Hi All,
***Urgent help needed***
Facing one issue: in our application we expire the session after 20 min, and any action then leads to the session timeout page, which is good and expected.
Now the issue is that once the session expires and we open a new tab in the browser, we get the same session timeout message… [opening the new tab should ask for login]
On subsequently opening a tab we get the same timeout message, but if we clear the cache and close all instances of the browser we are able to get the login screen.
Please help out.
Thanks
Session and authentication are not related. What is stopping you getting to your login screen? Your real solution is going to be to decouple the session and the authentication. Reading between the lines it seems you are trying to tie the two together and expire one when the other expires. Deal with your authentication as one issue. Then deal with handling session and session data as another. If session data has gone you need to either re-create it if possible, or redirect the user to a screen that tells them their session has timed out but lets them continue with the session they have. Sending them to the login screen is not the thing to do. If your code can only work after a user has just logged in then you need to remove that dependency and allow a user to start a new session from your "session timed out" page, as well as allowing them to start a new session after they just log in.
Try clearing the session cookie.
This appears to happen all of the time due to the fact that people often refer to the act of a user being logged in as a "Session" and just associate the two, which isn’t the case. You have an actual Session and a Forms Authentication token, which are two distinct concepts and have two separate timeouts.
If this is occurring after 20 minutes, it’s very likely an Idle Timeout through IIS (seen in the third section below). I’ll paste the following, which I have posted in the past and which contains all of the necessary steps to change all of these various timeouts (Forms Authentication, Session and IIS Idle Timeouts):
There are quite a few ways to set timeouts within .NET (Session Timeouts, Forms Authentication Timeouts and IIS-related Timeouts), so a few things could be going wrong here; I’ll detail each of them below.
Setting the SessionState Timeout within your web.config
You can update the timeout property of your Session State (if that is what is actually timing out) within your web.config file in the <sessionState> element as shown below (default of 20 minutes shown below):
<configuration>
  <system.web>
    <!-- Adjust the timeout property below (value is in minutes) -->
    <sessionState mode="InProc" timeout="20" />
  </system.web>
</configuration>
So you could simply change this to the number of minutes that you wanted. For instance, 3 hours would be:
<sessionState mode="InProc" timeout="180" />
Setting the Forms Authentication Timeout within your web.config
You can adjust the specific timeout property of your Forms Authentication in your application by adjusting the timeout property within the <authentication> element of your web.config file. You will also want to be mindful if you are using the slidingExpiration property in conjunction with timeouts, as they can actually expire much earlier than the timeout listed.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="yourTimeoutInMinutes"></forms>
</authentication>
So if you wanted to extend the amount that the authentication token stays "alive" for to say 180 minutes (3 hours), you would set it as seen below :
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="180"></forms>
</authentication>
However, if you are using the slidingExpiration property, the authentication token can expire when half of the timeout duration has elapsed. So you’ll likely want to double your timeout value if you are using it :
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="360" slidingExpiration="true"></forms>
</authentication>
Setting the Application IdleTimeout property within IIS
You may need to check what your timeout is configured for within IIS, as this timeout will override the timeouts defined in your web.config.
Within IIS there is a setting called Idle Timeout, which defaults at 20 minutes. This could explain your early timeout issue and you may want to consider adjusting this property within IIS. Based on your issue, this could likely be the culprit :
Scott Hanselman also addresses strange issues that can occur when dealing with timeouts when using Forms Authentication in this blog post as well.
Using Windows authentication.
If you’re using Windows auth then the user will always be authenticated.
So just clearing cookies will work?
Windows auth isn’t cookie based, so clearing cookies won’t do anything. You can’t log the person out, and there is no "login" screen; they are automatically authenticated before they even hit your code.
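The session/ticket mismatch and the sliding-expiration behaviour discussed in the answers above, as an added example that is not code from any poster in this thread. It audits a constructed web.config and replays request times against a Forms Authentication ticket, which ASP.NET renews only once more than half of its lifetime has elapsed. The function names, finding codes and attribute fallbacks are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's 20-minute session beside its 360-minute sliding ticket.
SAMPLE_CONFIG = """<configuration><system.web>
  <sessionState mode="InProc" timeout="20" />
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="360" slidingExpiration="true" />
  </authentication>
</system.web></configuration>"""

def audit_timeouts(config_xml):
    """Return finding codes (hypothetical names) for the session/auth settings."""
    root = ET.fromstring(config_xml)
    session = root.find(".//sessionState")
    auth = root.find(".//authentication")
    # Fallbacks for absent elements or attributes are assumptions of this sketch.
    session_min = int(session.get("timeout", "20")) if session is not None else 20
    if auth is None or auth.get("mode") != "Forms":
        return ["no-forms-ticket"]  # e.g. Windows auth: no cookie to expire or clear
    forms = auth.find("forms")
    ticket_min = int(forms.get("timeout", "30")) if forms is not None else 30
    sliding = forms is not None and forms.get("slidingExpiration", "true") == "true"
    findings = []
    if session_min < ticket_min:
        findings.append("session-expires-before-ticket")  # still logged in, session data gone
    elif session_min > ticket_min:
        findings.append("ticket-expires-before-session")
    if sliding:
        # Worst case: a request just before the halfway point does not renew the ticket.
        findings.append("idle-guarantee-%d-min" % (ticket_min // 2))
    return findings

def replay_requests(timeout_min, sliding, request_minutes):
    """Replay request times (minutes after login); True where the ticket is still valid."""
    issued, expires, seen = 0, timeout_min, []
    for t in request_minutes:
        alive = t < expires
        seen.append(alive)
        if not alive:
            break  # this request would be redirected to loginUrl
        if sliding and (t - issued) > (expires - t):
            issued, expires = t, t + timeout_min  # renewed only past the halfway point
    return seen

if __name__ == "__main__":
    print(audit_timeouts(SAMPLE_CONFIG))
    print(replay_requests(30, True, [14, 31]))  # request at 14 min did not renew
    print(replay_requests(30, True, [16, 31]))  # request at 16 min renewed
```

With a 30-minute sliding ticket, a request at minute 14 followed by one at minute 31 is rejected after only 17 idle minutes, which is why the guaranteed idle window is reported as half the configured timeout.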