
I have built a shopping cart that uses Session State to keep the shopping cart data while the user is browsing the store.

I have an issue where if I leave the browser window open for a long time on step1 of the shopping cart, then press "go to step 2", my actions throw an error because the step2 action assumes the session hasn't expired and the ShopCart object is in the correct state.

I would like this scenario to be nicer for my users, but I think i need to somehow detect if the session has expired so that on next request I can throw them to Step1.

I found the following code that claims to to solve the problem, but it doesn't work for me.

The IsNewSession condition is true but the condition

if ((null != sessionCookie) && (sessionCookie.IndexOf("ASP.NET_SessionId") >= 0)) {
   // handle expired session

always returns false and it never handles the invalid session. I'm confused.

Is this possible in ASP.NET (and MVC)?


3 Answers


Way 1

Put this code in the Init / Load event of Page 2...

        if (Context.Session != null)
            if (Context.Session.IsNewSession)
                string sCookieHeader = Request.Headers["Cookie"];
                if ((null != sCookieHeader) && (sCookieHeader.IndexOf("ASP.NET_SessionId") >= 0))

                    if (Request.IsAuthenticated)
                    Response.Redirect("Error Page");

Way 2

Alternative you can check whether the Session object exists before proceeding to work with it in Page 2, like this:

if (Session["Key"] != null)
   Object O1 = (Object) Session["Key"]; 

The King 's answer does not work for me. I have added FormsAuthentication.SignOut() in OnActionExcuting(). The Response.Redirect will not work!

if (Request.IsAuthenticated)

This is my complete method

public class SessionExpireFilterAttribute : ActionFilterAttribute

        public override void OnActionExecuting(ActionExecutingContext filterContext)
            HttpContext ctx = HttpContext.Current;

            // check if session is supported
            if (ctx.Session != null)

                // check if a new session id was generated
                if (ctx.Session.IsNewSession)

                    // If it says it is a new session, but an existing cookie exists, then it must
                    // have timed out
                    string sessionCookie = ctx.Request.Headers["Cookie"];
                    if ((null != sessionCookie) && (sessionCookie.IndexOf("ASP.NET_SessionId") >= 0))
                        string redirectOnSuccess = filterContext.HttpContext.Request.Url.PathAndQuery;
                        string redirectUrl = string.Format("?ReturnUrl={0}", redirectOnSuccess);
                        string loginUrl = FormsAuthentication.LoginUrl + redirectUrl;
                        if (ctx.Request.IsAuthenticated)
                        RedirectResult rr = new RedirectResult(loginUrl);
                        filterContext.Result = rr;



You need to create the Session_OnEnd method In Global.asax.cs file in your project.

this is my code and I am able to Detecting Session expiry on ASP.NET MVC

protected void Session_OnEnd(object sender, EventArgs e)
    int userid = 0;
    userid = Convert.ToInt32(Session["UserID"]);
    if (userid != 0)
        var userActivity = DependencyResolver.Current.GetService<IUserRepo>();
        var responce = userActivity.LogOutUsers(userid);
        if (responce == true)
