Session Expired Redirect

acdsky · July 19th, 2004, 08:18 AM

Hi

I have got a login page that sets a session variable (AUTH=True) after a user has been logged in sucessfully and the redirects them to Default.asp. This asp page is included on all pages that I need to secure. If the session has timed out (+-20min) the user is redirected again to the login page. How do I get them to login again and redirect them to the URL they were comming from instead of the defualt page?

Any ideas.

Regards
Marnus

bmains · July 19th, 2004, 02:55 PM

Hello,

How are you redirecting? If you are redirecting from session_end, how about tracking the last page (server variable HTTP_Referer) in it (through session or querystring) and store that and redirect based on that.

Brian

acdsky · July 19th, 2004, 03:30 PM

Hi

At the moment when the session automaticly ends as per IIS default it clears the "AUTH=True" session variable I create uppon login. So if the session expires by default, the include file redirects the user back to login.asp Because AUTH is no longer = True (on refresh or next click)

I am not using any methods with sessions to do this. I assume if I use the HTTP_Referer server variable on everypage I need to get it before the session is cleared as this value would also be cleared once the session has died.

Then I assume i need to keep this client side and cary some URL string variable accross pages...Would this be the correct way of thinking? Or would I be able to get the "last URL" variable once the session has expired?

Thanks for your reply. I appreciate anymore sugestions.

Regards
Marnus

happygv · July 19th, 2004, 09:48 PM

I am not sure if one can redirect using Session_onEnd, though it can be done, for some reason it doesn't work for me, I haven't played around it enough.

Any page you navigate to, the Server variable - HTTP_REFERER will have the URL of previous page(you came from) as its value. Though you abandon your session, these are still available.

Once the session timed out and the user is redirected to the login page, how do you notify the user that the session timed out? I assume you pass some querystring that you request on login page and based on that you show a message saying "Session expired, re-login." If so...

Then follow this way.

Code:

If Request.Querystring("Timedout")="yes" then URL=Request.ServerVariables("HTTP_REFERER")
...
...
<input type=hidden name="URL" value="<%=URL%>">

On the login page store the URL of previous page in a hidden field and once the user logs in, request for form variable URL on the page where it gets submitted and if URL not empty, redirect to that value, else land him on the default page after login.

Hope that helps.
Cheers!

_________________________
- Vijay G
Strive for Perfection

mallikarjun.jonnalagadda · January 11th, 2006, 03:51 AM

Hi acdsky

I am having problem in redirecting page to login page when the session is expired can you please explain me with code that how you redirected to the login page when session got expired. Your help is greatly appreciated. Thank you

Mallik

Lasse Bunk · January 11th, 2006, 06:26 PM

HTTP_REFERER is not always safe to use, as not all browsers send this variable. My suggestion is to put the following code in your login-check include file:
----
strRedirect = Request.ServerVariables("URL") & "?" & Request.QueryString
Response.Redirect "/login.asp?redirect=" & Server.URLEncode(strRedirect)
----

And in your login file:
----
strRedirect = Request("redirect")
If strRedirect = "" Then strRedirect = "/default.asp?auth=true"
' Login goes here
Response.Redirect strRedirect
----

Lasse

mat41 · January 11th, 2006, 07:07 PM

There are many ways to skin a cat, here is a simple but effective way.

1..When your user logs in set a session variable, EG:
session("loggedIn") = "y"

2..Then in the head of every page you would like to detect 'are they logged in' place
<%
  if session("loggedIn") <> "y" then
     response.redirect("loginPageName.asp?ses=exp")
  end if
%>

Now further down the page you may wish to show a warning, EG:

<%
   if trim(request.querystring("ses") = "exp" then
      response.write "Your session has expired, you are required to log into the ayatem again"
   end if
%>

This also prevents people from saving a page to thier favourites after logging in and trying to hit the page without logging in again. The only way to set the session variable session("loggedIn") to "y" is to log in.

Wind is your friend
Matt

osavioro · August 28th, 2006, 03:24 AM

mat41 if U do it that way and if user wishes to remain anonymous i.e. to view free content it will always get the exp_ses message ... maybe this is not the right way or U R missing something important !

I have similar problem. I am trying to detect expired session so I can display error message. I tried several method but none successfull.