David,

There's a couple ways you can handle this one.

.NET 2.0 makes it very easy if you have the person "log in" to the system. HttpContext.Current.User.IsAuthenticated with evaluate "true" if they have been authenticated and have not timed out. Once they timeout, they'll be taken to the login page before being able to proceed. Unfortunately, all info that may be associated with that session would probably be lost.

I've also done a cookie in the past where I set the SessionID (you can also put this in a session variable if you want) and then when they "come back" to the server, check to see if the Session.SessionID currently on the server matches what's stored in the Cookie/Session Variable. If it is, they're still "OK"...if not, I send them to a function that clears out what's been set and redirects them to the "start over" page.

This solution relies on the session timeout settings for the website, so if you want to handle it programmatically, you'll probably want to look at a client-side Javascript solution, which is how I accomplished the scenario below:

If you want to alert the visitor that their session is about to timeout, it's more difficult. I've put together a javascript timer using the javascript setTimeout() function that after x minutes/seconds/hours an alert is popped up warning them they're about to expire. If they reach the end of the timer period, I do a javascript redirect to the login page.

setTimeout is the Javascript function to research.

I hope this helps get you on track.

Ric

Ric, thank you for the info about the IsAuthenticated boolean, I didn't know about that.
I have chosen the cookie way, but don't need to tell the user that the session is about to expire. So handling it on the server is fine.
And the points go to.... rcastagna.