Ref: http://msdn.microsoft.com/en-us/library/vstudio/ms178581(v=vs.100).aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
A session is considered active as long as requests continue to be made
with the same SessionID value. If the time between requests for a
particular session exceeds the specified time-out value in minutes,
the session is considered expired. Requests made with an expired
SessionID value result in a new session.
I want to make sure I understand that paragraph correctly. From that I read that ASP.NET Sessions work on a Sliding rule, not an absolute rule. That is, a Session will expire 20 minutes after the LAST request to the session (assuming the 20 min default here for argument's sake), not absolutely 20 minutes later from the start of the session regardless of request/session activity? I got that right?
Yes, you understood it right.
As the docs say, each request to the session will reset the 20 min countdown.
Related
I have an ASP.NET MVC application. I have the following:
<sessionState timeout="60" />
My question is that if a user goes on a page and takes more than 60 minutes to fill out all the fields on the page, will that constitute a timeout? What constitutes a timeout? Does a user need to go through different pages so timeout will not happen?
Simple answer is - Yes, a person taking more than the timeout (60 minutes in your example) on the same page would cause a timeout.
Session is server side, so if no requests are sent to the server for the timeout period - the session will expire and all the saved session variables will be lost.
To complicate things a little bit, if your page is making AJAX calls to the server - those could keep the session alive without navigating to a different page.
Session data is stored for 60 minutes from the last request. So, if you access a page and something is stored as session data for you, it will be automatically removed after 60 minutes unless you have made a new request within this time period.
You shouldn't try to use sessions to store data for long periods of time.
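// Store the user in session state.
var user = Db.GetUser();
Session["User"] = user;
// On a later request, read it back; the result is null once the session has expired.
var user = Session["user"] as List<User>;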
I can assume you are looking for session expiration time.
This is a link to HttpSessionState collection
And you can change the time through your code as well:
Session.Timeout = 200; //in minutes
BTW: more information about sessions
Regarding the comments, max time cannot be more than 525600 minutes, so:
Session.Timeout = 525600;
Or through web config (that is easy BTW) as mentioned in the links
But you have to take into account that all sessions will then be in the server memory, and at some point IIS will recycle the app pool. And you will lose all sessions, even the active ones. And moreover, you will face huge performance issues as well.
I would not recommend keeping the session long. Just check whether the session has expired, then call the DB again.
My site uses ASP.Net MVC 5.2.2 and ASP.Net Identity 2.1.0. In CookieAuthenticationOptions I set the ExpireTimeSpan to 30 minutes and the security stamp validation interval is set to 2 minutes (so that users will be booted out within two minutes of a call to UserManager.UpdateSecurityStampAsync).
The problem is that if users remain idle for longer than 2 minutes and then click on the Sign Out button, the site fails to log them off. After a bit of sleuthing, I found that in these cases the server returns a new application cookie (the cookie sent to the server was different than the one returned from it). What seems to be happening is that the OWIN code misses the call to AuthenticationManager.SignOut and goes ahead with the generation of a new application cookie, as it normally would have in cases where the old one is more than two minutes old.
Has anybody else encountered this issue? Any suggestions on how to diagnose and fix?
I am using VS 2013 Update 3, but this issue existed with previous versions of Identity.
UPDATE:
As an experiment, I created a brand new ASP.NET Web Application project with the VS 2013 Update 3 templates and noticed the exact same issue: I logged in and then waited for an amount of time equal to the security stamp validateInterval (by default, 30 minutes). After that I clicked the Log Off link and noticed that, just like in my own project, a) I was not logged out, and b) a new security stamp cookie was issued to me. I had to click the link a second time to be logged out. In fact, I didn't even need to sit idle for 30 minutes: I could keep making requests during that period and the click to the log out button would still fail, as long as it was the first request after the 30-minute interval expired.
This seems to be a bug in the OWIN identity code. Basically, if the first request after the validation interval is a signout request, it fails, because the code that validates and issues a new security stamp does not check if the user has logged out as part of the same request. Log out requests will fail, as long as they are part of a request that would cause the re-issuance of the security stamp -- i.e. the first request that is after validationInterval minutes since issuance of the previous security stamp.
I would appreciate it if somebody could confirm this behavior. You don't have to wait 30 minutes and do not have to create a new project. Just take an existing project that uses Identity, temporarily set the validation interval to something really short (30 seconds or a minute), log in, and ensure that the first request after the interval expires is a click on the Logout button. If this is a bug, you should notice that you are still logged in.
I also experienced the same issue.
I resolved the issue by changing my AuthenticationManager.SignOut to specify an authentication type as follows:
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie, DefaultAuthenticationTypes.ExternalCookie);
Also, your OWIN components should be on version 3.0.0 (which should be the case, since you're using Identity 2.1.0).
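The setup from the question and the sign-out change from this answer, put together as an added example (not code from either poster) for reproducing the behaviour and checking the fix. `ApplicationUserManager`, `ApplicationUser`, `GenerateUserIdentityAsync`, the `/Account/Login` path and the `Index`/`Home` redirect are assumed from the default Visual Studio template; the two intervals are the ones given in the question.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Assumes the template's CreatePerOwinContext registrations for the
    // user manager have already run before this method is called.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            Provider = new CookieAuthenticationProvider
            {
                // Security stamp is re-validated every 2 minutes. Per the question,
                // the first request after this interval gets a re-issued cookie.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(2),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Name the cookie authentication types explicitly, as the answer does.
        HttpContext.GetOwinContext().Authentication.SignOut(
            DefaultAuthenticationTypes.ApplicationCookie,
            DefaultAuthenticationTypes.ExternalCookie);
        return RedirectToAction("Index", "Home");
    }
}
```

To check it, log in, wait past the 2-minute interval, make Log Off the first request, and confirm the response clears the application cookie instead of issuing a new one.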
I need to set a cookie which expires after 4 hours. Now, the users can reside in multiple timezones. So, if I set the cookie in Rails and set expiry based on server time, would it lead to invalid expiry times for some users, or does Rails handle this issue, or do browser cookies themselves handle this issue? Should I set this cookie in JavaScript, so that the user's browser time is taken to set the expiry?
Thanks!
I think you want to expire the cookie 4 hours after it was set. You just need to specify a time that is 4 hours ahead of the current time. There is no concern with timezone. Because 4 hours is the same for all timezones :P
cookies[:login] = { value: "XJ-122", expires: 4.hour.from_now }
Source
I have a fairly simple web app that uses cookies to store some information about the user and to authorize them on each request. When the user first logs into the site a cookie is created and some encrypted information is stored in there, the expiration is set for the current time plus 24 hrs.
What I want to achieve is that whilst a user is moving through the web app their expiration date is constantly being increased to be 24 hrs from the current time.
What is the best way to do this? Should I be using an attribute on the controller?
You could write a custom action filter that will execute before each action. This filter will read the cookie from the request and set a new cookie with the same name and value but with a new expiration date.
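One way to write the filter this answer describes, as an added example rather than the answerer's code. It assumes ASP.NET MVC (`System.Web.Mvc`), a hypothetical cookie name `auth`, and the 24-hour lifetime from the question.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Re-issues the existing cookie on every action so its expiry slides forward.
public class SlidingCookieAttribute : ActionFilterAttribute
{
    private const string CookieName = "auth"; // hypothetical name, not from the page
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(24);

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpCookie incoming = filterContext.HttpContext.Request.Cookies[CookieName];
        if (incoming == null || string.IsNullOrEmpty(incoming.Value))
        {
            return; // no cookie on this request: nothing to renew
        }

        // The browser sends back only name=value, so the expiry and the
        // HttpOnly/Secure flags have to be set again on the renewed cookie.
        var renewed = new HttpCookie(CookieName, incoming.Value)
        {
            Expires = DateTime.UtcNow.Add(Lifetime),
            HttpOnly = true,
            Secure = true
        };

        // Set() replaces any cookie of the same name already queued on the response.
        filterContext.HttpContext.Response.Cookies.Set(renewed);
    }
}
```

Apply it with `[SlidingCookie]` on a controller or register it in `GlobalFilters.Filters`. The `Expires` value only tells the browser when to discard the cookie, so any expiry the server checks inside the encrypted value has to be refreshed where that value is produced.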