Forms Authentication Timeout Logging - asp.net

I want to detect when an ASP.NET Forms Authentication ticket has expired. I then want to log to the server the user that was signed out because of inactivity. Is there an event that fires on the server when the authentication ticket has expired?
<sessionState mode="InProc" timeout="5"></sessionState>
<authentication mode="Forms">
<forms loginUrl="~/Home/AccessDenied" timeout="5" />
</authentication>
In the Global.asax file, I have tried Session_OnEnd(), but the Context.User object is null. When I call Membership.GetUser() it returns null also. I have tried making the session time out before the auth but that doesn't help. I am using MVC 3 and IIS 7.5.

Session and forms authentication have two completely separate timeouts.
See my posting on this here:
How can I handle forms authentication timeout exceptions in ASP.NET?
In Application_PreRequestHandlerExecute you need to check the ticket.
Also be sure your session and forms auth timeouts are in sync using the code I posted there, not just by setting both to, say, 60 minutes. Since forms auth doesn't update the 'touched' time until half of the timeout has passed, while the session timeout is updated on every request, they get out of sync.
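An added example, not the code from the linked post: the framework raises no event when a ticket expires. FormsAuthenticationModule simply leaves the request unauthenticated, and for InProc sessions Session_OnEnd is raised from a cache timer with no request context, which is why Context.User and Membership.GetUser() are null there. The handlers below go in Global.asax.cs. The first reads the forms cookie in Application_BeginRequest, before the module has evaluated it, logs the name from the expired ticket (Decrypt still checks the signature, so the name is trustworthy) and tells the browser to drop the cookie so the event is logged once rather than on every later request. The second does the timeout sync in Application_PreRequestHandlerExecute by pinning the session timeout to the minutes the ticket has left, reading a renewed ticket from Response.Cookies when the module has just issued one. The namespace and the Trace destination are assumptions.

```csharp
// Global.asax.cs, ASP.NET MVC 3 / .NET 4. Added example, not the linked post's code.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

namespace MyApp // assumed namespace
{
    public class MvcApplication : HttpApplication
    {
        // BeginRequest runs before FormsAuthenticationModule's AuthenticateRequest
        // handler, so the cookie the browser sent has not been evaluated yet.
        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            FormsAuthenticationTicket ticket = DecryptCurrentTicket();
            if (ticket == null || !ticket.Expired)
                return;

            // Routed to whatever listener is configured in <system.diagnostics>.
            Trace.TraceInformation(
                "Forms ticket for '{0}' expired at {1:o} (issued {2:o}); client {3}",
                ticket.Name, ticket.Expiration, ticket.IssueDate, Request.UserHostAddress);

            // Expire the dead cookie on the client so this is logged once per expiry.
            var gone = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
            {
                Expires = DateTime.Now.AddYears(-1),
                Path = FormsAuthentication.FormsCookiePath,
                HttpOnly = true,
                Secure = FormsAuthentication.RequireSSL
            };
            if (FormsAuthentication.CookieDomain != null)
                gone.Domain = FormsAuthentication.CookieDomain;
            Response.Cookies.Add(gone);
        }

        // The session is touched on every request but the ticket only after half
        // its lifetime; make the session expire when the ticket does.
        protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
        {
            // Context.Session is null for handlers without session state
            // (the HttpApplication.Session property would throw instead).
            if (Context.Session == null || !Request.IsAuthenticated)
                return;

            FormsAuthenticationTicket ticket = DecryptCurrentTicket();
            if (ticket == null || ticket.Expired)
                return;

            int minutesLeft = (int)Math.Ceiling((ticket.Expiration - DateTime.Now).TotalMinutes);
            Context.Session.Timeout = Math.Max(1, minutesLeft);
        }

        private FormsAuthenticationTicket DecryptCurrentTicket()
        {
            string name = FormsAuthentication.FormsCookieName;

            // A ticket renewed by FormsAuthenticationModule sits in Response.Cookies.
            // Probe AllKeys first: the Response.Cookies indexer creates an empty
            // cookie (and a Set-Cookie header) when the name is absent.
            HttpCookie cookie = Array.IndexOf(Response.Cookies.AllKeys, name) >= 0
                ? Response.Cookies[name]
                : Request.Cookies[name];
            if (cookie == null || string.IsNullOrEmpty(cookie.Value))
                return null;

            try
            {
                // Decrypt verifies the MAC; an expired ticket still decrypts and
                // reports Expired == true. Tampered or foreign values throw
                // (ArgumentException or HttpException depending on the framework
                // version) or come back null; treat those as anonymous and never
                // log the raw cookie value.
                return FormsAuthentication.Decrypt(cookie.Value);
            }
            catch (Exception)
            {
                return null;
            }
        }
    }
}
```

Because the session timeout is recomputed on every authenticated request, both timeouts now slide together regardless of the values in web.config; the forms timeout stays the one that matters.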

Related

MVC Forms Authentication prevent reset of sliding window timer

Hi, I'm using the default ASP.NET MVC Forms Authentication Membership Provider.
<authentication mode="Forms">
<forms loginUrl="" timeout="300" slidingExpiration="true"/>
</authentication>
I have a polling method that polls every minute. Whenever this method polls, the expiration timer gets reset and the authentication cookie is valid for another 300 seconds.
I was wondering if it is possible to define per function whether the expiration timer gets reset or not, because this polling function should not reset this timer, so that the user gets logged off automatically after 300 seconds.
I'm using MVC 3.0.0.1
Edit
Regarding Adam Carr's answer: you're right, that would be pretty simple.
But I'm not able to put the logic in the JavaScript part. We have a policy that allows only one session per user. If a user logs in with the same credentials in another browser, the first user's session gets terminated and redirected to the login page.
It would be easy if we were able to use web sockets like SignalR, but in this case I think it would be too much overhead for only one function.
Why not put the logic into the JavaScript sending the request? If you don't want to reset the timer then don't send the keep-alive.
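Adam Carr's answer handles this on the client. When the poll has to keep running, as the edit explains, the same effect can be had on the server: by the time an action runs, FormsAuthenticationModule has already authenticated the request and, with slidingExpiration on, placed the renewed ticket in Response.Cookies; an action filter can remove that cookie again, so the browser keeps its old ticket and the poll does not push the expiration forward. This is an added example, not code from the question or the answer; the namespace, controller and action names are assumed.

```csharp
// Added example: MVC 3 action filter that stops one action from renewing the
// sliding forms-authentication ticket. Not code from the question or answer.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace MyApp.Filters // assumed namespace
{
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
    public sealed class DoNotSlideExpirationAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            HttpResponseBase response = filterContext.HttpContext.Response;
            string name = FormsAuthentication.FormsCookieName;

            // FormsAuthenticationModule adds the renewed cookie to Response.Cookies
            // during AuthenticateRequest, long before this filter runs. Removing it
            // here means no Set-Cookie for the ticket goes back to the browser.
            // Probe AllKeys first: the Response.Cookies indexer creates an empty
            // cookie when the name is missing, which would itself be sent.
            if (Array.IndexOf(response.Cookies.AllKeys, name) >= 0)
                response.Cookies.Remove(name);

            base.OnActionExecuting(filterContext);
        }
    }
}

namespace MyApp.Controllers // assumed namespace
{
    using MyApp.Filters;

    [Authorize]
    public class SessionController : Controller
    {
        // Polled every minute by the page. The request is still authenticated
        // (an expired ticket is rejected before the action runs), it just no
        // longer extends the ticket, so an otherwise idle user is logged off
        // when the configured timeout elapses.
        [HttpPost, DoNotSlideExpiration]
        public ActionResult Poll()
        {
            // Single-session check: when another login has replaced this one,
            // report it so the client can redirect to the login page. Assumed
            // helper; the page does not show how the policy is stored.
            bool stillCurrent = SessionRegistry.IsCurrent(User.Identity.Name, Session.SessionID);
            return Json(new { alive = stillCurrent });
        }
    }

    // Assumed stand-in for the one-session-per-user bookkeeping.
    public static class SessionRegistry
    {
        private static readonly System.Collections.Concurrent.ConcurrentDictionary<string, string> Current =
            new System.Collections.Concurrent.ConcurrentDictionary<string, string>();

        // Called at login: the newest session wins.
        public static void Register(string user, string sessionId) { Current[user] = sessionId; }

        public static bool IsCurrent(string user, string sessionId)
        {
            string active;
            return Current.TryGetValue(user, out active) && active == sessionId;
        }
    }
}
```

Only actions carrying the attribute are affected; ordinary page requests still renew the ticket as before, and the module's own expiry check still rejects a ticket that has run out.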

asp.net form authentication timeout settings ignored

In web.config I've configured forms authentication as follows:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx"
timeout="20"
slidingExpiration="true"/>
</authentication>
Initially the ASPXAUTH cookie is set correctly. Using Firefox's cookie viewer I can see the cookie and the expiration period is correct (20 mins).
Sliding expiration also sets an updated cookie correctly (20 more mins added).
But after that any new HTTP request (even if made within the next 5 mins) will result in a 302 and a redirect to Login.aspx as if authentication had expired.
Application details below:
target asp.net 4
iis 7.5
shared hosting but with dedicated pool (recycling did not help).
Login.aspx uses the asp Login control for authentication (no custom cookie).
Any ideas?
This could have many reasons.
Is this happening on your local machine, too? Have you maybe configured an httpCookies domain in web.config which doesn't match your local host environment?
Have you configured a machineKey (validation/encryption)? This can be important in load-balanced scenarios.
Do you use dynamic content caching in IIS?
Have a look into your event log. By default, 302s caused by a failed forms authentication are logged there. Are there any entries telling why you are considered unauthenticated? That could help identify the root cause (ticket expired, could not be decrypted, etc.).
Also keep in mind that the expiration of a forms authentication cookie is not extended on each request. A forms authentication cookie is refreshed after 50% of the original timeout has passed (in your case 10 mins), so configure your session timeout appropriately.
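To make the 50% rule concrete, here is an added example (mine, not part of the question or the answer) that calls FormsAuthentication.RenewTicketIfOld, the method FormsAuthenticationModule uses for sliding expiration, on the ticket a browser would present at each minute after login. It is a console program that references System.Web.dll; the user name and the 20-minute timeout are constructed to match the question.

```csharp
// Added example: when does a sliding forms ticket actually get renewed?
using System;
using System.Collections.Generic;
using System.Web.Security;

public static class SlidingExpirationDemo
{
    // One row per request: minutes since login, whether the framework renewed
    // the ticket, and when the ticket now expires relative to the login.
    public struct Row
    {
        public int MinutesSinceIssue;
        public bool Renewed;
        public double ExpiresMinutesAfterIssue;
    }

    public static List<Row> Simulate(int timeoutMinutes, int requestEveryMinutes)
    {
        var rows = new List<Row>();
        DateTime now = DateTime.Now;

        for (int elapsed = requestEveryMinutes; elapsed < timeoutMinutes; elapsed += requestEveryMinutes)
        {
            // The ticket issued at login 'elapsed' minutes ago, as the browser would
            // still present it. Version 2 and path "/" are what SetAuthCookie uses.
            DateTime issued = now.AddMinutes(-elapsed);
            var presented = new FormsAuthenticationTicket(
                2, "alice", issued, issued.AddMinutes(timeoutMinutes),
                false, string.Empty, "/");

            // Returns the same object when less than half the lifetime has elapsed,
            // otherwise a new ticket issued now with the original lifetime.
            FormsAuthenticationTicket after = FormsAuthentication.RenewTicketIfOld(presented);

            rows.Add(new Row
            {
                MinutesSinceIssue = elapsed,
                Renewed = !ReferenceEquals(after, presented),
                ExpiresMinutesAfterIssue = (after.Expiration - issued).TotalMinutes
            });
        }
        return rows;
    }

    public static void Main()
    {
        // With timeout=20, requests at t+1..t+9 leave the expiration at +20 minutes;
        // the first renewal happens at t+10 and moves it to +30, and each later
        // request keeps it 20 minutes ahead. A session with timeout=20 that is
        // touched on every request never expires in this window, which is the
        // drift between the two timeouts described above.
        foreach (Row r in Simulate(20, 1))
            Console.WriteLine("t+{0,2} min: {1}, ticket expires {2:0} min after login",
                r.MinutesSinceIssue, r.Renewed ? "renewed  " : "unchanged", r.ExpiresMinutesAfterIssue);
    }
}
```

The renewal test inside the framework is "time remaining is no longer greater than time elapsed", so for a 20-minute timeout a request at minute 9 changes nothing and a request at minute 10 issues a fresh ticket; the Set-Cookie seen in the browser only appears on requests that cross that line.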

How to Delete Authentication Cookie

I am developing an ASP.NET MVC application. I made some changes to save some extra info in the cookie in the latest version.
A few of my customers are still running the old version.
Is there any way to expire the existing cookies of my existing customers and force them to log on again when they connect to my new application hosted in IIS?
Thanks,
You could use the SignOut static method:
FormsAuthentication.SignOut();
This will remove the authentication cookie and on subsequent requests the user will not be authenticated. I stressed the word subsequent because after calling this method you should redirect.
I am giving a new name to my cookie in web.config, and this seems to solve my problem:
<forms loginUrl="~/Account/LogOn" name="InsightWebMobileCookie2" timeout="10000" slidingExpiration="true" />
The problem here is you cannot read the cookie expiration date so you don't know from the cookie who the old users are.
So your options are:
If you can figure out who is from the 'old' version, have logic to expire their cookie.
Force everyone to log out once if they don't have a cookie named "VersionLogout". Once you force their logout, set a cookie named "VersionLogout" with a value of 1.2 for example; this way you know you've forced their logout for a particular version and they (going forward) won't be prompted again.
You would put that code in the Application_AuthenticateRequest event in Global.asax. At this point the user has been authenticated, so you can check their cookie there.
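An added example, not code from the question or either answer, showing a variant of the forced-logout idea that keeps the marker on the server side of the trust boundary. A separate "VersionLogout" cookie is written by the client's browser and can be set by anyone, so it can skip the forced logout; the ticket's UserData, by contrast, is inside the signed and encrypted ticket, and FormsAuthentication.Decrypt rejects any edit. Storing a format version there at login lets Application_PostAuthenticateRequest reject every ticket an older build issued, without renaming the cookie. (If only tickets issued before a deployment need to go, the decrypted ticket's IssueDate can be compared against the deployment time instead.) The namespace, the login call site and the version number are assumptions.

```csharp
// Added example: reject forms tickets issued by an older build by checking a
// version stored in the signed ticket's UserData. Not the page's own code.
using System;
using System.Web;
using System.Web.Security;

namespace MyApp // assumed namespace
{
    public static class VersionedAuthCookie
    {
        // Bump whenever the ticket/cookie layout changes. Tickets from an older
        // build carry a different value or no "v=" prefix at all.
        public const int CookieFormatVersion = 2;

        // Used at login instead of FormsAuthentication.SetAuthCookie (assumed call
        // site). extraData is whatever the application keeps in the cookie; it is
        // sent on every request, so keep it short.
        public static void Issue(HttpResponseBase response, string userName, bool persistent, string extraData)
        {
            DateTime now = DateTime.Now;
            var ticket = new FormsAuthenticationTicket(
                2, userName, now, now.Add(FormsAuthentication.Timeout),
                persistent, "v=" + CookieFormatVersion + ";" + extraData,
                FormsAuthentication.FormsCookiePath);

            var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            {
                HttpOnly = true,
                Secure = FormsAuthentication.RequireSSL,
                Path = FormsAuthentication.FormsCookiePath
            };
            if (persistent)
                cookie.Expires = ticket.Expiration;
            if (FormsAuthentication.CookieDomain != null)
                cookie.Domain = FormsAuthentication.CookieDomain;
            response.Cookies.Add(cookie);
        }

        // True only for tickets this build issued. Decrypt has already verified the
        // MAC, so UserData cannot have been edited by the client.
        public static bool IsCurrentFormat(FormsAuthenticationTicket ticket)
        {
            string prefix = "v=" + CookieFormatVersion + ";";
            return ticket != null
                && ticket.UserData != null
                && ticket.UserData.StartsWith(prefix, StringComparison.Ordinal);
        }
    }

    public class MvcApplication : HttpApplication
    {
        // Runs after FormsAuthenticationModule has accepted the ticket. Sliding
        // renewal copies UserData into the new ticket, so the check keeps holding
        // for users who stay logged in across deployments.
        protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
        {
            if (!Request.IsAuthenticated)
                return;

            HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
            if (cookie == null)
                return; // cookieless mode or no forms cookie: nothing to version

            FormsAuthenticationTicket ticket;
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (Exception) { ticket = null; }

            if (VersionedAuthCookie.IsCurrentFormat(ticket))
                return;

            // Old-build ticket: clear it, redirect to the login page without
            // aborting the thread, and skip the rest of the pipeline.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            CompleteRequest();
        }
    }
}
```

Changing the cookie name, as in the accepted fix above, also works, but it leaves the old cookie on every client until it expires; the version check above removes it on the user's next visit and needs no second cookie that the client could forge.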

Why is there no ASP .NET session cookie in response on login page?

In my ASP .NET web application, when I first navigate to the login page, I do not see a Set-Cookie header coming back in the response from the server. I expect to see one that looks something like:
ASP.NET_SessionId=efypn5ihkam3pdcuucmbykvi; path=/; HttpOnly
Here is my sessionState config entry in the web.config:
<sessionState mode="InProc" cookieless="false" timeout="480"/>
I've cleared my cookies in my browser, then navigated to the login page. No Set-Cookie. After I log in to the application, it does send a cookie back for session tracking.
Other apps I've built work fine...this one is giving me trouble. Any ideas?
Usually, the session state isn't started until you create your first session state variable, which usually begins with authentication (after logging in). Unless you're deliberately creating a session state variable on the login page request, you shouldn't see one until you actually log in.
I had this problem: when I signed in on localhost IIS there was no problem, but when I signed in on my site the session cookie and login cookie were not set.
The problem was in web.config, which I hadn't synced with my web server.

proper IIS 6 configuration for forms authentication

I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:
in the [directory security tab] -> [Authentication Methods] I have:
the anonymous access Enabled
Integrated windows authentication Enabled
Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?
EDIT
I just made a test with the two options above enabled, and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!
Here is a check list for using ASP.NET Forms Authentication on IIS6
Configure IIS:
In IIS, Site Properties -> Directory Security -> Authentication and Access Control
Enable Anonymous Access
Disable all Authenticated access methods
Configure Forms Authentication:
Configure Forms Authentication in your site's web.config:
<authentication mode="Forms">
<forms name="MySite"
path="/"
loginUrl="~/logon.aspx"
protection="All"
timeout="30"
slidingExpiration="true" />
</authentication>
Your name and loginUrl may vary. The slidingExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off the site after the timeout has expired. The timeout value is in minutes.
Configure Session Timeout:
You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't, an idle session can time out while the user is still logged in; code that expects Session values to be present will throw exceptions because they are gone even though the user is still authenticated. The timeout value is also in minutes.
<sessionState mode="InProc" timeout="40" />
Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.
Anonymous access should be enabled. I don't think Integrated Windows authentication makes a difference, but if you're not going to need it then it's best to turn it off. The important thing to remember is to make sure it's turned on in web.config:
<authentication mode="Forms" />
Here's a basic tutorial that might be useful:
Overview of Forms Authentication
Anonymous access -> checked
All other options on the security tab -> unchecked
Note, forms authentication is done by .NET, not by IIS. Also, Windows Authentication MUST be off as well.
Rather technical explanations by MS.
