Best practice for redirecting to a page when the user session expires

Question

I have tried things from this SO question. But it didn't help me. All answers seem not working. I don't want to check whether Session is null or not and redirect to other page in every method. I tried to redirect in Session_end event, but it is not working because it does not have an HTTP context associated with it.

So, what is the best practice?

Thanks.

Answer 1

Best practice is not to redirect in a case like this.

Let's say you are a user on a website, and you want to go to http://example.net/theInterestingBit.

Now let's imagine your session has expired.

Was what you wanted that you would go to /theInterestingBit if your session was alive, but otherwise you would go to /someLoginPage "successfully"? Probably not.

What you wanted was to go to /theInterestingBit and not care about "sessions" because that's something for programmers to worry about not you. That you failed to do so isn't a success condition, it's an error condition.

So don't redirect, instead use HttpServerUtility.Transfer or HttpContext.RewritePath so that the user still goes to /theInterestingBit but that becomes a login page or other appropriate means to start a new session. Make sure the response uses a status-code of 403 so it's appropriately noted as an error page, rather than a "successful" response.

Do this in either global.asax or in an implementation of IHttpModule, in response to the PostAcquireRequestState event (because that is the event that fires after the appropriate session - or lack thereof - has been set). You could also do it in a handler for BeginRequest if you were already doing something there anyway. global.asax is easier to add in quickly, but modules are more easily re-used or set to work for certain sections of an application and not others.