Session State Timeout

How to force timeouts in a SharePoint intranet site when using Windows Authentication



Security for my SharePoint web site depends on Windows authentication. Our workstations are members of the authenticating domain; our users log in to the domain when they access their workstation. The SharePoint web server is also a member of the same domain.

One reason I’m blogging this is because I hope to get any misunderstandings I have cleared up by good comments.

I was not able to find any setting – in IIS, web.config, any SharePoint site setting, etc. – that would force a timeout when you use Windows authentication. I found posts recommending that people use forms authentication if they really wanted to enforce timeouts.


So, why would anybody want timeouts if they are already secured by Windows authentication? I think it’s something like the distinction between security and security theater.

We had a problem where our users put up a number of Microsoft Office documents, and then each time they attempted to open a doc, they got a Windows authentication challenge. Then after they eliminated those by putting the SharePoint site into their IE “local intranet sites” group, they never had to log in again. That made them feel uneasy – like the site was wide open to the world. (And they had also themselves specifically permitted a huge group of 10,000 users to access the site without realizing what they had done.) So I wanted to make the site “feel” more secure by issuing some challenges after a timeout period.

Here’s how I did it, in C# script in my masterpage:

1) Modify Web.config on the server to allow server side scripting in your master page

Go to C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config

Change the path to your master page to match your own site. Keep the VirtualPath as narrow as you can: anyone who can edit pages under it can then run server-side code on the web server.


<PageParserPath VirtualPath="/sites/OIT/_catalogs/masterpage/*" IncludeSubFolders="true" CompilationMode="Always" AllowServerSideScript="true" />

<PageParserPath VirtualPath="/sites/Banner/_catalogs/masterpage/*" IncludeSubFolders="true" CompilationMode="Always" AllowServerSideScript="true" />



2) Copy the following C# code into the master page to maintain a session variable with the time of the last sign in. It creates a session variable to hold the last time you used the web site, since the master page is executed for each page that you access. You set the timeout in the script. If your user leaves her desk for 33 minutes, for example, and then comes back and clicks on something, the master page will refresh, the timeout code will see that the session should expire, and it sends the user over to a page which forces her to log in again.

<script language="C#" runat="server">

// ********************************************************************************
// CONFIGS – not using web.config, using these lines
// ********************************************************************************
Boolean bDebugOn = false; // control Response.Write
Boolean bExecuteAspLoginScript = true; // in my vstudio test project, I don't have the page
int TimeOutSeconds = 1800; // 30 minutes

protected void Page_Load(object sender, EventArgs e)
{
    // the master page runs on every request, so the check runs on every page
    Handle_CheckSessionForTimeout();
}

// ********************************************************************************
// purpose – check the last time
protected void Handle_CheckSessionForTimeout()
{
    try
    {
        String strSession = System.Web.HttpContext.Current.Session["SignIn"] + "";
        if (bDebugOn) Response.Write("Session Value of SignIn Time:" + strSession);
        if (bDebugOn) Response.Write("<br>Current Time:" + DateTime.Now.ToLongTimeString());

        if (strSession == "")
        {
            // store the full date and time ("s" format); a time-only string breaks across midnight
            System.Web.HttpContext.Current.Session["SignIn"] = DateTime.Now.ToString("s");
            Force_A_New_SignIn(); // force login for new session
        }
        else
        {
            // check the time, if it's too long, force a sign in
            DateTime tmSessionPlusTimeout = DateTime.Parse(strSession);
            tmSessionPlusTimeout = tmSessionPlusTimeout.AddSeconds(TimeOutSeconds);
            if (bDebugOn) Response.Write("<br>Session plus TimeOutSeconds:" + tmSessionPlusTimeout.ToLongTimeString());
            DateTime tmNow = DateTime.Now;

            if (tmNow.CompareTo(tmSessionPlusTimeout) > 0)
            {
                if (bDebugOn) Response.Write("<br>timeout expired ********************");
                // set session variable so after a successful login they are permitted
                System.Web.HttpContext.Current.Session["SignIn"] = DateTime.Now.ToString("s");
                Force_A_New_SignIn();
            }
            else
            {
                if (bDebugOn) Response.Write("<br>timeout did not expire:" + tmSessionPlusTimeout.ToLongTimeString());
            }
        }
    }
    catch (Exception ex)
    {
        // an unreadable session value is reset to the current time
        if (bDebugOn) Response.Write(ex.Message);
        System.Web.HttpContext.Current.Session["SignIn"] = DateTime.Now.ToString("s");
    }
}

// ********************************************************************************
protected void Force_A_New_SignIn()
{
    if (bDebugOn) Response.Write("<br>Force_A_New_SignIn ************************************");
    // set it so next time they get to come in
    System.Web.HttpContext.Current.Session["SignIn"] = DateTime.Now.ToString("s");
    if (bExecuteAspLoginScript)
    {
        // ... send the user to the .aspx page that forces a new login ...
    }
    else
    {
        if (bDebugOn) Response.Write("<br>TEST MODE – DON'T EXECUTE THE ASPX PAGE ");
    }
}

</script>
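An added example, not part of the original post: a PowerShell check that lists every PageParserPath entry in a web.config that enables server-side script, as step 1 does, and flags entries that are not confined to a master page gallery. The sample XML (including the "/*" and "/sites/Docs" entries) and the function name Get-ServerSideScriptPath are constructed for illustration.

```powershell
# Constructed sample. On a server, load the real file instead, e.g.:
#   [xml]$config = Get-Content 'C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
[xml]$config = @'
<configuration>
  <SharePoint>
    <SafeMode>
      <PageParserPaths>
        <PageParserPath VirtualPath="/sites/OIT/_catalogs/masterpage/*" IncludeSubFolders="true" CompilationMode="Always" AllowServerSideScript="true" />
        <PageParserPath VirtualPath="/*" CompilationMode="Always" AllowServerSideScript="true" />
        <PageParserPath VirtualPath="/sites/Docs/_catalogs/masterpage/*" CompilationMode="Auto" AllowServerSideScript="false" />
      </PageParserPaths>
    </SafeMode>
  </SharePoint>
</configuration>
'@

# Hypothetical helper: returns one object per path where server-side script is allowed.
function Get-ServerSideScriptPath {
    param([xml]$Config)

    foreach ($node in $Config.SelectNodes('//PageParserPath')) {
        # Skip entries that do not enable inline server-side code
        if ($node.GetAttribute('AllowServerSideScript') -ne 'true') { continue }

        $path = $node.GetAttribute('VirtualPath')
        [pscustomobject]@{
            VirtualPath       = $path
            IncludeSubFolders = $node.GetAttribute('IncludeSubFolders') -eq 'true'
            # True when the path reaches beyond a master page gallery
            Broad             = $path -notlike '*/_catalogs/masterpage/*'
        }
    }
}

# Two rows for the sample: the OIT gallery (Broad = False) and "/*" (Broad = True)
Get-ServerSideScriptPath -Config $config | Format-Table -AutoSize
```

Any row with Broad set to True lets page authors outside the master page gallery run server-side code and is worth reviewing.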









1. The config file of the Central Administration site.

2. The config file of the Web Application.

3. The config file of the STS (SecurityTokenService) Application. This is important because it is this service that will ensure claims tokens are being passed correctly between the provider (in our case AD) and the consumer (CA and our Web Application). Further, we can have multiple providers plugged in. The STS Application manages all of these interactions for us.



<add name="adconn"
     connectionString="LDAP://" />


<membership defaultProvider="admembers">
  <providers>
    <add name="admembers"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>


<add name="AspNetSqlMembershipProvider" connectionString="data source=[Server Name];Integrated Security=SSPI;Initial Catalog=aspnetdb"
     providerName="System.Data.SqlClient" />

master page

1. remove “I liketag”

CA–>System settings –> manage farm feature

2. remove “search/Help”

<td valign="middle" class="ms-globallinks">&nbsp;

<a href="javascript:TopHelpButtonClick('NavBarHelpHome')" AccessKey="<%$Resources:wss,multipages_helplink_accesskey%>" id="TopHelpLink" title="<%$Resources:wss,multipages_helplinkalt_text%>" runat="server"><img align='absmiddle' border=0 src="/_layouts/images/helpicon.gif" alt="<%$Resources:wss,multipages_helplinkalt_text%>" runat="server"></a>




site backup with date format

$date = Get-Date

$path = "c:\IR\45_1133" + [string]::Concat($date.Day, "_", $date.Month, "_", $date.Year, "_", $date.Hour, "_", $date.Minute, "_", $date.Second) + ".bak"

Backup-SPSite "http://spserver:1133/" -Path $path -Force


enable session state services


Ensured the “State Service” service application is running.

Added the System.Web.SessionState.SessionStateModule http module to my application’s web.config file.

Added the System.Web.SessionState.SessionStateModule http module to my SharePoint root web.config file.

Added <pages enableSessionState="true" /> to my application’s web.config file.

Added <pages enableSessionState="true" /> to my root web.config file.

reference site


Remove Personalize this page


Sol: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\CONTROLTEMPLATES\welcome.ascx

How to remove “My Settings” and “Personalize this page” menu items from the “Welcome” menu

You will sometimes want to hide certain menu items from the “Welcome” menu in the SharePoint site.
You can do the following:
1. Go to the following folder at the MOSS server: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\CONTROLTEMPLATES
2. Open file Welcome.ascx in the editor
3. There are more elements. For all those you don’t want to display to the users, add the attribute: Visible="False"
For example:


Visible="False" />


MOSS Hide Site Actions

Add this code around <PublishingSiteAction:SiteActionMenu runat="server"/> in the master page:

<SharePoint:SPSecurityTrimmedControl ID="SPSecurityTrimmedControl2" runat="server" PermissionsString="ManageWeb">
<PublishingSiteAction:SiteActionMenu runat="server"/>
</SharePoint:SPSecurityTrimmedControl>


