Re-login if authenticated after session has expired

Discussion in 'ASP .Net Security' started by peter@cooperzone.net, Sep 22, 2006.

  1. Guest

    Hi,
    I have the requirement to allow users to log in just once per day even
    if their session has expired. Sessions are set to 30 minutes, and I'm
    using forms authentication.

    I had this working nicely under .NET 1.1. Once authenticated, I wrote a
    persistent authentication cookie that timed out at 8:00 pm. In the
    Session_Start handler in global.asax I check if the user is
    authenticated and if so, I then run a quick check on the User's name
    (stored in HttpContext.Current.User.Identity.Name) and if everything's
    OK then I issue a new authentication cookie using GetAuthCookie and
    re-create my session variables. This keeps everyone logged in until
    8:00 pm; after that they have to login again.

    However, this isn't working under .NET 2.0. Once the session has
    expired users get sent to the login page. I think this is because the
    way Session_Start fires has changed under 2.0, and it doesn't get
    created until a value is actually written into the Session object.

    Does anyone know of a workaround for this, or a better way of handling
    this situation; ie how to manage longer authentications than sessions
    under .NET 2.0, and be able to detect when this happens before the user
    gets redirected to the login page (so I can recreate my session
    variables)?

    Hope this makes sense!

    Thanks

    Peter Cooper
     
    , Sep 22, 2006
    #1
    1. Advertising

  2. Joe Kaplan Guest

    I think there is some confusion here. The expiration of a forms-based
    authentication ticket and the user's session state are not related. They
    are governed by two separate systems and two separate cookies. The user's
    session state can expire completely independently of their forms-based login
    status, and vice versa.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    <> wrote in message
    news:...
    > Hi,
    > I have the requirement to allow users to log in just once per day even
    > if their session has expired. Sessions are set to 30 minutes, and I'm
    > using forms authentication.
    >
    > I had this working nicely under .NET 1.1. Once authenticated, I wrote a
    > persistent authentication cookie that timed out at 8:00 pm. In the
    > Session_Start handler in global.asax I check if the user is
    > authenticated and if so, I then run a quick check on the User's name
    > (stored in HttpContext.Current.User.Identity.Name) and if everything's
    > OK then I issue a new authentication cookie using GetAuthCookie and
    > re-create my session variables. This keeps everyone logged in until
    > 8:00 pm; after that they have to login again.
    >
    > However, this isn't working under .NET 2.0. Once the session has
    > expired users get sent to the login page. I think this is because the
    > way Session_Start fires has changed under 2.0, and it doesn't get
    > created until a value is actually written into the Session object.
    >
    > Does anyone know of a workaround for this, or a better way of handling
    > this situation; ie how to manage longer authentications than sessions
    > under .NET 2.0, and be able to detect when this happens before the user
    > gets redirected to the login page (so I can recreate my session
    > variables)?
    >
    > Hope this makes sense!
    >
    > Thanks
    >
    > Peter Cooper
    >
     
    Joe Kaplan, Sep 22, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Gareth
    Replies:
    0
    Views:
    376
    Gareth
    May 13, 2004
  2. Riaan
    Replies:
    17
    Views:
    5,581
    =?ISO-8859-1?Q?G=F6ran_Andersson?=
    May 19, 2006
  3. Keithb
    Replies:
    0
    Views:
    483
    Keithb
    Oct 28, 2006
  4. Gareth
    Replies:
    0
    Views:
    118
    Gareth
    May 13, 2004
  5. Abhijit
    Replies:
    0
    Views:
    151
    Abhijit
    Apr 12, 2004
Loading...

Share This Page