How to expire a session

I don't know anything about ASP.NET but I know how to work with PHP.
Use Ajax, and you easily can solve it.
There would be a client/javascript code running on user's browser and It counts till 5 minutes, and after no activity in 5 minutes, you fire the XMLHttpRequest method/functions to call the ASP.NET code to close[expire] the session.

And all your code for any activity done on server-side should be checked against sessions.

That's all.
Good luck.

I'm using JSP. Can you please tell me how to expire a session in JSP?

you can try

<% session.invalidate() %>

To have it expired automatically, you need to configure the Application Server/Web Container properly.

Reading the session properly, and redirecting to a login page, is something you will have to do though.

The above command is the one the server will use, you can use it yourself, as well, but your classes will not be able to automatically expire the session, so it only makes sense for you to use the command in your code on logout, or after invalid actions (according to your application).

in fact, all sessions will expire automatically at the rate set in the server/web app configuration.

And while there are ways to do it manually, using timers and threads in the application, why would you want to essentially replicate functionality the server provides for you?

there are ways to do it manually, using timers and threads in the application

Correct, of course, I should have said

but it is not practical for your classes to automatically expire the session

instead of

but your classes will not be able to automatically expire the session

;-)

<META HTTP-EQUIV="Expires" CONTENT="0">

What do "Expires" & content stand here for?

Please reply.
Thank you.

A directive to the browser and/or proxy server not to hold a cached copy of the page. Nothing to do with a session.

Edit: Or, more correctly, that whatever cached copy they do hold is invalid as soon as they made it, and they should retrieve a fresh copy rather than using the cached copy.

Hey guys, thanks a lot.
But, one last question -
can i use - session.setMaxIntervalTime(5)
to expire my session.
The "5" in above line - does it stand for milliseconds, seconds or minutes?
Please reply.
Thank you for your replies.

What do the API docs say?

It says-
Specifies the time, in "seconds", between the client requests before the servlet container will invalidate the session.

Does this mean, if I pass "60" to setMaxInactiveInterval, the session will be "expired" in 1 minute if the browser remains inactive, and i'll have to login again?
(i've written this code in logout.jsp)

It means your session will be invalidated if more than 60 seconds go by between the last response and the next request.

How your application handles expired sessions depends on how you programmed it. And, if you have a "logout" page you should be invalidating the session manually there. You can still have a timeout (the maxInterval), but remember that this is general to the eintire application, not a specific page or two.

Can please tell me more about timeout?
Thank you.