36
votes

I'm doing some black-box testing of an ASP.NET website and I need to test different session timeout scenarios.

I'm not sure they fully encapsulated session timeouts. Other than leaving a page open for 20 minutes, is there an easier way to force a session timeout?

10
When you say black box testing, I assume that means you have no access to code, config files nor IIS? :) - John Rudy
Not answering the OP's question, but related: If you only need to test the behavior when time-out is correct or not, just restart the server after logging in. The old session will be invalid. - Hoàng Long

10 Answers

73
votes

Decrease the timeout

The easiest and most non-intrusive way to test this is probably to just decrease the timeout to a fairly small number, such as 3 or 5 minutes. This way you can pause for a few minutes to simulate a longer pause without worrying about application restarts or special reset code having any effect on your test results.

You can modify the session state timeout in a few locations - globally (in the web.config located in the config folder for the applicable .NET framework version), or just for your application.

To modify the timeout just for your application, you can add the following to your application's web.config:

  <system.web>
    <!-- session idle timeout, in minutes -->
    <sessionState timeout="60" />
    ...
  </system.web>

Alternatively, you can also modify this same setting for your application through an IIS configuration dialog (I believe you still need to have a web.config defined for your application though, otherwise Edit Configuration will be disabled).

To access this, right-click on your web application in IIS, and navigate to Properties | ASP.NET tab | Edit Configuration | State Management tab | Session timeout (minutes).

Note that you can also manipulate this setting through code - if this is already being done, then the setting in the web.config file will effectively be ignored and you will need to use another technique.

Call Session.Abandon()

A slightly more intrusive technique than setting a low timeout would be to call Session.Abandon(). Be sure to call this from a page separate from your application though, as the session isn't actually ended until all script commands on the current page are processed.

My understanding is that this would be a fairly clean way to test session timeouts without actually waiting for them.

Force an application restart

In a default configuration of session state, you can simulate a session timeout by blowing away the sessions entirely by causing the application to restart. This can be done several ways, a few of which are listed below:

  • Recycle the app pool through
    • the IIS MMC snap-in
    • the command-line (iisapp /a AppPoolID /r)
    • modifying web.config, global.asax, or a dll in the bin directory
  • Restart IIS through
    • the IIS MMC snap-in
    • services.msc and restarting the IIS Admin service
    • the command-line (iisreset)

When I mention "default configuration", I mean a web application that is configured to use "InProc" session state mode. There are other modes that can actually maintain session state even if the web application is restarted (StateServer, SQLServer, Custom).

Tamper with the state tracking mechanism

Assuming your web application isn't configured with a "cookie-less" mode (by default, cookies will be used), you could remove the cookie containing the session ID from the client browser.

However, my understanding is that this isn't really simulating a time-out, as the server will still be aware of the session, it just won't see anyone using it. The request without a session ID will simply be treated as an unseen request in need of a new session, which may or may not be what you want to test.

9
votes

Add a page to the site and call Session.Abandon()
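A test-only page of the kind described in this answer and in the "Call Session.Abandon()" part of the answer above, shown as an added example that is not code from the original posts. The file name ForceExpire.aspx and the `mode` query parameter are assumptions made for illustration; the page only responds when the application is compiled with debugging enabled, so it does nothing if it is deployed by mistake.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Test-only helper page (hypothetical name: ForceExpire.aspx).
    //   ?mode=abandon  -> end the current session once this request completes
    //   ?mode=short    -> shrink the idle timeout of the current session to 1 minute
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only answer when <compilation debug="true"> is set, so a copy left
        // on a production site cannot be used to end users' sessions.
        if (!Context.IsDebuggingEnabled)
        {
            Response.StatusCode = 404;
            return;
        }

        // "mode" is a hypothetical parameter name chosen for this example.
        string mode = Request.QueryString["mode"] ?? "abandon";
        string sessionId = Session.SessionID;

        if (mode == "short")
        {
            // Session.Timeout is in minutes and is set here through code,
            // overriding the web.config value for this session.
            Session.Timeout = 1;
        }
        else
        {
            // The session is not destroyed until this page has finished
            // executing, which is why this lives on a separate page.
            Session.Abandon();
        }

        // Plain-text report so the tester can note which session was affected.
        Response.ContentType = "text/plain";
        Response.Write("mode=" + mode + "\n");
        Response.Write("sessionId=" + sessionId + "\n");
        Response.Write("isNewSession=" + Session.IsNewSession + "\n");
        Response.Write("timeoutMinutes=" + Session.Timeout + "\n");
    }
</script>
```

Request this page in one tab, then reload the page under test in another tab of the same browser and check that it redirects to the login page rather than rendering with missing session data.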

5
votes

The easiest way would be to open the page in two different tabs; logging out in the other tab would automatically expire the session in the first tab. Most browsers share the session across tabs, so I find it very easy without modifying anything in web.config. This way you could test even if a particular feature is not handling the redirect to login when the session expires.

4
votes

Bounce the AppPool and session will be lost.

If you don't have direct IIS access, you can open and save Web.Config to do the same thing (don't use Notepad, it screws up the encoding).

3
votes

Make a shorter timeout.

3
votes

You can change the timeout in your web.config:

 <authentication mode="Forms">
      <forms timeout="10" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies"/>
 </authentication>

2
votes

If you are storing your session information in a cookie, you could try deleting your cookies.

1
votes

Recycle the app pool on the server.

0
votes

You have two options:

1. Decrease the session timeout in web.config.
2. Restart IIS or the application pool.

0
votes

I usually use the ASP.NET session state server. Apart from other benefits during development, I can simply restart the ASP.NET state service to abandon the session. If you're using the state server, simply run services.msc and restart the "ASP.NET State Service".