The Light

Reputation: 27021

How to implement or configure hard session expiry in ASP.NET?

I can set a 20-minute timeout for the sessions, which means that if the user doesn't make a request within the 20-minute period, his/her session expires.

<sessionState timeout="20" />

But what I need is to be able to expire the session after a certain time, no matter whether the user is still sending requests.

For example, after 4 hours the session must be expired whether or not the user sends another request; that's to prevent malware from abusing the default session behaviour...

How to configure or implement it in ASP.NET?

I hoped there would be a config setting, but I couldn't find one.

Many thanks

Upvotes: 0

Views: 296

Answers (3)

The Light

Reputation: 27021

This has a code sample and is exactly what I want:

http://pooyakhamooshi.blogspot.co.uk/2012/10/how-to-implement-hard-session-expiry-in.html

Upvotes: 0

Onur Topal

Reputation: 3061

As Oded mentioned, you should also store the first login time in the session on the session start event, and when you are reading the session, check the time and use Session.Clear();

An easy way to check the session start time is to access it through a global property.

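public User CurrentUser
{
    get
    {
        User user = (User)Session["CurrentUser"];
        // Hard expiry: compare the age of the login against a 4-hour limit (adjust as needed).
        // Assumes startTime is a UTC DateTime stored on the User object at login.
        if (user != null && DateTime.UtcNow - user.startTime > TimeSpan.FromHours(4))
            Session.Clear(); // or Session.Abandon(); Clear() removes the items, Abandon() ends the session

        // Null once the session has been cleared, so callers must handle a missing user.
        return (User)Session["CurrentUser"];
    }
}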


Upvotes: 0

Oded

Reputation: 499132

There is no configuration setting for this requirement as it is rather unique.

You can implement this by issuing a cookie to the client when it first connects - check this cookie on every request and start rejecting it when 4 hours have passed. You can either store this start time in a cookie or in a Session variable.

Upvotes: 1
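The check-on-every-request approach from the answers above, in its Session-variable form so the start time stays on the server where the client cannot edit it. This is an added example, not code from the original posts or the linked blog; the key name `SessionCreatedUtc`, the `Global` class name and the `~/Login.aspx` redirect target are assumptions.

```csharp
// Global.asax.cs (added example; names marked "assumed" are illustrative)
using System;
using System.Web;

public class Global : HttpApplication
{
    private const string CreatedKey = "SessionCreatedUtc";                // assumed key name
    private static readonly TimeSpan MaxLifetime = TimeSpan.FromHours(4); // hard limit from the question

    // Fires once per new session: record the creation time server-side.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session[CreatedKey] = DateTime.UtcNow;
    }

    // Fires on every request after session state has been loaded.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null) return; // handler without session state

        if (!IsExpired(ctx.Session[CreatedKey], DateTime.UtcNow, MaxLifetime)) return;

        // End the server-side session and expire the session id cookie
        // ("ASP.NET_SessionId" is the default name) so the old id is not reused.
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        ctx.Response.Redirect("~/Login.aspx", false); // assumed login page
        CompleteRequest();
    }

    // Fail closed: a missing or malformed start time, or one that lies in
    // the future, counts as expired. Activity never extends the lifetime.
    internal static bool IsExpired(object createdUtc, DateTime nowUtc, TimeSpan max)
    {
        if (!(createdUtc is DateTime)) return true;
        TimeSpan age = nowUtc - (DateTime)createdUtc;
        return age < TimeSpan.Zero || age >= max;
    }
}
```

The idle timeout from `<sessionState timeout="20" />` keeps working alongside this check. If the application authenticates with a separate cookie (for example a forms authentication ticket), that cookie has its own lifetime and needs its own absolute limit.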
