A co-worker of mine recently discovered an interesting session timeout issue in one of the MVC application he is developing. In the application, he used the Meta Refresh tag to redirect to a Sign Out page which destroys the session state and authentication cookies. He noticed that sometimes it just would not work. If you have a browser with only one tab, it worked most of the time. Multiple tabs seemed to increase the possibility of it not doing anything.
<head runat="server"> <meta http-equiv="Refresh" content="1140;url=/Authentication.mvc/SignOut" /> </head>
He was a bit surprised when researching this to find out that apparently using Meta Refresh to expire session state is discouraged:
As a test, He added the following delayed function to the $(document).ready JQuery function (sort of similar to the Body OnLoad event, except that it fires after all loading is complete):
$(document).ready(function () { setTimeout(function () { var $viewDialog = $('<div></div>') .html('Session has exceeded inactivity timeout. <br />Redirecting you to the logon page.') .dialog({ autoOpen: false, title: 'Session timed out.' }); $viewDialog.dialog('open').delay(15000).fadeOut(function () { $(this).dialog('close') }); "document.location='https://application.domain.url/Authentication.mvc/SignOut';" }, 1100 * 1000); });
The nice thing about this function is that before redirecting, it displays a dialog for a few seconds just in case the end-user notices what is happening. After making this change, the pages seem to timeout and redirect to the Sign Out page much more reliably.