Reputation: 1016
I have an asp Login control in a jQueryUI dialog box that is hidden until a user's session is near or has already passed expiration. I'm reading a custom field in the aspxauth cookie from client script to display an "extend your session" message, which, if the user clicks it, sends an async XHR to the server which returns cookies with updated values. All of this is working fine. My problem comes when a user does not respond to the "extend session" message and their session expires. They then see the jQuery dialog with the Login control which should allow them to authenticate without taking them to the default login page. When a user submits their credentials via the login control it takes them to the default login page and does not authenticate them. What do?
Upvotes: 1
Views: 744
Reputation: 7539
You need to extend the FormsAuthentication timeout at the same time you extend the session.
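Here is something I use:

    // Requires: using System; using System.Web; using System.Web.Security;
    public void Extend(int SessionLimit)
    {
        // Ticket of the currently authenticated forms user.
        FormsAuthenticationTicket OriginalTicket = ((FormsIdentity)Context.User.Identity).Ticket;
        // Re-issue it with a new expiry, keeping the user name and custom UserData.
        FormsAuthenticationTicket NewTicket = new FormsAuthenticationTicket(1, OriginalTicket.Name, DateTime.Now, DateTime.Now.AddMinutes(SessionLimit), false, OriginalTicket.UserData);
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(NewTicket));
        authCookie.HttpOnly = true;
        // Honor requireSSL from web.config, as the built-in auth cookie does.
        authCookie.Secure = FormsAuthentication.RequireSSL;
        HttpContext.Current.Response.Cookies.Add(authCookie);
    }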
Upvotes: 1
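An added example, not part of the answer above and not the poster's code: the same ticket re-issue written as a stand-alone handler for the "extend session" XHR, with the checks and cookie attributes a hand-built auth cookie needs. The class name `ExtendSessionHandler` is hypothetical, and the example assumes .NET 4.5 or later for `SuppressFormsAuthenticationRedirect`.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical handler; map it to a URL such as ExtendSession.ashx (assumed name).
public class ExtendSessionHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only a POST from a user whose forms ticket is still valid may extend it.
        FormsIdentity identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (context.Request.HttpMethod != "POST" || identity == null
            || !identity.IsAuthenticated || identity.Ticket.Expired)
        {
            // Return a plain 401 to the XHR instead of a 302 to the login page.
            context.Response.SuppressFormsAuthenticationRedirect = true;
            context.Response.StatusCode = 401;
            return;
        }

        // Re-issue the ticket with the configured timeout, preserving its
        // version, persistence flag and custom UserData.
        FormsAuthenticationTicket old = identity.Ticket;
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket renewed = new FormsAuthenticationTicket(
            old.Version, old.Name, now, now.Add(FormsAuthentication.Timeout),
            old.IsPersistent, old.UserData, FormsAuthentication.FormsCookiePath);

        // Mirror the attributes the framework sets on its own auth cookie.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(renewed));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (renewed.IsPersistent)
            cookie.Expires = renewed.Expiration;

        context.Response.Cookies.Add(cookie);
        context.Response.StatusCode = 204; // nothing to return but the cookie
    }
}
```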
Reputation: 44971
We don't have exactly the same setup as you do and I am not exactly sure how your re-authentication works, so I could be off base, but we had a very similar issue.
The problem that we had was that the page that we used for login re-authentication was under authentication control (i.e. to get to it, you had to be logged in).
The solution was to add an entry to web.config to "unprotect" that page. For example, we added the following to the main configuration element:
    <location path="loginreauth.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
Once we did this, everything worked correctly.
Upvotes: 0