Identify FormsAuthentication Timeout

Discussion in 'ASP .Net Security' started by Chuck, Jun 3, 2009.

  1. Chuck

    Chuck Guest

    I have a forms authentication website that has a page where users spend a lot
    of time. So somebody spends an hour on the page and then presses submit
    and gets redirected to the logon page, followed by a redirect back to where
    they were minus all the data they typed in.

    Is there a way to handle timeouts without losing data on the redirect?
    Maybe pop up a logon page versus a redirect or something.
     
    Chuck, Jun 3, 2009
    #1

  2. On Jun 3, 5:17 pm, Chuck <> wrote:
    > I have a forms authentication website that has a page where users spend a lot
    > of time. So somebody spends an hour on the page and then presses submit
    > and gets redirected to the logon page, followed by a redirect back to where
    > they were minus all the data they typed in.
    >
    > Is there a way to handle timeouts without losing data on the redirect?
    > Maybe pop up a logon page versus a redirect or something.


    Hi Chuck

    you can try to prevent the timeout by placing an iframe in the page
    that hits another page. See:

    http://www.codeproject.com/KB/session/Session_Defibrillator.aspx

    Another approach is to add JS with a timeout which is less than the
    ASP.NET timeout

    http://jeremywadsworth.com/Default.aspx?blogentryid=41

    Hope this helps
     
    Alexey Smirnov, Jun 3, 2009
    #2

  3. Chuck

    Chuck Guest

    Thanks,
    Interesting technique, but I can't use it. The users' credentials are
    security sensitive so we do need to have authentication deactivated after the
    timeout period expires.


     
    Chuck, Jun 3, 2009
    #3
  4. Chuck

    Joe Kaplan Guest

    The better thing to do here is to design the app so that it can easily
    handle holding data that is in an intermediate state of completion (not yet
    "submitted") and provide code that allows features like auto save to work
    and to make the current transaction "GET friendly" so that if the user is
    redirected away from the page they've been working on and then redirected
    back, they are returned to their in process transaction with the data as it
    was last saved either through some sort of auto save feature or via a user
    interaction.

    You can also make it such that the forms auth does not time out at all (or
    takes a very long time to), but that may not be desirable from a security
    perspective.

    Obviously there is some significant rework involved to make the app behave
    like this.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jun 3, 2009
    #4
  5. Chuck

    Chuck Guest

    Thanks,
    Can't really redesign the application. I have a heavily customized
    FormsAuthentication provider. I would rather just customize it so that
    regardless of the application using FormsAuthentication, the current page
    data would not be lost.

    I was thinking of adding some sort of check in EndRequest that would inject a
    client script to create a JavaScript new window that is actually the login
    page. In EndRequest if you check for
    HttpContext.Current.Response.StatusCode == 302
    &&
    HttpContext.Current.Response.RedirectLocation.ToUpper().StartsWith(FormsAuthentication.LoginUrl.ToUpper())
    then you know you're being redirected by forms authentication.


    Having some trouble with that so far.

     
    Chuck, Jun 3, 2009
    #5
  6. On Jun 4, 12:14 am, Chuck <> wrote:
    > Thanks,
    > Can't really redesign the application. I have a heavily customized
    > FormsAuthentication provider. I would rather just customize it so that
    > regardless of the application using FormsAuthentication, the current page
    > data would not be lost.
    >
    > I was thinking of adding some sort of check in EndRequest that would inject a
    > client script to create a JavaScript new window that is actually the login
    > page. In EndRequest if you check for
    > HttpContext.Current.Response.StatusCode == 302
    > &&
    > HttpContext.Current.Response.RedirectLocation.ToUpper().StartsWith(FormsAuthentication.LoginUrl.ToUpper())
    > then you know you're being redirected by forms authentication.
    >
    > Having some trouble with that so far.
    >

    I think that "auto save" can be easily done without major changes in
    the application. It can be implemented using JavaScript and its
    setTimeout function, which can be executed after a certain period of time
    (e.g. every 1 minute) and keep the form data stored as a draft... The
    only thing that needs to be changed is the initial load of the form,
    where you would need to check if there is any draft or not.
     
    Alexey Smirnov, Jun 4, 2009
    #6
  7. Chuck

    Chuck Guest

    Would have to be an unattended autosave, in case the user is away from the desk.
    Also would have to change the logic of the save to not require required
    fields before saving, which involves removing constraints from the database
    or changing to some sort of temporary data storage. Not trivial or even a
    good idea IMHO.
     
    Chuck, Jun 4, 2009
    #7
  8. Chuck

    Joe Kaplan Guest

    Probably your best bet is to change the forms auth ticket so that it
    doesn't expire or takes a very long time to expire. Your app is not well
    designed to deal with a long running process on the client side like filling
    out a very long form, so you really can't afford to allow the app to
    redirect the user to a different page in the middle of this.

    If you still want the auth to time out, you'll probably need to invest in
    some client side javascript that will "test" whether the form post can be
    submitted without a timeout via some type of AJAX call and if it is going to
    fail, instead pop up a new window (or some type of overlay) that allows the
    user to reauthenticate without a change to the underlying page. Basically,
    if the server redirects the user to log in again as a result of an
    authentication failure and issues a 302 redirect to the browser, the user
    will lose all their data so you'll need to make sure the page never submits
    an action that will cause this to happen. Client side script is the only
    thing I can think of here.

    In the future, you may also want to consider allowing the app to auto save
    and allow for violations of the business rules for intermediate (not
    submitted) data. Basically, you need a function like email clients have to
    "save as draft" with auto save. Gmail and OWA do a nice job with this in
    the browser.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jun 4, 2009
    #8
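
The pre-submit check described in post #8, as an added example that is not part of the original thread: probe an authenticated endpoint when the user presses submit, and ask for a re-login in place if the forms-auth ticket has expired. `/AuthProbe.ashx`, `/Login.aspx`, the `data-guarded` attribute and `showLoginOverlay` are assumed names, not anything the posters used.

```javascript
// Added example (not from the thread). PROBE_URL and LOGIN_PATH are assumed
// names: a cheap authenticated endpoint and the FormsAuthentication loginUrl.
const PROBE_URL = "/AuthProbe.ashx";
const LOGIN_PATH = "/Login.aspx";

// Classify a probe response. An expired ticket makes ASP.NET answer the probe
// with a 302 to the login page instead of the probe's own 200.
function ticketStillValid(res, loginPath) {
  // fetch(..., {redirect: "manual"}) hides the 302 behind this response type.
  if (res.type === "opaqueredirect") return false;
  if (res.status === 401 || res.status === 403) return false;
  // If the redirect was followed instead, the final URL is the login page.
  if (res.redirected && res.url) {
    const path = new URL(res.url, "http://probe.invalid").pathname;
    if (path.toLowerCase() === loginPath.toLowerCase()) return false;
  }
  return res.status >= 200 && res.status < 300;
}

// Run the probe only when the user presses submit. Nothing here fires on a
// timer, so an unattended browser still times out on the server's schedule.
async function guardedSubmit(form, deps) {
  const { fetchFn, reauthenticate, submit } = deps;
  for (let attempt = 0; attempt < 2; attempt++) {
    let res;
    try {
      res = await fetchFn(PROBE_URL, {
        method: "GET",
        credentials: "same-origin",
        redirect: "manual",
        cache: "no-store",
      });
    } catch (err) {
      return "network-error"; // form stays on screen, nothing was posted
    }
    if (ticketStillValid(res, LOGIN_PATH)) {
      submit(form);
      return "submitted";
    }
    // Ticket expired: collect credentials in an overlay or popup while the
    // page, and everything typed into it, stays loaded.
    const loggedIn = await reauthenticate();
    if (!loggedIn) return "reauth-cancelled";
  }
  return "reauth-failed";
}

// Browser wiring (skipped outside a browser). showLoginOverlay is a
// hypothetical function that resolves to true after a successful login.
if (typeof document !== "undefined") {
  document.querySelectorAll("form[data-guarded]").forEach((form) => {
    form.addEventListener("submit", (event) => {
      event.preventDefault();
      guardedSubmit(form, {
        fetchFn: (url, opts) => fetch(url, opts),
        reauthenticate: () => window.showLoginOverlay(form),
        submit: (f) => f.submit(), // form.submit() does not re-fire the event
      });
    });
  });
}
```

Because the probe is itself an authenticated request, with sliding expiration enabled it can renew a ticket that is still valid, but only at the moment the user actually submits.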
  9. Chuck

    Chuck Guest

    We use the forms authentication timeout for security purposes. So coding to
    defeat the timeout using JavaScript or changing the timeout value would not
    be looked upon kindly.

    I have about 50 sites that use the same FormsAuthentication site, so
    rewriting 50 websites or changing our methodology on any of them would be
    hugely expensive. Also it is somewhat repulsive to me to have to change a
    data access methodology when a possible two line coding solution could be
    available.

    Hence my post asking specifically about handling timeouts without
    losing data on the redirect.
    Maybe pop up a logon page versus a redirect or something
     
    Chuck, Jun 9, 2009
    #9
  10. Chuck

    Chuck Guest

    Any way to get a response from a MS support engineer within 48 hours?
     
    Chuck, Jun 10, 2009
    #10
  11. Hi Richard,

    >Hence my post asking specifically about handling timeouts without
    >losing data on the redirect.
    >Maybe pop up a logon page versus a redirect or something


    I think Alexey Smirnov's suggestion is a good way to solve this issue if you
    want to enable the timeout. You can store data in a cookie (client side) or
    database (server) or other places where the client can access it later.

    If you need a simple workaround, I think you can use JavaScript to pop up a
    new window to temporarily save data. If the timeout is 10 minutes you can
    pop up a window after 9 minutes.

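    In the main page, call this JS to pop up the window:

    <script type="text/javascript">
    // Open the popup and hand it the current field value via the query string.
    function Popup()
    {
        // encodeURIComponent keeps "&", "=" and spaces in the value intact.
        var w = window.open("NewWindow.aspx?data=" +
            encodeURIComponent(document.getElementById("testinput").value));
    }
    </script>

    <input id="testinput" />

    Use setTimeout if needed:

    http://www.w3schools.com/htmldom/met_win_settimeout.asp

    In the popup window, call this JS to fill data back:

    <script type="text/javascript">
    // Copy the saved value from this window's query string back to the opener.
    function FillData() {
        window.opener.document.getElementById("testinput").value =
            GetQueryString("data");
    }
    // Return the decoded value of the query-string parameter named ji.
    function GetQueryString(ji) {
        var hu = window.location.search.substring(1);
        var gy = hu.split("&");
        for (var i = 0; i < gy.length; i++) {
            var ft = gy[i].split("=");
            if (ft[0] == ji) {
                return decodeURIComponent(ft[1] || "");
            }
        }
        return "";
    }
    </script>
    <input type="button" onclick="FillData();" value="Fill Data" />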

    Please let me know if it can resolve this issue and feel free to ask if you
    have additional questions.

    Regards,
    Allen Chen
    Microsoft Online Support

     
    Allen Chen [MSFT], Jun 10, 2009
    #11
  12. Chuck

    Joe Kaplan Guest

    The thing with a pop up login page is that you would need to implement that
    with client side code. The server can only issue a redirect if a resource
    is requested and authorization is denied. This is why I suggested a client
    side change to implement something like this. Unfortunately, the server
    can't really generate a popup because it just issues 302 redirects.

    The only thing I can think of to help with this on the server side would be
    to implement some sort of HTTP module that might detect that a POST request
    was being redirected to the login page and somehow block that, but I still
    think you'd need some client code changes to accomplish this. Perhaps the
    data could be added to session and then after the user is redirected back to
    the page it could be added into the page data during the GET request after
    the login? That would certainly be more than 2 lines but might not be
    horribly difficult. Most of the code would be involved with capturing the
    raw form post data and adding back into the editable fields during the GET.
    Just a thought.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jun 10, 2009
    #12
  13. Hi Chunk,

    >Hence my post asking specifically about handling timeouts without
    >losing data on the redirect.
    >Maybe pop up a logon page versus a redirect or something


    Have you solved this issue?

    Regards,
    Allen Chen
    Microsoft Online Support
     
    Allen Chen [MSFT], Jun 15, 2009
    #13
  14. Chuck

    Chuck Guest

    nope

     
    Chuck, Jun 17, 2009
    #14
  15. Hi Chunk,

    >nope


    Could you tell me whether you have tried my code or the Silverlight approach? If so,
    why can they not meet your requirement? Please let me know the reason so
    that we can discuss further.

    Regards,
    Allen Chen
    Microsoft Online Support
     
    Allen Chen [MSFT], Jun 18, 2009
    #15
  16. Chuck

    Chuck Guest

    Didn't see the Silverlight approach.
    Can't use a javascript approach because of complex controls in the page.
     
    Chuck, Jun 18, 2009
    #16
  17. Hi Chunk,

    >Didn't see the Silverlight approach.


    The Silverlight approach is to use isolated storage (mentioned in my reply
    to your other thread):

    https://silverlight.net/blogs/msnow/archive/2008/07/16/tip-of-the-day-19-using-isolated-storage.aspx

    >Can't use a javascript approach because of complex controls in the page.


    Could you clarify what you mean by "complex controls"? I think you can
    write custom controls if needed to generate this JavaScript. Then you can
    reuse them in all your projects. To register JavaScript via a custom control
    please refer to this project:

    http://cid-2fa13ebc6cc8e80f.skydrive.live.com/self.aspx/Public/RegisterClientScriptResource%7C_lvl%7C_300.zip

    Regards,
    Allen Chen
    Microsoft Online Support
     
    Allen Chen [MSFT], Jun 19, 2009
    #17
  18. Hi Chunk,

    >Didn't see the Silverlight approach.
    >Can't use a javascript approach because of complex controls in the page.


    Have you solved this issue? Please don't hesitate to let me know if you
    need further assistance.

    Regards,
    Allen Chen
    Microsoft Online Support
     
    Allen Chen [MSFT], Jun 26, 2009
    #18
