Marcio Kleemann #1
Session expiration and authentication
I'm using FormsAuthentication for an asp.net app. I would like the user to
be re-authenticated (redirected to the login page) if there is no activity
after a certain period of time. So I'm using Session.Timeout to set a
timeout period, and on Session_End() I call FormsAuthentication.SignOut.
My main problem is that after SignOut, the re-authentication does not
occur - I can still access the pages of the app as if I'm still
authenticated. Another interesting thing is that in Session_End I also
called Session.Clear(), but when the page posts back it can still access the
values that were previously stored in session variables. It's as if the
session never expired and the variables did not get cleared. I have a
breakpoint on Session_End, so I know that those functions are being called.
I'm new to this, so I'm wondering what I might be doing wrong. I'd
appreciate pointing me in the right direction, or to articles that go over
this in more detail.
Thanks
Marcio Kleemann Guest
-
David Coe, MCP #2
RE: Session expiration and authentication
When you clear the session state, validate that the count goes to 0. You may also need to call Session.Abandon() to completely cancel the session.
David Coe, MCP Guest
-
Marcio Kleemann #3
Re: Session expiration and authentication
Thanks for the suggestion. I think I have most everything working: if I use
a "logout" button I clear the session and do a FormsAuthentication.SignOut
successfully (which forces the user back to the login page); if the timeout
for the forms authentication (from web.config) lapses, then the user also
gets sent back to the login page, where with some logic I can clear the
session too.
However, I still have a problem:
When I trap Session_End(), I need to also call
FormsAuthentication.SignOut(). This is because if a session ends before the
forms authentication's own timeout passes, I need to sign out to clear
the authentication ticket. However, whenever I call .SignOut() from within
Session_End, the function is not successful; that is, the user can continue
working on the web site without being redirected back to the login page.
Anywhere else that I call SignOut from other pages it seems to be OK, only
from Session_End() (or would it be anywhere in global.asax?) it seems to not
work.
Any other ideas?
"David Coe, MCP" <anonymous@discussions.microsoft.com> wrote in message
news:DC900F83-A53C-4E9C-B7C3-8068DC443F0D@microsoft.com...
> When you clear the session state, validate that the count goes to 0. You
> may also need to call Session.Abandon() to completely cancel the session.
Marcio Kleemann Guest
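
Added example, not code from any poster in this thread: Session_End is raised by the server when the session times out, outside any HTTP request, so there is no response through which FormsAuthentication.SignOut() could expire the browser's ticket cookie. One way to get the intended behaviour is to check on each request that the ticket still has its session behind it. The session key `AuthUser` (set by the login page) and the use of .NET 2.0 or later for `RedirectToLoginPage` are assumptions.

```csharp
// Global.asax.cs (added example; the "AuthUser" key is an assumption)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumed: the login page stores the user name under this key right
    // after a successful login, e.g. Session["AuthUser"] = userName;
    private const string MarkerKey = "AuthUser";

    // Runs on every request once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers without session state (static files etc.) are skipped.
        if (ctx == null || ctx.Session == null) return;

        // Anonymous requests, including the login page itself, need no check.
        if (!ctx.Request.IsAuthenticated) return;

        string marker = ctx.Session[MarkerKey] as string;
        if (string.Equals(marker, ctx.User.Identity.Name, StringComparison.Ordinal))
            return; // ticket and session still belong together

        // The ticket is still valid but the session behind it has expired
        // (or belongs to a different login). A response exists here, so the
        // expired cookie written by SignOut() actually reaches the browser.
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();

        // RedirectToLoginPage does not end the request; skip the page handler.
        CompleteRequest();
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Raised only for InProc session state and never inside a request:
        // keep this to server-side cleanup, no cookie or redirect work.
    }
}
```

With this check the effective idle limit is the shorter of Session.Timeout and the forms ticket timeout, whichever lapses first.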