
How to know if session has expired in ASP.NET


It’s not advisable to rely on Session state for keeping important information in our ASP.NET apps. When a session expires in our app, we may run into a lot of problems. If we do need to use Session state, it is at least useful to know whether the current session has expired, and to find that out in the most professional and self-contained way possible.
This method is based on a little-known property available through the HttpContext class (on its Session object): IsNewSession. This property returns True only when a user session has just been created in the current request. A session is created when a session variable is created for the very first time. When that happens, a header containing the session identifier is sent to the client. The browser then sends this identifier back to the server with every later request, which is how we know which session a request belongs to. This header is actually a cookie that lives only as long as the session is active (a session cookie), since it is never stored on disk. This cookie is known as “ASP.NET_SessionId”.
The browser doesn’t know whether the session has expired on the server, so it keeps sending the header all the time. Detecting an expired session this way therefore relies on the fact that, when the session expires, a new session is created in the next request. “ASP.NET_SessionId” is present in the browser’s requests only for active or expired sessions. So we know that a session has just expired when a new session is created and, at the same time, the request carries that header. Simple, but let’s see how it’s implemented…
In code, the condition looks like this:
using System;
using System.Web;

// SessionHelper is a placeholder class name; the method can live in any class.
public static class SessionHelper
{
   public static bool IsSessionTimedOut()
   {
      HttpContext ctx = HttpContext.Current;
      if (ctx == null)
         throw new InvalidOperationException("This method can only be used in a web application");

      //First we check if there is a session
      //(for instance if EnableSessionState=false)
      if (ctx.Session == null)
         return false; //If there isn't a session, it cannot expire

      //We check if a new session has been generated in this request
      if (!ctx.Session.IsNewSession)
         return false; //If it's not a new session it hasn't expired

      //"ASP.NET_SessionId" is the default session cookie name
      HttpCookie objCookie = ctx.Request.Cookies["ASP.NET_SessionId"];
      //In theory this can't happen because if there is a
      //new session the cookie should exist, but I check on it because
      //IsNewSession can give True without being true (read more in the post)
      if (objCookie == null)
         return false;

      //If there is a value in the cookie it's because there is a previous session value, but since
      //the session is new it shouldn't appear, so we deduce the previous session has expired
      return !string.IsNullOrEmpty(objCookie.Value);
   }
}
Comments were added to improve code readability.
As we can see, the first thing we do is get a reference to the current context of the web request (if it doesn’t exist, we are not in a web application). Next we check whether there is a session. There is not always a session, since session management can be deactivated for a single page or for the whole application from the web.config. Then we check whether the session is new using the IsNewSession property. After that, we try to get a reference to the session cookie. If there is no cookie, it is because this is the first time a session is created for the current user; but if there is a cookie and it contains a value, it is because there was a previous session and therefore it has expired.
Hope this helps!
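One way to apply this check on every request, as an added example that is not code from the original post: an HTTP module that runs once session state is available and sends the user to a timeout notice. It assumes the IsSessionTimedOut method above lives in a class called SessionHelper; that class name, SessionTimeoutModule, the marker key and ~/SessionExpired.aspx are all hypothetical.

```csharp
using System;
using System.Web;

// Added example. SessionTimeoutModule, SessionHelper, the marker key and
// ~/SessionExpired.aspx are hypothetical names, not from the original post.
public class SessionTimeoutModule : IHttpModule
{
    private const string TimeoutPage = "~/SessionExpired.aspx";
    private const string MarkerKey = "__sessionSeen";

    public void Init(HttpApplication app)
    {
        // Session state has been attached to the request once this event fires.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null)
            return; // handler without session state (e.g. static content)

        bool timedOut = SessionHelper.IsSessionTimedOut();

        // Store a value so the replacement session is actually saved and
        // the next request is not treated as a new session again.
        if (ctx.Session.IsNewSession)
            ctx.Session[MarkerKey] = DateTime.UtcNow;

        if (!timedOut)
            return;

        // Never redirect the timeout page to itself.
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (string.Equals(path, TimeoutPage, StringComparison.OrdinalIgnoreCase))
            return;

        // The cookie is client-supplied: treat the result as a UX hint only,
        // never as an authentication or authorization decision.
        ctx.Response.Redirect(TimeoutPage, false);
        ctx.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```

The module has to be registered in the modules section of web.config before it runs. Because any client can send an arbitrary ASP.NET_SessionId value, access control should continue to rely on the application's authentication mechanism rather than on this check.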
