Forms Authentication Problem: Session expired, pages can still be visited.

[gnewsgroup]

I am using forms authentication for a web application.

Like many other member web application, my web application prints out

Welcome! John Doe (Logout)

on the top right corner of each protected page.

But, pages can still be visited by following the links in the web
application after a session has timed out, data can still be retrieved
from the database. I know the session has timed out because at the
top right corner I only see

Welcome! (Logout)

However, when a user explicitly signs out by clicking on Logout,
protected pages are no longer accessible, and they'll be redirected to
Login.aspx.

The code-behind of my logout page is this:

public partial class Logout : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
Session["UserName"] = "Junk user name";
Session.Abandon();
FormsAuthentication.SignOut();
Response.Redirect("Login.aspx");
}
}

I did the same thing in global.asax's Session_End method like so:

void Session_End(object sender, EventArgs e)
{
Session.Abandon();
FormsAuthentication.SignOut();
Response.Redirect("Login.aspx");
}

I am wondering how I can really protect the protected pages when a
session has timed out. I must have missed something in this
authentication scheme. Please kindly give me a hint. Thanks.

 

[bruce barker]

authentication and session are unrelated and perform different
functions. they commonly have the same timeout but don't have to match.
also while sessions (if inproc) can recycle before the timeout,
authentication doesn't.

in your case it seems session are recycling. check the log for why the
recycle.

-- bruce (sqlwork.com)