0

In startup.cs I configure session with no timeout

services.AddSession(options =>
        {
            //options.IdleTimeout = TimeSpan.FromSeconds(10); no time out
            options.Cookie.HttpOnly = true;
            options.Cookie.IsEssential = true;
        });

How can I change that timeout programmatically in a controller? Is there a way to set a timeout for one specific session variable? if not how can I achieve a form session where after a certain time the form wont take submission and redirects to the home page?

Improve this question

1 Answer 1

Reset to default
1

No, you can not alter session timeout in the controller. If you want to ensure that a form can not be submitted at some time after it has been rendered then you can do the following:

If you are using sessions:

  1. When user requests a form (view) then store the current date and time in the session
  2. When user submits that form then read the current date and time from the session and compare it to current date and time. If too much time has passed (or the session has expired, in which case the date and time in the session no longer exist) then simply re-display the original view (with maybe some label or something that the user took too much time)
    Note: You want to make sure that the session timeout is greater than the time you have specified when the form starts to become too old. For example if the user can not submit after 20 minutes then your session timeout should at minimum be 20 minutes.

If you are not using sessions:

  1. When user requests a form (view) then store the current date and time in a hidden <input type=hidden> field within the returned view
  2. When user submits that form then read the current date and time from the input and compare it to current date and time. If too much time has passed then simply re-display the original view (with maybe some label or something that the user took too much time).
    Note: In general this is not a safest thing to do because the user can alter the date/time in the hidden field via browser tools but it might be good enough for you.
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

One issue with this method is what if the user changes the time on their device? For more secure submissions this could be actually an issue right?
@iamaaarianme With the second method the user can change the time within the document by using browser tools. However the initial and later retrieval of current date and time both happen on server. The current time of the users computer does not affect anything.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.