
Session expiration and authentication - ASP.NET Security


  1. #1

    Session expiration and authentication

    I'm using FormsAuthentication for an asp.net app. I would like the user to
    be re-authenticated (redirected to the login page) if there is no activity
    after a certain period of time. So I'm using Session.Timeout to set a
    timeout period, and on Session_End() I call FormsAuthentication.SignOut.

    My main problem is that after SignOut, the re-authentication does not
    occur - I can still access the pages of the app as if I'm still
    authenticated. Another interesting thing is that in Session_End I also
    called Session.Clear(), but when the page posts back it can still access the
    values that were previously stored in session variables. It's as if the
    session never expired and the variables did not get cleared. I have a
    breakpoint on Session_End, so I know that those functions are being called.

    I'm new to this, so I'm wondering what I might be doing wrong. I'd
    appreciate pointing me in the right direction, or to articles that go over
    this in more detail.

    Thanks


    Marcio Kleemann Guest

  2. #2

    RE: Session expiration and authentication

    When you clear the session state, validate that the count goes to 0. You may also need to call Session.Abandon() to completely cancel the session.

    David Coe, MCP Guest

  3. #3

    Re: Session expiration and authentication

    Thanks for the suggestion. I think I have most everything working: if I use
    a "logout" button I clear the session and do a FormsAuthentication.SignOut
    successfully (which forces the user back to the login page); if the timeout
    for the forms authentication (from web.config) lapses, then the user also
    gets sent back to the login page, where with some logic I can clear the
    session too.

    However, I still have a problem:

    When I trap Session_End(), I need to also call
    FormsAuthentication.SignOut(). This is because if a session ends before the
    forms authentication's own timeout passes, I need to sign out to clear
    the authentication ticket. However, whenever I call .SignOut() from within
    Session_End, the function is not successful; that is, the user can continue
    working on the web site without being redirected back to the login page.
    Anywhere else that I call SignOut from other pages it seems to be OK, only
    from SessionEnd() (or would it be anywhere in global.asax?) it seems to not
    work.

    Any other ideas?

    "David Coe, MCP" <anonymousdiscussions.microsoft.com> wrote in message
    news:DC900F83-A53C-4E9C-B7C3-8068DC443F0Dmicrosoft.com...
    > When you clear the session state, validate that the count goes to 0. You
    > may also need to call Session.Abandon() to completely cancel the session.


    Marcio Kleemann Guest
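
An added example, not code from any poster in this thread: Session_End runs on the server with no request or response (HttpContext.Current is null, and the event is raised only for InProc session state), so FormsAuthentication.SignOut() called there has no response on which to send the expired ticket cookie. One way to tie the ticket to the session is to check on each request instead. The session key `LoggedInUser` is a hypothetical name, and the sketch assumes the login page stores the user name under it right after a successful login.

```csharp
// Global.asax.cs (added example; assumes Forms authentication and InProc session state)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical marker key: the login page is assumed to set
    // Session[LoginMarker] = userName immediately after authenticating.
    private const string LoginMarker = "LoggedInUser";

    // Runs on every request once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null) return;  // handler without session state
        if (!ctx.Request.IsAuthenticated) return;         // forms auth redirects on its own

        // A valid ticket arriving with a session that lacks the marker means the
        // session timed out (or was abandoned) while the ticket was still valid.
        string owner = ctx.Session[LoginMarker] as string;
        if (owner == ctx.User.Identity.Name) return;

        ctx.Session.Abandon();
        // SignOut works here because there is a response to carry the expired cookie.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        ctx.ApplicationInstance.CompleteRequest();
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // No browser is attached to this event, so cookies cannot be changed here.
        // Limit this handler to server-side cleanup (temp files, audit records).
    }
}
```

Keeping the forms authentication timeout in web.config no longer than the session timeout narrows the window in which a ticket can outlive its session.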
