forms authentication redirect problem

[Janette]

Hi All,

I am developing using ASP.NET using VB on .NET framework 1.1.

I have an application that uses forms based authentication. When the session
times out and sends the user back to the login page, I see that it populates
a return_url value and adds it to the url. Such that when the user then
authenticates, the FormsAuthentication.RedirectFromLoginPage then uses the
return_url to return the user back to the page they were on when the session
expired. All well and good, but, some of my pages rely on the previous
content of the session variables to be able to populate the page they were
previously on.

Is there any way of preventing the redirect to the return_url, eg by using
something instead of FormsAuthentication.RedirectFromLoginPage, that only
ever takes the user to the mainmenu page? Or, do I need to add checking for
the existence of the required session values on each page (rather painful if
I do have to).

Please be gentle, I am not very experienced with ASP.NET as you may see by
my question.
Thanks in advance
Janette

 

[Dominick Baier]

RedirectFromLoginPage simply call 2 APIs that you can call yourself,

1. FormsAuthentication.SetAuthCookie to set the ticket
2. Response.Redirect(FormsAuthentication.GetRedirectUrl(..))

2 does the redirect and you can do it yourself.

 

[Joe Kaplan \(MVP - ADSI\)]

In addition, don't confuse forms authentication timeout with session state
timeout. They are tied to different cookies and can have different values.
For example, your session state can time out before your forms auth and vice
versa.

I'd suggest doing a check in your page load to verify that values you expect
to be in session are present and redirect to a "safe" page such as the home
page for the app if they are not. This way, the session state validation is
not tied to any specific authentication mechanism.

Ditching session state where possible is also a good idea. Perhaps you
could put this state in a query string or cookie instead. If the data is
just cached for performance reasons, use the cache object instead.

Joe K.

 

[Janette]

Hi Dominick and Joe,

Dominick - Thanks for your simple explanation of the RedirectFromLoginPage
call. This was exactly what I needed to know.

Joe - regarding your comment on session and authentication timeout, I
actually have them both set to the same timeout period, therefore I know
when a timeout occurs that the user needs to go back to the mainmenu after
logging back in. If I had had some .NET experience prior to this project, I
would have avoided using session state and using a cookie instead, then
people could have continued where they left off when their session expired.
Oh well, something to note for the future.

Thank you both for your replies
Regards
Janette