How to effectively handle session in asp.net

StackOverflow https://stackoverflow.com/questions/19954706

  •  30-07-2022
  •  | 
  •  

Question

I have one web site with multiple accounts like staff, end user and admin.

However I am creating each session while the user is logged into their account.

if (Page.IsValid)
        {
            string type_name="";
            int returnValue = DatabaseHelper.GetLogin(txtusername.Text.Trim(), txtpassword.Text.Trim(), out type_name);
            if (returnValue == 1)
            {
                if (chk_remember.Checked == true)
                {
                    if (type_name.Trim()=="Admin")
                    {
                        Response.Cookies["UName"].Value = txtusername.Text;
                        Response.Cookies["PWD"].Value = txtpassword.Text;
                        Response.Cookies["UName"].Expires = DateTime.Now.AddMonths(2);
                        Response.Cookies["PWD"].Expires = DateTime.Now.AddMonths(2);
                        Session["username"] = txtusername.Text.Trim();
                        Response.Redirect("~/Admin/Admin_Landing_page.aspx");
                    }
                    else if (type_name.Trim()=="User")
                    {
                        Response.Cookies["UName"].Value = txtusername.Text;
                        Response.Cookies["PWD"].Value = txtpassword.Text;
                        Response.Cookies["UName"].Expires = DateTime.Now.AddMonths(2);
                        Response.Cookies["PWD"].Expires = DateTime.Now.AddMonths(2);
                        Session["username"] = txtusername.Text.Trim();
                        Response.Redirect("~/EndUser/myhome.aspx");
                    }
                }
                else
                {
                    Response.Cookies["UName"].Expires = DateTime.Now.AddMonths(-1);
                    Response.Cookies["PWD"].Expires = DateTime.Now.AddMonths(-1);
                    if (type_name.Trim()== "Admin")
                    {
                        Session["username"] = txtusername.Text.Trim();
                        Response.Redirect("~/Admin/Admin_Landing_page.aspx");
                    }
                    else if (type_name.Trim()== "User")
                    {
                        Session["username"] = txtusername.Text.Trim();
                        Response.Redirect("~/EndUser/myhome.aspx");
                    }
                }
            }
            else if (returnValue == -1)
            {
                ltr_error.Text = "Authentication failed..contact administrator";
            }
            else
            {
                ltr_error.Text = "Invalid username or password";
            }
        }
    }

Here, sessions are created but how I handle them for long time as possible in ASP.NET timeout? Is that way to handle them with global.asax file?

Also, how do I redirect the user to login page if no session found in application?

-------------------------------------Updated----------------------------------------

using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;

public partial class WebUserControl : System.Web.UI.UserControl
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected override void OnPreRender(EventArgs e)
    {
        if (Context.Session != null && Context.Session.IsNewSession)
        {
            if (this.Page.User != null && this.Page.User.Identity.IsAuthenticated)
            {
                FormsAuthentication.SignOut();
                Response.Redirect("~/Default.aspx");
            }
        }    
        base.OnPreRender(e);
    }
}
Was it helpful?

Solution

session by default lasts for 20 mins - depending on the setting in IIS and also the web.config. if session is expires, the Session_End event in the global.asax gets fired. from there, you cannot exactly redirect and would not be the right place to redirect anyway.

you should create a user control for example, which is on every page or even better a master page from which all pages derive from, then you can check on every request if Session is empty. if so, redirect to the logon page.

I have done this many times and works a treat.

I have this on a prerender event in a user control:

if (Context.Session != null && Context.Session.IsNewSession)
            {
                if (this.Page.User != null && this.Page.User.Identity.IsAuthenticated)
                {
                    FormsAuthentication.SignOut();
                    Response.Redirect("~/Login.aspx");
                }
            }
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top