Reputation: 7340
I have a simple ASP.NET 4 site. I am using Forms Authentication. I have Session timeout set to 20 minutes. Also when the user authenticates I set the AuthenticationTicket to expire in 20 minutes. So normally everything works fine. If there is more than 20 minutes of inactivity and the user requests a page on the site they are redirected back to the Login page as I would expect.
However, let's say that the user is on a page that contains a form. Then they wait 25 minutes. Then they go to submit the form. Instead of being redirected back to the Login page, the site attempts the postback and I immediately get errors because there is code in the postback that attempts to get information out of Session.
It seems like ASP.NET does not redirect back to Login on postback if the AuthenticationTicket and Session have expired. How can I handle this? I hope I don't have to write special code on each page.
ADDED: web.config code
    <location path="ForgotLogin.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="~/Login.aspx"></forms>
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
Corey
Upvotes: 4
Views: 3177
Reputation: 5062
I think you have different timeouts for your session and your authentication cookie. The situation you describe sounds like a session that has timed out with an authentication cookie that is still valid. Look at this article. The section "Do you have a dependency between the user's authentication token and his session?" in particular applies to your situation.
Upvotes: 2
Reputation: 2583
I don't think this is an authentication issue. You can be authenticated and have the session expire. They behave independently from each other.
What kind of information are you storing in session?
If this information is for the page, I would recommend keeping it in the ViewState or ControlState. If you are keeping information related to the user, I would create an IHttpModule so that whenever an authenticated user calls your website and your session values are null, you recreate them before the user hits any page.
Upvotes: 0
Reputation: 7539
You do need to check on each page if you are not explicitly timing the pages out when the session expires.
Make a base class each page inherits Page from. In the page load event in that class, check for Session.IsNew. There are a couple other things you can check to be totally sure the session has expired.
Upvotes: 1
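An added example, not code from any of the posts above: a single IHttpModule that treats "valid Forms ticket but login-time Session data missing" as an expired login and sends the request to the login page before any postback handler runs, so no per-page code is needed. The class name `SessionExpiryModule` and the Session key `UserProfile` are hypothetical; it assumes the login code stores something under that key.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Register once in web.config (system.web/httpModules, or
// system.webServer/modules under the IIS integrated pipeline).
public sealed class SessionExpiryModule : IHttpModule
{
    // Hypothetical key: assumed to be written to Session by the login code.
    private const string LoginMarkerKey = "UserProfile";

    public void Init(HttpApplication app)
    {
        // Session state is available when this event fires, and the page
        // handler (including its postback events) has not run yet.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Handlers that do not use session state (static files, etc.).
        if (ctx.Session == null) return;

        // Anonymous requests are already covered by <deny users="?" />.
        if (!ctx.Request.IsAuthenticated) return;

        // Session still holds the data stored at login: nothing to do.
        if (ctx.Session[LoginMarkerKey] != null) return;

        // The ticket is still valid but the session data is gone:
        // drop both so the user re-authenticates and the data is rebuilt.
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();

        // RedirectToLoginPage does not end the request by itself;
        // skip straight to EndRequest so the page never executes.
        app.CompleteRequest();
    }

    public void Dispose() { }
}
```

Checking a key written at login, rather than `Session.IsNewSession`, avoids a redirect loop when a fresh session exists but has not been populated yet.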