user145400

Reputation: 1084

Is it possible to detect a session timeout?

As part of our security audit, we have to ensure that when a user logs out we clear the session ID (not just the session) and use a new session ID.

However, currently if a user's session simply times out, the session ID is re-used for the next session.

Is there any way to detect if a session has timed out, and create a new session ID at that time?

Upvotes: 0

Views: 157

Answers (2)

user145400

Reputation: 1084

There is this method: http://www.codeproject.com/Articles/21156/ASP-NET-HttpModule-for-handling-session-end-with-S

But it does not work in our case since we are using a server farm.

Instead I ended up using NWebsec.SessionSecurity (https://www.nuget.org/packages/NWebsec.SessionSecurity/) and it handled all of that out of the box.

Upvotes: 0

Jason Meckley

Reputation: 7591

Here is an article on session ID reuse: https://support.microsoft.com/en-us/kb/899918.

Adding this code to either the logout or session_end methods

Session.Abandon(); 
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")); 

And in Web.config

<sessionState regenerateExpiredSessionId="true"></sessionState>

I haven't had a need for this; however, it seems like this is at the very least a good starting point for you.

Upvotes: 2
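
As an added example (not code from either answer or from NWebsec), the sketch below detects a timed-out session in `Session_Start`, which is raised in every session-state mode, whereas `Session_End` is raised only in InProc mode and so is no help on a server farm. It then applies the abandon-and-clear-cookie step from the answer above so the next request is issued a fresh ID. Assumptions: a Web Forms `Global.asax.cs`, the default cookie name, and a hypothetical `~/Login.aspx` page.

```csharp
// Global.asax.cs (added example; LoginUrl is a hypothetical path)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Default name; change it if <sessionState cookieName="..."> is configured.
    private const string SessionCookieName = "ASP.NET_SessionId";
    private const string LoginUrl = "~/Login.aspx"; // assumption, not from the page

    protected void Session_Start(object sender, EventArgs e)
    {
        // Read the raw header rather than Request.Cookies: cookies added to the
        // response during this request are mirrored into Request.Cookies, which
        // would make a first visit look like a returning browser.
        string cookieHeader = Request.Headers["Cookie"];
        bool browserSentSessionId =
            cookieHeader != null &&
            cookieHeader.IndexOf(SessionCookieName + "=",
                                 StringComparison.OrdinalIgnoreCase) >= 0;

        // A new session started for an ID the browser already held means the
        // previous session under that ID has expired (or was abandoned).
        if (!(Session.IsNewSession && browserSentSessionId))
        {
            return; // genuine first visit: the ID was just generated
        }

        // Drop the server-side state and expire the stale cookie so that the
        // next request carries no ID and ASP.NET generates a new one.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie(SessionCookieName, "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        });

        // Send the user to re-authenticate without aborting the thread.
        Response.Redirect(LoginUrl, false);
        CompleteRequest();
    }
}
```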
