FormsAuthentication doesn't automatically redirect upon timeout

[christine.nguyen]

I am using Forms Authentication under Windows Server 2003 in .NET
2.0. It appears that the auth ticket is expiring when it's supposed
to but it doesn't automatically redirect the user to the login page.
Here is some watered down sample code I had to put in the onLoad of my
page in order to properly redirect the user upon expiration of the
login. It appears that once the auth ticket is expired, the name of
the Identity is lost (which makes sense) and then I redirect the user.

protected override void OnLoad(EventArgs e)
string userName = HttpContext.Current.User.Identity.Name;
if(String.IsNullOrEmpty(userName)
Response.Redirect(redirectUrl);
}

My question is whether I really have to include such code in my page
to handle the the empty Identity name or should the framework be
redirecting on its own once the auth ticket has expired and the
identity name is empty?

Thanks,
Christine

 

[Coskun SUNALI [MVP]]

Hi Christine,

Normally, you don't have to implement the redirection by yourself.
Specifiying the login url should solve your problem. By doing that, the user
must be automatically redirected to the login page at his/her first request
to a secured path.

<forms name=".aspxlogin" loginUrl="~/Login.aspx" />



--
All the best,
Coskun SUNALI
MVP ASP/ASP.NET
http://sunali.com
http://www.propeople.dk

 

[christine.nguyen]

Hello,

I do specify the login url in web.config, but for whatever reason it
doesn't redirect upon timeout when a secured resource is accessed.
Instead it throws an exception when I try to access and use the value
in HttpContext.Current.User.Identity.Name (which is now empty). This
is why i put code into the onLoad in order to prevent the exception.
Is there a reason why it wouldn't redirect even though I have the
login url specified in web.config?


Thanks,
Christine

 

[Coskun SUNALI [MVP]]

Hi,

Yes. If you have a HttpModule that logs and then cleans the errors on the
server, ASP.NET doesn't redirect.

--
All the best,
Coskun SUNALI
MVP ASP/ASP.NET
http://sunali.com
http://www.propeople.dk

 

[Coskun SUNALI [MVP]]

Hi,

Sorry for my previous message. It has nothing to do with your problem.

Can you please attach a project in a zip file to reproduce the problem you
have.

I will try to correct it and send it back.

--
All the best,
Coskun SUNALI
MVP ASP/ASP.NET
http://sunali.com
http://www.propeople.dk

 

[Christine Nguyen]

I figured out what the problem is, I needed to add the following setting to
the web.config.

<authorization>
<deny users="?" />
</authorization>

Thanks for trying to help!
Christine

 

[Coskun SUNALI [MVP]]

Yes, ASP.NET needs to know if the visitor is authorized to view that path or
not. Glad that you found what was wrong.

--
All the best,
Coskun SUNALI
MVP ASP/ASP.NET
http://sunali.com
http://www.propeople.dk