dynamic session timeout

Can I change the session timeout dynamically? The timeout must be set according to the user role. I tried to use co开发者_JS百科nfigure::write to change the timeout dynamically but it doesn't work. it seems that for the new session timeout to take efect, you have to reset the session, but resetting the session will loss the login info.

I think using something like the following after you check role membership will get you what you want.

HttpContext.Current.Session.Timeout = 1200;

I think you are right when saying you can't change the session timeout after it has been created, maybe you could look at regenerating one with a new timeout.

But maybe a more easy solution would be to use javascript, you could set a timeout value and when it runs out send an ajax request logging the user out. This obviously won't work if a user disables javascript but it depends on how secure you want this to be.

Rather than changing the session timeout, have you considered using a variable in the session to store the date/time of the last pageload, so that you can check it on the next pageload?

You could add some code to the beforeFilter() method in AppController to calculate the amount of time elapsed between the last pageload (stored in the session) and now, and if this is greater than the session length for your specified user role, destroy the session. If not, store the current date/time in the session, so that it can be used next time.