capn_midnight

[.net] ASP.NET session time outs, cookies, utter [crap]


This one is driving me nuts. I'm having a problem with session timeouts. I have a lot of popup windows, and if the user were to let their session time out, then try to reuse a popup window, it will redirect the popup to the login page, allow the person to log in, and then proceed to load the main page in the tiny little popup window. The client has decided to latch on to this particular problem; they absolutely hate it. (How I feel about them will be left unmentioned.)

My initial fix was to have the login page check to see if it was in a popup window and then freak out if it was. This was easy since all of our popup windows had names. I could check the current window.name value in JavaScript; if it was blank then it was in the main application window and not a little popup. Once I determined that a popup had loaded the login page, there wasn’t much I could do about it, but I informed the user via a confirm dialog and asked them if the app should try to close the old browser windows. Most of the time this doesn’t work, but at least we can try. Finally it opens a new window of the right dimensions and toolbar features, loads up the login page, adds a message about the session timeout, and informs the user that they should clear out any windows that might remain open from the previous session.

Okay, great, that will do. Unfortunately, we only use the login page for local testing and on the development server. We use the integrated Windows authentication dialog on the staging and client servers. So there’s a good chunk of completely wasted time.

My next idea (and you can probably tell me if I’m insane or not) is to store an integer value in Session and increment it every time a page loads. I can do this easily as all the pages in the app inherit from one class. At the same time, I could store another integer value in a cookie on the user’s machine, and increment that every time a page loads as well. If the session times out, then we lose the first counter and it gets reset to 0, but the cookie counter is still valid. So, if the two counters don’t match, then I feel I can say with confidence that the session has timed out. Unfortunately, I can’t seem to write a cookie to save my life, and it’s probably my fault. Here’s a snippet of code:
/**
		* begin session timeout handling code
		* */
		protected override void OnLoad(EventArgs e)
		{
			base.OnLoad (e);
			Response.AppendHeader("refresh", (Session.Timeout * 60).ToString());
			Response.Write("<!-- p"+PageHitCount+":c"+CookieHitCount+", id:" + Session.SessionID+", t"+Session.Timeout+"-->\n");
		}
		private int CookieHitCount
		{
			get
			{
				HttpCookie cookie = Request.Cookies["IRRIS60"];
				int _ckHit = -1;
				if(cookie == null || cookie.Values["CookieHitCount"] == null)
				{
					_ckHit = 0;
				}
				else
				{
					_ckHit = int.Parse(cookie.Values["CookieHitCount"]);
				}
				cookie = new HttpCookie("IRRIS60");
				cookie.Values.Add("CookieHitCount", (_ckHit + 1).ToString());
				cookie.Expires = DateTime.Now.Add(new TimeSpan(1, 23, 59, 59, 999));
				cookie.Secure = true;
				Response.AppendCookie(cookie);
				return _ckHit;
			}
		}
		private int PageHitCount
		{
			get
			{
				if(Session["PageHitCount"] == null)
				{
					Session.Add("PageHitCount", 0);
				}
				int _pgHit = (int)Session["PageHitCount"];
				Session["PageHitCount"] = _pgHit + 1;
				return _pgHit;
			}
		}


This code goes in the Base Page class. The PageHitCount works fine, incrementing the value each time it's called. The CookieHitCount property does not work; it consistently returns 0. Obviously, no cookie is getting stored on the user’s machine. What am I doing wrong with the cookie? Any better solutions to handling a timeout?
edited by evolutional - naughty words in title :P [Edited by - evolutional on September 1, 2005 9:20:45 AM]

At a glance the code looks OK. You might want to set your browser to prompt for each cookie set to verify that it is sent. If it is sent, it probably would be a cookie timeout issue.

I'll attach some code I had working:

HttpCookie cookie = new HttpCookie(".ASPXAUTH");
cookie.Value = Cryptography.Encrypt(userName);
cookie.Expires = DateTime.Now.AddYears(1);
Page.Response.Cookies.Add(cookie);

Probably the only difference we had is the .Secure.

On initial thought I was going to suggest not caring about session timeout and recreating the user IPrincipal with the Application.BeginRequest or AuthenticateRequest, but on second thought that would be a serious security loophole. My question was, why do you need to 'say with confidence that the session has timed out'? If the session does not exist, it is timed out, and the Page.User and/or Page.User.Identity would be null. What more guarantees do you need? If you are using Windows Authentication, wouldn't further accessing the page prompt the dialog again? (Assuming all your resources are locked with an entry in web.config for the allowed roles and users.)

Quote:
Original post by dot
On initial thought I was going to suggest not caring about session timeout and recreating the user IPrincipal with the Application.BeginRequest or AuthenticateRequest, but on second thought that would be a serious security loophole. My question was, why do you need to 'say with confidence that the session has timed out'? If the session does not exist, it is timed out, and the Page.User and/or Page.User.Identity would be null. What more guarantees do you need? If you are using Windows Authentication, wouldn't further accessing the page prompt the dialog again? (Assuming all your resources are locked with an entry in web.config for the allowed roles and users.)


Yes, this is all true. However, we have a couple of small popup windows that display important information from time to time. The client has users that leave these windows open for long periods of time, not doing anything else. So, after an hour or so, long after the session has timed out, they go to do something else, get hit with the login interface (which they fill out) and then are sent to the main page *in the tiny, little popup window*. So that is the problem: to avoid opening the main page in the tiny, little popup window.

By the time I have a chance to do anything, the user has started a new session. I need to either A) catch that period of time when the session is still zonked out, or B) tell when a user has started a new session directly after an old session (and not two days after an old one).
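
An added example, not part of the original thread or any poster's code: one way to write the two-counter check from the first post so that each counter is read once per request and the cookie's Secure flag follows the connection, since a browser returns a Secure cookie only over HTTPS. The class name TimeoutAwarePage, the cookie name HitCounter and the SessionTimedOut property are assumptions made for illustration, and session state is assumed to be enabled.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base page; class, cookie and key names are illustrative.
public class TimeoutAwarePage : Page
{
    private const string CounterCookie = "HitCounter";
    private const string CounterKey = "PageHitCount";

    // True when the session counter is gone but the browser still returned
    // a counter cookie, i.e. the previous session expired recently.
    protected bool SessionTimedOut { get; private set; }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Read each counter exactly once per request (no side effects in getters).
        int cookieHits = ReadCookieCounter();
        object stored = Session[CounterKey];
        SessionTimedOut = stored == null && cookieHits > 0;
        // Resynchronise both counters for the next request.
        int next = (stored == null ? 0 : (int)stored) + 1;
        Session[CounterKey] = next;
        WriteCookieCounter(next);
    }

    private int ReadCookieCounter()
    {
        HttpCookie cookie = Request.Cookies[CounterCookie];
        int value;
        // Client-controlled input: parse defensively and use it only as a UI
        // hint, never for authentication or authorization decisions.
        if (cookie != null && int.TryParse(cookie.Value, out value) && value > 0)
            return value;
        return 0;
    }

    private void WriteCookieCounter(int value)
    {
        HttpCookie cookie = new HttpCookie(CounterCookie, value.ToString());
        cookie.Expires = DateTime.Now.AddDays(2);   // bounds how long a timeout is reported
        cookie.HttpOnly = true;                     // page script does not need it
        // A Secure cookie is only returned over HTTPS; setting it unconditionally
        // on an HTTP site means the browser never sends the counter back.
        cookie.Secure = Request.IsSecureConnection;
        Response.Cookies.Set(cookie);
    }
}
```

A derived page can check SessionTimedOut after calling base.OnLoad and, when it is running in a named popup, render a timeout notice instead of the main page.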

Quote:
Original post by Wolfmanyoda
What about users that have cookies disabled?

We can dictate the client setup to a certain degree. This isn't exactly a publicly available site. We already have defined that users must run IE and at least 1024x768 resolution.
