I’m using ASP.NET Session State to keep track of logged in users on my site.
However, one problem I’m running into is that by default ASP.NET session cookies are set to expire when the browser closes.
I’ve tried setting my own ASP.NET_SessionId cookie and modifying the cookie’s expiry using something similar to the following code:
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(1);
None of these approaches work, they all set a second cookie with the same name.
Is there a way of changing the session cookie’s expiry?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Based on links in Joe’s answer, I figured out this approach:
public void Application_PostRequestHandlerExecute(object sender, EventArgs e)
{
UpdateSessionCookieExpiration();
}
/// <summary>
/// Updates session cookie's expiry date to be the expiry date of the session.
/// </summary>
/// <remarks>
/// By default, the ASP.NET session cookie doesn't have an expiry date,
/// which means that the cookie gets cleared after the browser is closed (unless the
/// browser is set up to something like "Remember where you left off" setting).
/// By setting the expiry date, we can keep the session cookie even after
/// the browser is closed.
/// </remarks>
private void UpdateSessionCookieExpiration()
{
var httpContext = HttpContext.Current;
var sessionState = httpContext?.Session;
if (sessionState == null) return;
var sessionStateSection = ConfigurationManager.GetSection("system.web/sessionState") as SessionStateSection;
var sessionCookie = httpContext.Response.Cookies[sessionStateSection?.CookieName ?? "ASP.NET_SessionId"];
if (sessionCookie == null) return;
sessionCookie.Expires = DateTime.Now.AddMinutes(sessionState.Timeout);
sessionCookie.HttpOnly = true;
sessionCookie.Value = sessionState.SessionID;
}
This code can be inserted in Global.asax.cs.
Method 2
I would suggest you use FormsAuthentication to track logged in users. You can use a persistent FormsAuthenticationCookie to achieve what you want.
Or if you really want to use Session State, try this technique.
Method 3
Just a guess: Maybe editing the session.configuration inside the web.config could change the cookie-expiration? You can take a look here?
Method 4
I think trying to keep session alive for a long time is the wrong approach and limits your scalability. The session cookie is pointing to a specific session that’s being maintained by IIS on the server. In general, you want session to close after the user closes their browser so as to not consume all of the available server resources for inactive users. You want session for a departing user to close and the resources made available to a new arriving user. That’s why the session cookie expires.
If you want to maintain some user state after the user closes their browser, you can always look at something like Profile. Or, if this is for something like a shopping cart, you can persist your shopping cart in a database and then reconnect that to the user when they log on again.
Method 5
Tom’s answer almost worked for me, except for casting the cookie into a variable and setting its properties. I had to set the properties of the object directly like so:
HttpContext.Current.Response.Cookies["ASP.NET_SessionId"].Expires = expiryDate; HttpContext.Current.Response.Cookies["ASP.NET_SessionId"].HttpOnly = true; HttpContext.Current.Response.Cookies["ASP.NET_SessionId"].Value = sessionState.SessionID;
I still cast the cookie into a variable to check if it’s null, and return if so.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0