Thea Burger's Blog

We also used the basepage to insert some common javascript on each page and to check page security. Interestingly enough, you can't create a class file and create your basepage as a class, you have to add a webform. HTTP modules are also very nice for pre and post processing on all requests. We used it to remove all images tags from the response before it get's sent to the client.

We're also using the base page for security. Adding a webform, interesting, that is only when you include the javascript, right?

dgvbv

Why donot you set the same timeout for both Form and Session:
<authentication mode="Forms">
<forms ...
timeout="40" path="/" />
</authentication>

<sessionState
...
timeout="40"
/>

Using PageController (the base page idea) is not very scalable, but can be transferred to just about any server environment. If you use the ASP.NET forms authentication framework, then you can handle sliding expiration and specific page security without having to code it yourself. To integrate your PageController code into the FormsAuthentication framework, all you need to do is set the authentication cookie after the user logs into your application. The FormsAuthentication framework then handles the ReturnUrl parameter, so your users get redirected back to their original requested page instead of to the post-login root page. Using FormsAuthentication, though, means you have to be careful about how you add data to the authentication cookie. So if you wanted to implement sticky login (see the 'Remember Me?' at the bottom of this page), you would have to get the authentication cookie, and add your custom data to it. Adding your own cookie to the response doesn't seem to work well.

On timeouts, the session state timeout is different than the login timeout. You can set the login cookie for sliding expiration, which means it will act like a session timeout (reset with each request). If you don't set sliding expiration on the login timeout, then it will be an absolute timeout.

You can always tell if a session is expired by seeing if the session exists in a request. If your application data doesn not exist in the session, then you know the application is starting again. In that way, you can make use of a PageController to setup your application context.

Capturing the session_end event only makes sense if the session terminates in the middle of a user using the site. Since sessions are refreshed with each request, that should not be a problem (if you use sliding expiration, forms authentication, and the same timeout lengths for both session and login).

for this write the code in each page load event. suppose your session name is TEMP. then write this code in the first lines in every page_load event of every page.

if(Session["TEMP"]==null)
Response.Redirect("Login.aspx");

What if the user click Back button? how to prevent that

I want code of this sample

Setting the timeout value on the webconfig (forms section) is the easiest way to go.

Just make sure that your timeout session in IIS is greater than what you have on your webconfig file.

I expect a example.........

Instead of doing "adding a base.Page_Load(sender, e); call in the Page_Load event" You could just rewrite the InitializeComponent function like so.

private void InitializeComponent()
{
this.Load += new System.EventHandler(base.Page_Load);
this.Load += new System.EventHandler(this.Page_Load);
}

This much good solution. We need code for example for offshore crm yes.

Hi,
Can someone please give me the source code for the above base class implementation...

Thanx,

Add this class to your project and then make your web forms inherit from this class instead of System.Web.UI.Page.

==============================================

Public Class PageBase
Inherits System.Web.UI.Page

Protected Overrides Sub OnPreRender(ByVal e As System.EventArgs)
MyBase.OnPreRender(e)

If context.Session.IsNewSession = True Then
Dim strCookieHEader As String = Page.Request.Headers("Cookie")
If Not strCookieHEader Is Nothing Then strCookieHEader = strCookieHEader.ToLower
If Not strCookieHEader Is Nothing AndAlso strCookieHEader.IndexOf("asp.net_sessionid") >= 0 Then
If Page.Request.IsAuthenticated = True Then
System.Web.Security.FormsAuthentication.SignOut()
End If
Page.Response.Redirect("SessionOut.aspx")
End If
End If
End Sub
End Class

Note about the above post.

What this does is check to see if Session.IsNewSession = True and also if the Session Cookie exists. If the session cookie is there and the session is new then an expiration must have occured.

If I close the browser window, session_end doesn't get fired.
I want to do some updations in database when the user tries to close the window wiithout cliking on 'Logout' button provided.
What's the solution.
- Swapna

When, i try to use response.redirect it is throwing an exception saying thread already aborted. In this scenario, how can i redirect to another page. Even server.transfer also gives the same error.

You redirecting in a try catch block.

catch this exception but do not handle it, only way I've found to get rid of it.

How can i end a session when other user logins with same username & password
in other systems

IF i can set session timeout more than 20 mins, does it will make any affect on server, if end user simply close IE?