Session expiration and authentication


Marcio Kleemann

I'm using FormsAuthentication for an asp.net app. I would like the user to
be re-authenticated (redirected to the login page) if there is no activity
after a certain period of time. So I'm using Session.Timeout to set a
timeout period, and on Session_End() I call FormsAuthentication.SignOut.

My main problem is that after SignOut, the re-authentication does not
occur - I can still access the pages of the app as if I'm still
authenticated. Another interesting thing is that in Session_End I also
called Session.Clear(), but when the page posts back it can still access the
values that were previously stored in session variables. It's as if the
session never expired and the variables did not get cleared. I have a
breakpoint on Session_End, so I know that those functions are being called.

I'm new to this, so I'm wondering what I might be doing wrong. I'd
appreciate pointing me in the right direction, or to articles that go over
this in more detail.

Thanks
 

David Coe, MCP

When you clear the session state, validate that the count goes to 0. You may also need to call Session.Abandon() to completely cancel the session.
 

Marcio Kleemann

Thanks for the suggestion. I think I have most everything working: if I use
a "logout" button I clear the session and do a FormsAuthentication.SignOut
successfully (which forces the user back to the login page); if the timeout
for the forms authentication (from web.config) lapses, then the user also
gets sent back to the login page, where with some logic I can clear the
session too.

However, I still have a problem:

When I trap Session_End(), I need to also call
FormsAuthentication.SignOut(). This is because if a session ends before the
forms authentication's own timeout passes, I need to sign out to clear
the authentication ticket. However, whenever I call .SignOut() from within
Session_End, the function is not successful; that is, the user can continue
working on the web site without being redirected back to the login page.
Anywhere else that I call SignOut from other pages it seems to be OK, only
from Session_End() (or would it be anywhere in global.asax?) it seems to not
work.

Any other ideas?

David Coe said:
When you clear the session state, validate that the count goes to 0. You
may also need to call Session.Abandon() to completely cancel the session.
 

Eric Marvets

The user has to be at the site, because when you call SignOut, it has to be
able to clear the cookie on the client. There is no direct way of doing
what you're trying to do.

You could explore some server side options of maintaining a list of logged
in users, or in session onstart, always force a log in, something of that
nature.


--
Eric Marvets
Principal Consultant

the bang project

<shameless self promotion>

Email (e-mail address removed) for Information on Our
Architecture and Mentoring Services

</shameless self promotion>
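An added example (not code from any poster in this thread) of the "force a log in at session start" approach Eric describes. Session_End runs on a timer thread with no request or response, so the Set-Cookie that FormsAuthentication.SignOut() needs to clear the ticket never reaches the browser; the enforcement has to happen on the next live request instead. The Global.asax.cs below stores a marker in the session at login and, on every request from an authenticated user, signs out and redirects whenever that marker is missing (new or recycled session) or belongs to a different user name. The login page path comes from the forms authentication config (FormsAuthentication.LoginUrl); the marker key, the helper name and the use of in-process session state are assumptions made for this example.

```csharp
// Global.asax.cs (example added here; not the original poster's code).
// Assumes a classic ASP.NET Web Forms app using FormsAuthentication.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Assumed marker key. It is written at login; a later request that
    // carries a valid forms ticket but no marker means the session was
    // recycled (timed out, Abandon()ed, or the worker process restarted).
    private const string SessionOwnerKey = "AuthUserName";

    // Assumed helper: call it from the login page right after
    // FormsAuthentication.SetAuthCookie(...) / RedirectFromLoginPage(...).
    public static void MarkSessionAsLoggedIn(HttpSessionState session, string userName)
    {
        session[SessionOwnerKey] = userName;
    }

    // PostAcquireRequestState runs after SessionStateModule has loaded the
    // session and after FormsAuthenticationModule has validated the ticket,
    // so both ctx.Session and ctx.User are populated here.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null)
            return;   // handler without session state (e.g. WebResource.axd)
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;   // anonymous request: nothing to enforce

        string owner = ctx.Session[SessionOwnerKey] as string;
        bool sessionMatchesTicket = !ctx.Session.IsNewSession
            && owner != null
            && string.Equals(owner, ctx.User.Identity.Name, StringComparison.Ordinal);

        if (sessionMatchesTicket)
            return;

        // The forms ticket is still valid but the server-side session is gone
        // (or belongs to someone else). End the login on this live request,
        // where the cookie-clearing response can actually reach the client.
        ctx.Session.Clear();
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, false);
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

After the redirect the ticket cookie is gone, so the follow-up request to the login page is anonymous and the check above short-circuits; there is no redirect loop. Session_End can then be left to do nothing (or only server-side cleanup), and the two timeouts in web.config no longer have to agree for the session expiry to force re-authentication.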
 
