)

return false; //If it's not a new session it hasn't expired

HttpCookie objCookie = ctx.Request.Cookies["ASP.NET_SessionId"];

//In theory this can't happen because if there is a

//new session the cookie should exist, but I check on it because

//IsNewSession can give True without being true (read more in the post)

if (objCookie == null)

return false;

//If there is a value in the cookie i's because there is a previous session value, but since it

//is new it shouldn't appear, so we deduce the previous version has expired

if (!string.IsNullOrEmpty(objCookie.Value))

return true;

else

return false;

}

Comments were added to improve code readability.
As we can see, the first thing we do is to get a reference of the current context of the web request (if this doesn’t exist it is because it’s not a web application). Next we check if there is a session. There is not always a session since we can deactivate session management for a page or for the whole application from the web.config. Then, we check if there is a new session using the IsNewSession property. After that, we try to get a reference to the session cookie. If there is no cookie it is because it’s the first time that the session is created for the current user, but if there is a cookie and it contains some value it is because there was a session previously and therefore it had expired.
Hope this helps!