I have got a doubt. Can u pls clarify it asap.
I would like to redirect the user to login page, when session is timed out. Can we use executionTimeout method of httpRuntime object in the web.config file. Please send me a reply asap with an example. Also is there any other method with which i could achieve this.
There are two things which we need to consider here. We will talk about Forms authentication, the commonly used one. When a user logs in, we set FormsAuthentication Cookie and set its expiration to say N minutes. So the cookie will die in N minutes. In your web.config you will have Session Timeout to be same M minutes (usually 30 minutes, can be found in web.config file). First thing we need to do it make sure N=M (Yes, both should be same. Say N=M=30 minutes). Now next thing to look at is Session. Whenever we as a user makes a request to application, the Session slides (in other words Web Server will extend the expiration time to another M minutes). But by Default Forms Authentication will not. So if you have user who logged into system at 10:00AM, so his FormsAuthenticationTicket has expiration of 30 minutes and session is 30 minutes as well. User does nothing, so both session and FormsAuthenticationTicket will expiry at 10:30. But user now makes a request to Server at 10:29AM. Sever will now extend Session till 10:59AM, but FormsAuthenticationTicket is still at 10:30, so user will now be logged out at 10:30AM (we still have all session variables). Now our step is to align these both. Web.Config has
tag which has a property called slidingExpiration. We need to set this to true. Doing so will extend the FormsAuthenticationTicket for another N (30)minutes. As both Session and FormsAuthenticationTicket wil behave in same we wont have any troubles with the expirations anymore.
Having said that, there is a slight problem here. Whenever we redeploy the Application in Live, the whole Application restarts, killing all Sessions, but not the FormsAuthenticationTicket (as it is stored in client side). It is good idea to get clients off the application, when we are doing a deployment. But if we cant do that, we have to do a check in Global.asax file for PreRequestHandlerExecute or BeginRequest method to see if (Session.IsNew is true and User.IsAuthenticated = true) then we Signout the user and throw them to Login.aspx.