Thursday, January 17, 2008

Session timeout, a tough but important issue for AJAX

I have been working on an ASP.NET web application, in .NET 2.0 using VS2005, that utilizes AJAX Control Toolkit controls to extend the usability of the application. In addition, the application is a serious business application that requires security, including encryption, authentication and authorization. And the HTTP session is an InProc mode session that expires in the default time of 20 minutes.

This of course means that if the user leaves a page on his browser for over 20 minutes the session has expired and any post back to the server will redirect the browser to the sign in page. However, if the page, for example, contains the AutoCompleteExtender control from the AJAX Control Toolkit, the user might get back to his browser and start using the extender's functionality, requiring behind the scene callbacks, but will realize that the control simply doesn't work - no error not redirection to the sign in page!?

How can I fix this? I'm researching... currently looking at this blog by Herr Ziffer about the SessionExpiredMonitor.