Forms Authentication and recycling web.config

DotNetGruven

Hi,

I'm noticing that if web.config is changed, the web app is restarted and all Sessions are restarted as expected, but with Web Form authentication, it seems like the user is still authenticated. This allows the user to keep on trucking, but without any session state.

Adding the following code to Session_Start in global.aspx.cs

    protected void Session_Start(Object sender, EventArgs e)
    {
        if ( User.Identity.IsAuthenticated )
        {
            FormsAuthentication.SignOut();
        }
    }

Fixes the problem, but I'm shocked that a google of ASP.NET Session_Start IsAuthenticated SignOut doesn't return a bunch of info and an explanation.

Can anyone explain this?

TIA
geo
 
bruce barker

Authentication is independent of session management (you can turn session support off like I do and still use authentication). It is done with either URL munging or cookies, your choice. You can also pick session management handlers (any non-inproc) that do not recycle on site changes.

-- bruce (sqlwork.com)


 
Steven Cheng[MSFT]

Hi Geo,

I think Bruce's suggestions are quite reasonable. Generally the ASP.NET forms authentication token is stored in a cookie. Cookies are files stored on the client user's machine; that's why the token can remain even after the web application is restarted.
#Basics of Cookies in ASP.NET
http://msdn.microsoft.com/library/en-us/dv_vstechart/html/vbtchASPNETCookies101.asp?frame=true

And session state is a server-side resource; by default it is stored in the server's memory and will be lost when the application is restarted. The session state has no relation to the forms authentication token's maintenance.
#ASP.NET Session State
http://msdn.microsoft.com/library/en-us/dnaspnet/html/asp12282000.asp?frame=true

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
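
The following is an added example, not code from any poster in this thread. It extends the Session_Start workaround from the question so that the request which detects the lost session is also stopped, and it assumes ASP.NET 2.0 or later (for FormsAuthentication.RedirectToLoginPage) and a code-behind class named Global.

```csharp
// Added example for Global.asax.cs; not code from the thread.
// Assumes ASP.NET 2.0+ and forms authentication enabled in web.config.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        // Session_Start also fires for anonymous visitors. Only act when a
        // valid forms ticket arrives on a request that has no session yet
        // (in-proc session lost to an application restart, or timed out).
        if (!Request.IsAuthenticated)
        {
            return;
        }

        // SignOut() only adds an expired ticket cookie to the response.
        // Context.User stays authenticated for the rest of this request.
        FormsAuthentication.SignOut();

        // Send the browser to the configured login page (ReturnUrl is
        // appended), then end the response so the requested page does not
        // run as an authenticated user with an empty session.
        FormsAuthentication.RedirectToLoginPage();
        Response.End();
    }
}
```

With this handler, a user holding a persistent ticket who returns after a session timeout is also sent back to the login page.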
 
Steven Cheng[MSFT]

Hi Geo,

Have you had a chance to check out the suggestions in the former replies or
have you got any further ideas on this issue? If you have anything unclear
or if there's anything else we can help with, please feel free to post here.
Thanks.

Regards,

Steven Cheng
Microsoft Online Support

 
