Question about redirecting to a "session expired" page... - ASP.NET

  1. #1

    Question about redirecting to a "session expired" page...

    This may sound trivial but I cannot figure out how to do this...
    When a logged in user's session expires, I want that user redirected back to
    the login page with a label that says "session expired". Sounds easy, eh?

    First, am I correct in assuming that a session is totally separate from the
    "AuthCookie" that gets set when you use the FormsAuthentication class? They
    have nothing to do with each other, right? So, if my IIS application is set
    to expire Sessions every 20 minutes, that has no effect on the AuthCookie
    that I set to timeout every 18 minutes and vice-versa.

    I just started playing around with <authentication> in my web application.
    I had simply been using Session variables to track the session of a logged
    in user with the following code that I would put at the top of each page. I
    had to use try/catch because, if the session had expired, it would throw an
    exception while trying to print the name. If the exception occurred, that
    means the session expired and it would redirect back to the login page. The
    login page tests for the "j=session_timedout" in the querystring and will
    display "Sorry, your session timed out!". No problem.

    try {
        lblSessionName.Text = Session["name"].ToString();
    }
    catch (Exception exp) {
        Response.Redirect("login.aspx?j=session_timedout");
    }

    But I just started REALLY playing around with the built-in authentication
    that .net has and I think it's much nicer than what I was trying to do. I
    have it now using Forms based authentication (web.config):

    <authentication mode="Forms">
    <forms loginUrl="/login.aspx" name=".FORMSAUTH" path="/"
    protection="All" timeout="18" slidingExpiration="true" />
    </authentication>

    <authorization>
    <deny users="?" />
    </authorization>

    It validates users against Active Directory by trying to pass the username
    and password found in the login.aspx form to a DirectoryEntry object. If it
    succeeds, it calls:

    FormsAuthentication.RedirectFromLoginPage(strUsername, false);

    After 18 minutes have passed with no activity, the cookie expires and the
    user tries to click on a link, it redirects to the login page. All that
    works fine. The problem is I don't know how to test the AuthCookie for
    expiration. In the login.aspx page, I need to somehow test to see whether
    the user was directed here because of a session timeout (actually the
    AuthCookie expired). Previously, I had simply been testing the querystring
    for "j=session_timedout". But now I can't do that since the redirection
    happens automatically when the AuthCookie expires. I've tried testing the
    AuthCookie for expiration with its "Expire" property:

    FormsIdentity fiAuthTicket =
        (FormsIdentity)HttpContext.Current.User.Identity;
    FormsAuthenticationTicket fatAuthTicket = fiAuthTicket.Ticket;

    if (fatAuthTicket.Expired) {
        lblLoginError.Text = "Your session has timed out. Please log in again!";
        lblLoginError.Visible = true;
    }

    but the problem there is that, if the AuthCookie has expired, the
    User.Identity seems to be set to null because I get an error with:

    FormsIdentity fiAuthTicket =
    (FormsIdentity)HttpContext.Current.User.Identity;

    So that fails and it never prints out "Your session has timed out...".

    It shouldn't be that hard to do but I can't figure out how to do it. Any
    help is appreciated.



    John Smith Guest

  2. #2

    Re: Question about redirecting to a "session expired" page...

    You need to get the authticket directly and check its expired property.

    HttpCookie authCookie =
        Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie != null)   // no cookie sent means there is no ticket to check
    {
        FormsAuthenticationTicket authTicket =
            FormsAuthentication.Decrypt(authCookie.Value);
        if (authTicket.Expired)
        {
            // do your thing.
        }
    }

    I think that works... I pulled it from a more complicated piece of code
    and didn't test it, but I think you can see that with an expired
    authTicket you would not get a non-anonymous User.Identity populated.


    Joseph E Shook [MVP - ADSI] Guest

  3. #3

    Re: Question about redirecting to a "session expired" page...

    I think that did the trick! You rock dude! Thanks.

    Final code:
    // why are we here? session timeout? user clicked logout? or new session?

    // if auth expiration (ie session timeout)...
    // get auth ticket info if it exists

    try {
        HttpCookie authCookie =
            Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket authTicket =
            FormsAuthentication.Decrypt(authCookie.Value);

        if (authTicket.Expired) {
            Response.Write("Session Timedout");
            lblLoginError.Text = "Your session has timed out. Please log in again!";
            lblLoginError.Visible = true;
        }
    }
    catch (Exception) {
        // auth ticket probably didn't exist which means this is NOT a session
        // timeout..ignore
    }

    // did user click logout?

    if (Request.QueryString.ToString().IndexOf("logout") >= 0) {

        // remove all session items and the auth ticket
        Session.RemoveAll();
        FormsAuthentication.SignOut();

        lblLoginError.Text = "You have been logged out at your request!";
        lblLoginError.Visible = true;
    }



    John Smith Guest
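
Added example, not code from the thread or from any of its posters: the login-page check from the final code above, written as a helper that treats the forms-auth cookie as untrusted request input and uses the decrypted ticket only to choose which message to show. The names `LoginReason` and `LoginReasonDetector` are hypothetical, and the set of exception types caught around `Decrypt` is an assumption about how a malformed or tampered cookie value fails.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical names; only the FormsAuthentication calls come from the thread.
public enum LoginReason { FreshVisit, TicketExpired, LoggedOut }

public static class LoginReasonDetector
{
    public static LoginReason Detect(HttpRequest request)
    {
        // Explicit logout takes priority, matching the thread's "logout" query-string check.
        if (request.QueryString.ToString().IndexOf("logout", StringComparison.Ordinal) >= 0)
            return LoginReason.LoggedOut;

        // The cookie is client-supplied: it may be absent, empty, or garbage.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return LoginReason.FreshVisit;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        // Assumption: a value that cannot be decrypted or validated surfaces as
        // one of these; each is treated as "no valid ticket", never as an error page.
        catch (ArgumentException) { return LoginReason.FreshVisit; }
        catch (CryptographicException) { return LoginReason.FreshVisit; }
        catch (HttpException) { return LoginReason.FreshVisit; }

        // An expired ticket only selects the "timed out" label; it is never
        // used to sign the user back in or to read identity data for display.
        return (ticket != null && ticket.Expired)
            ? LoginReason.TicketExpired
            : LoginReason.FreshVisit;
    }
}
```

In `Page_Load` of login.aspx, a switch on `LoginReasonDetector.Detect(Request)` sets `lblLoginError`, and the `LoggedOut` branch is where `Session.RemoveAll()` and `FormsAuthentication.SignOut()` belong.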
