Windows Authentication/Session Timeout issue

Discussion in 'ASP .Net Security' started by jamminjime@gmail.com, Sep 18, 2007.

  1. Guest

    Since all of the brightest at Microsoft seem to be in here, I will ask
    you guys this question.

    We have an intranet application using Windows Authentication. I was
    NOT in on writing it, I just have to squash the bugs. This
    application has a timeout set in the web.config file of xx minutes.
    USING WINDOWS Authentication, we don't have a login page. When the
    session times out and a user tries to continue working (long lunch,
    etc), it throws an error something like "Session is in an invalid
    state" or something to that effect. I am sure that their session has
    timed out and they need to return to the main page and start over.

    My question to the group is....

    How can I redirect an asp.net application that uses Windows
    Authentication upon session timeout?

    I have seen a lot of OLD posts stating that you should use Forms
    Authentication to do this or use the Meta tag REFRESH to handle it. I
    am an older coder which means I am lazy and want to do this the
    easiest way possible (and without checking out some 300 web forms from
    VSS).

    Any ideas?

    Thanks,

    Jamminjime
     
    , Sep 18, 2007
    #1

  2. Joe Kaplan Guest

    Authentication and session state are not related with either forms auth or
    Windows auth. Session state is maintained via a cookie. With forms auth, a
    different cookie is used (with potentially a different timeout), while with
    Windows auth, the authentication state is maintained with different headers.

    When you are using Windows auth, your authentication doesn't become invalid
    if your session state times out. You are still authenticated. You just need
    to anticipate in your code that your session data that you need might not be
    there and return the user to a known safe starting place.

    One way to do this would be to simply check if the session data you need isn't
    there and then redirect to where you need to be to get to a known good
    state. You can also do some fancier stuff using global.asax events to check
    for session start events in places where a new session should not be started
    and handle the problem from there.

    Another thing to consider is to avoid using session state in the first
    place. Users tend to hate it as they can't go to lunch without losing the
    work they were in the middle of doing (unless you use very long timeouts,
    although that just disguises the problem). Use other state management
    techniques like cookies, query strings, form fields/view state or
    persistence of intermediate data to your database.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Sep 19, 2007
    #2
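
The Global.asax approach described in the post above, as an added example that is not part of the original thread: `Session_Start` treats a request that already carries a session cookie as an expired session and sends the still-authenticated user to a fixed start page. The page name `~/Default.aspx` is an assumption.

```csharp
using System;
using System.Web;
using System.Web.Configuration;

public class Global : HttpApplication
{
    // Assumption: the application's known-good entry page (not named in the thread).
    private const string StartPage = "~/Default.aspx";

    protected void Session_Start(object sender, EventArgs e)
    {
        // Session cookie name from web.config; the default is "ASP.NET_SessionId".
        SessionStateSection cfg =
            (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
        string cookieName = cfg.CookieName;

        // Inspect the raw Cookie header: Request.Cookies can also contain the
        // cookie the server has just issued for the new session.
        string header = Request.Headers["Cookie"];
        bool hadSession = header != null &&
            header.IndexOf(cookieName + "=", StringComparison.Ordinal) >= 0;

        // A first-time visitor sends no session cookie. A browser that sends one
        // while a fresh session is starting held a session that has expired
        // (or was lost, for example when an InProc worker process recycled).
        if (!hadSession)
            return;

        // Fixed server-side target: the redirect URL is never taken from the request.
        string target = VirtualPathUtility.ToAbsolute(StartPage);

        // Avoid a redirect loop when the request is already for the start page.
        if (string.Equals(Request.Path, target, StringComparison.OrdinalIgnoreCase))
            return;

        // The Windows identity is still valid; only the session data is gone.
        Response.Redirect(target);
    }
}
```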

  3. Have you considered using a global error handler for this? In your
    Application level error event, you can check for this specific type and
    redirect the user. You could either transport them to a page that's a valid
    starting point for sessions or to an interstitial page that first informs
    them that their session has timed out and then takes them to the valid
    starting point.
     
    Kyle M. Burns, Sep 21, 2007
    #3
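
The application-level error handler suggested in the post above, as an added example that is not part of the original thread. The thread never names the real exception type, so `SessionExpiredException`, the `SessionGuard` helper and the page `~/SessionExpired.aspx` are hypothetical names used for illustration.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Hypothetical exception type; the thread does not name the one the application throws.
public class SessionExpiredException : Exception
{
    public SessionExpiredException(string key)
        : base("Session value '" + key + "' is missing") { }
}

// Hypothetical helper that pages call instead of reading Session[...] directly.
public static class SessionGuard
{
    public static object Require(HttpSessionState session, string key)
    {
        object value = session[key];
        if (value == null)
            throw new SessionExpiredException(key);
        return value;
    }
}

public class Global : HttpApplication
{
    // Assumption: an interstitial page that explains the timeout and links to the start page.
    private const string ExpiredPage = "~/SessionExpired.aspx";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();

        // Exceptions thrown from a page arrive wrapped in HttpUnhandledException.
        while (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // Redirect only for the session-expired case; every other error
        // falls through to the normal error handling.
        if (!(ex is SessionExpiredException))
            return;

        Server.ClearError();
        Response.Redirect(VirtualPathUtility.ToAbsolute(ExpiredPage));
    }
}
```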