Extending Forms Authentication Timeout When Making AJAX Calls With jQuery

Question

I'm looking to rewrite a pretty intensive CRUD type ASP.NET page to utilize ajax calls (specifically jQuery ajax). My concern in doing this is that the user may be on this page longer than the forms authentication timeout. Because of this, I'm thinking that I should extend the forms authentication ticket with each ajax call (basically how it does in a normal web forms submit model). So the questions:

Is this even a valid concern? If so, would writing a jQuery plugin to extend the forms authentication timeout be possible? Does one already exist? Would using ASP.NET AJAX be a better approach?

Any comments\help would be appreciated.

Answer 1

I use this for my keepalive webservice. Modify this to your liking and let me know if it works... Note: session("UID") is a variable I setup at login. I name my ticket the same

<WebMethod(CacheDuration:=0, EnableSession:=True)> _
Public Function keepSessionAlive() As String
    If Session("UID") Is Nothing OrElse Session("UID") = 0 Then
        Throw New ApplicationException("Login")
    End If

    Session("lastKeepSessionAlive") = DateTime.Now

    If Not (Context.Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName) Is Nothing) Then
        Dim ticket As System.Web.Security.FormsAuthenticationTicket
        Try
            ticket = System.Web.Security.FormsAuthentication.Decrypt(Context.Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName).Value)
            If ticket.Name = Context.Session("UID") Then
                System.Web.Security.FormsAuthentication.SetAuthCookie(Context.Session("UID"), False)
                Debug.WriteLine("keepAlive:AuthenticationReset")
            End If
        Catch ex As Exception
            Debug.WriteLine("keepAlive:AuthenticationReset FAILED!!!")
            Throw New ApplicationException("Login")
        End Try
    Else
        Debug.WriteLine("keepAlive.Load: No Authentication Cookie. Error")
        Throw New ApplicationException("Login")
    End If

    Return Session.SessionID.ToString
End Function

Answer 2

I can confirm that making a web service or page method call through jQuery will extend an ASP.NET session expiration in the same way that a regular postback will.

I often use a five minute setInterval() to call a "keep-alive" service, which will preserve the user's session indefinitely even if they leave the application idle.

Answer 3

Forms auth works via a cookie. Cookies are sent with XMLHttpRequest requests, so I don't think there's a problem here.

Note that there is an issue related to the FormsAuthTicket expiring, and being forced to redirect to login.aspx or some such. But that's an entirely different scenario than what you're talking about.

Answer 4

You should be able to use MS Ajax without the Script manager and use jQuery to consume the WebMethods. More info doing so here

As far as I know, calling a WebMethod will extend the user's session timeout. So this approach may be a best of both worlds.

Answer 5

Use Fiddler or some other utility to see if Microsoft was smart enough to make sure the cookie gets updated between AJAX calls. You may have better luck (with regard to automatic updating of the forms auth tickeet) if you use Microsoft's baked-in asp.net AJAX (which is substantially similar).

Answer 6

I don't think I completely understand what it is you're asking but in terms of the jquery ajax timeout, you can set the local timeout in the ajax call.

Example:

$.ajax('ajax.php',{timeout: 60000},function (data) {
alert(data);
}