ASP.NET mixed Windows/Forms authentication problem with session objects


Weird problem here: we're running a few mixed-environment web applications that use Windows or Forms authentication depending on where the user comes from.

I'm curious how everyone else might be handling expired sessions to avoid the errors you would get from someone leaving an idle session open for too long and then trying to resume work. I'm mainly looking for best practices on the subject.

Any suggestions or opinions would be greatly appreciated.

Thanks,

2

There are 2 best solutions below

3
AaronS On BEST ANSWER

I'm not sure how your authentication method affects session timeouts; the mechanism they use to get in shouldn't affect how long they can stay in.

Generally speaking, if someone does have an expired session, you can add code to check to see if their session is active. If it isn't, just redirect them to a login page, or display some other friendly text.

Basically something like:

if (Session.IsNewSession)
    Response.Redirect("login.aspx");

0
eglasius On
  • Don't store unnecessary information on the session.
  • If you are storing something you can reload, have the appropriate code that will reload it if it wasn't found in the session.
  • Consider if some processes are meant to be handled in long periods of time, in which case save intermediate info to the database.
  • If the user is doing a process that uses the session, and the data is missing, take them to step 1 (not much you can do about it, if you don't have the info elsewhere).
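
The suggestions in the two answers above, combined into one System.Web helper as an added example (not code from either answer). It assumes session state is enabled and the default session cookie name is in use; `UserProfile`, `SessionGuard` and the `loadProfile` callback are hypothetical names.

```csharp
using System;
using System.Web;

// Hypothetical names throughout: UserProfile, SessionGuard, loadProfile.
[Serializable]
public sealed class UserProfile
{
    public string UserName;
}

public static class SessionGuard
{
    // Default cookie name; differs if <sessionState cookieName="..."> is set.
    const string SessionCookie = "ASP.NET_SessionId";
    const string ProfileKey = "profile";

    // The browser still sends a session cookie but the server had to start a new
    // session: the old one timed out. A first visit sends no session cookie.
    public static bool SessionExpired(HttpContext ctx)
    {
        return ctx.Session != null && ctx.Session.IsNewSession
            && ctx.Request.Cookies[SessionCookie] != null;
    }

    // Reloadable data: rebuild it from the authenticated identity when it is missing
    // or belongs to a different user than the one on this request.
    public static UserProfile GetProfile(HttpContext ctx, Func<string, UserProfile> loadProfile)
    {
        if (!ctx.Request.IsAuthenticated) return null; // caller redirects to login
        string user = ctx.User.Identity.Name;
        var profile = ctx.Session[ProfileKey] as UserProfile;
        if (profile == null || !string.Equals(profile.UserName, user, StringComparison.OrdinalIgnoreCase))
        {
            profile = loadProfile(user);
            ctx.Session[ProfileKey] = profile;
        }
        return profile;
    }

    // Multi-step process whose state lived only in the session: back to step 1.
    public static bool EnsureStepState(HttpContext ctx, string key, string stepOneUrl)
    {
        if (ctx.Session[key] != null) return true;
        ctx.Response.Redirect(stepOneUrl, false);
        ctx.ApplicationInstance.CompleteRequest();
        return false;
    }
}
```

The Forms authentication ticket and the session time out independently, so `GetProfile` keys on the authenticated identity rather than on the session still being present.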