What is the best way to redirect to the login page when the session expires. I'm using

sessionState mode="InProc"

Can I set this in the web.config file?

The trick to remember about the session expiration is that this happens in the the worker process running behind the scenes and there is no direct way to notify the user without going back to the server to check the state of things.

What I do is I have the page register a Javascript block that will redirect the user to the login page again after the designated timeout:

Page.ClientScript.RegisterStartupScript(Me.GetType, "TimeoutScript", 
"setTimeout(""top.location.href = '~/Login.aspx'""," &
 ConfigurationManager.AppSettings("SessionTimeoutMilliseconds") & ");", True)

You'll notice that I have the actual milliseconds stored in my web.config file so that I can adjust the timeout length as needed.

Using this, combined with the typical Session_End event in the Global.asax file makes a pretty clean way of handling session timeouts in my web apps.

Kind of a late reply, but, if you're using the standard asp.net membership provider you could also use the config below.

The basic idea for this is to have your authentication cookie + session expire at the same time. The automatic behaviour of asp.net would be to take you back to the defined login page. The "slidingExpiration" attribute on the auth cookie would need to be 'true' to keep extending it's life while the session is active.

<system.web>
  <sessionState mode="InProc" cookieless="false" timeout="20" />
  <authentication mode="Forms">
    <forms name=".SAMPLESITEAUTH" loginUrl="~/Login.aspx" protection="All" timeout="20" slidingExpiration="true" path="/" cookieless="UseCookies"></forms>
  </authentication>
</system.web>

One option instead of setting a client side timer to blindly redirect, is to have the timer hit a small webservice which could indicate if the user should be redirected. What this does is give you a lot more flexibility you could redirect a user under many cases including:

• Session Expired
• Same user account logged in from another machine
• Site is going into to maintneance mode and you want to kick users out.

I've used this method with a lot of success, for handling multiple user accounts. As for handling session you'd prolly want to listen for the session timeout even then store in a hash table whose session timed out.

When that user calls the web service you remove them from the hash and tell the client code to redirect them.

Another nice thing about this type of system is you can track when the browser hits the server, so you can get a better sense of who is still online.

EDIT

In Response to Comment Bellow:

I don't think calling a public method would be cleaner. As soon as you do this you make an assumption that all pages share a single master page or common base class. I wouldn't want to make that assumption. Additionally, if you intend to use the PageMethods approach this won't work since PageMethods must be static.

I'm not exactly sure what your intention is but if you were going to call this method on each request then I would do that using a http module and hook into the pipeline; however, this only works when a request is made. By using a web service with a client side timer you can redirect the user even if they are not making any requests.

Can you tie into the Session_End event in the Global.asax file?

Bellow Answer is the best example ever and ever......

Better to try this way:

Page.ClientScript.RegisterStartupScript(Me.GetType, "TimeoutScript", "setTimeout(""top.location.href = '~/Login.aspx'""," & ConfigurationManager.AppSettings("SessionTimeoutMilliseconds") & ");", True)

You'll notice that I have the actual milliseconds stored in my web.config file so that I can adjust the timeout length as needed.

Using this, combined with the typical Session_End event in the Global.asax file makes a pretty clean way of handling session timeouts in my web apps.

Regards, Nagaraju R || Dell PerotSystems ||