Hi I'm using the default ASP.NET MVC Forms Authentication Membership Provider.
<authentication mode="Forms">
<forms loginUrl="" timeout="300" slidingExpiration="true"/>
</authentication>
I have a polling method that polls every minute. Whenever this method polls the expiration timer gets reset and the authentication cookie is valid for another 300 seconds.
I was wondering if it is possible to define per function if this the expiration timer gets reset or not, because this polling function should not reset this timer and the user gets logged off automatically after 300 seconds.
I'm using MVC 3.0.0.1
Edit
Regarfing to Adam Carr's answer. You're right, that would be pretty simple.
But I'm not able to put the logic in the Javascript part. We have a policy that allows only one session per user. If a user with the same credentials logges in with the same credentials in another browser the first users sessions gets terminated and redirected to the login page.
It would be easy if we were able to use web sockets like SignalR, but in this case I think it would be too much overhead fur only one function.
Why not put the logic in to the JavaScript sending the request. If you dont wont to reset the timer then don't send the keep alive.
Related
I have an ASP.NET MVC (not Core) web app that uses another site to authenticate the user, which involves navigating to the other site and back. I store information in the Session variable that I want to read after the user comes back to the original site, but the session when the user comes back is a new one, not the one I stored the information in.
Why/how is ASP.NET deciding to start a new session (or not remember the old one)? Is there some way to make it behave the way I want?
Well, I've figured this out. The problem is that the authentication site's page does a POST to return to the original site. The ASP.NET session cookie has SameSite=Lax, so a cross-site POST like this won't send it. Since ASP.NET doesn't see the cookie, it creates a new session and associated cookie, overwriting the original one.
The solution (or a solution, anyway), is to mark the cookie as SameSite=None and Secure, which I did by adding the following to my Web.config:
<sessionState cookieSameSite="None" />
<httpCookies requireSSL="true" />
The first line makes the session cookie SameSite=None, and the second line makes all cookies to Secure.
In the .NET application, we have given access to 3 authorized users with Log-in credentials. They are,
1)Admin
2)Marketer
3)Funder
Now, out of the 3 users above, Admin session should be unlimited. He should not be logged out now matter for how long the application is idle and he has not clicked on log-out button. How to do this in web.config file in ASP.NET application.
There is technically no way to set it to unlimited, as far as I am aware, however there are several ways to prevent the timeout. The keyword is prevention, both methods I am about to link include refreshing the timeout internally as long as a page is opened. You could wrap the logic in something that will be included in every page and go with that.
Prevent Session timeout with JS
This is the first method, preventing session time out with a javascript that makes requests to another specific page that has no cache.
Prevent Session timeout with Iframe and Meta Refersh
Another method involving embedding an iframe to a specific page which plays around with Meta Refresh which is used to refresh a given page on a given time.
Things to consider:
You can artificially increase the session timeout in web.config to its maximum, which should be exactly one year or 526500 minutes according to this post.
There's usually an automatic recycle of your application pool which is configured in IIS or idling of your website after 20 minutes. The idle will be prevented by both techniques, however you can set it to 0 just in case. However, I'm not sure whether the recycle affects the session once it hits - you have to research it additionally.
I am developing ASP.NET MVC application. I made some changes to save some extra info in cookie in latest version.
Few of my customers are still running old version.
Is there any way to expire the existing cookies of my existing customer and enforce them to log-on again when they connect to my new application hosted in IIS?
Thanks,
You could use the SignOut static method:
FormsAuthentication.SignOut();
This will remove the authentication cookie and on subsequent requests the user will not be authenticated. I stressed the word subsequent because after calling this method you should redirect.
I am giving newer name to my cookie in web.config, and this seem to solve my problem:-
<forms loginUrl="~/Account/LogOn" name="InsightWebMobileCookie2" timeout="10000" slidingExpiration="true" />
The problem here is you cannot read the cookie expiration date so you don't know from the cookie who the old users are.
So your options are:
If you can figure out who is from the 'old' version - have logic to expire their cookie.
Force everyone to logout once if they dont have a cookie named "VersionLogout". Once you force their logout, set a cookie named "VersionLogout" with a value of 1.2 for example, this way you know you've forced their logout for a particular version and they (going forward) won't be prompted again.
You would put that code in a Application_AuthenticateRequest event in the global.asax. at this point a user has been authenticated so you can check their cookie there.
I want to detect when a asp.net Form Authentication ticket has expired. I then want to log to the server the user that was signed out because of inactivity. Is there an event that fires on the server when the authentication ticket has expired?
<sessionState mode="InProc" timeout="5"></sessionState>
<authentication mode="Forms">
<forms loginUrl="~/Home/AccessDenied" timeout="5" />
</authentication>
In the global asax file, I have tried the Session_OnEnd(). But the context.user object is null. When i call membership.getuser() it returns null also. I have tried making the session timeout before the auth but that doesn't help. I am using mvc3 and ii7.5.
Session and forms authentication have two completely separate timeouts.
See my posting on this here:
How can I handle forms authentication timeout exceptions in ASP.NET?
In Application_PreRequestHandlerExecute you need to check the ticket.
Also be sure your session and forms auth timeouts are in sync using the code I posted there. Not just setting both to say 60 minutes. Since forms auth doesn't update the 'touched' time until half of the time passes by, and session time is updated on every request, they get out of sync.
For example I have a web application using jQuery as a framework on the client side. Now most of the pages are functional by means of using AJAX and communicate to the server by means of using Generic Handlers (.ashx).
Now I have a problem that I am asking this to see what is the best solution for handling these request when my user session expires.
For example, a user logged in, left his browser for 15 minutes and then he pressed a button that this will create a request to the handler, now from the server side when I try to read a session variable obviously it will be empty (session expired). What is the best way to redirect the user back to the login page.
We address this situation by a slightly different approach. Instead of trying to make all the jQuery calls deal with this kind of error condition, we have implemented a parallel timeout system on the client using javascript. A minute before the ASP.NET Session would time out, we pop up a dialog on the browser to warn the user "You have been inactive and are about to be logged out. Click here to remain logged in." We included a little countdown in the dialog also. If they click to stay logged in, we send another jQuery call to the server to reset the session timeout.
So, unless the user has javascript disabled (in which case, the app doesn't work anyway), there is not a possibility that we make a jQuery call after the ASP.NET session has timed out.