Get reason for login prompt when using asp.net membership - asp.net

I have an asp.net website using the SQL ASP.net membership system. When users are logged in to the website and are inactive for 20 minutes, they get sent to the login page on the next page request. I would like to show some text on the login page that says "you were logged out due to inactivity" when this happens. Is there a built-in way to do this? Or any other ways I could distinguish why the user has been sent to the login page (for inactivity or some other reason)? I have scoured SO and Google but haven't been able to come up with anything.
The reason we need to do this is because we recently migrated from a previous version of the website that was lax about security and didn't have auto logout, so we're getting lots of feedback from users thinking there's something wrong with the website when they are prompted to log in again.
Thanks in advance.

It is better to use javascript for this and be proactive about it, showing the timeout remaining if possible otherwise just alerting the user with a messagebox showing that his session has timed out and then redirecting him to the login page. Have a look here for a simple example.
To redirect him to the login page add the following to the below line as in the example:
alert("Your current Session is over."); window.location = "YourLoginPage.aspx";

For purposes of closure, I'll answer my own question. I couldn't find a clean way of doing what I'd like, so I ended up setting a cookie with the login time after the user logs in. Then on the login form page, I see if the login time in the cookie is greater than 30 minutes old (my auth timeout in asp.net) and display a "logged out due to inactivity" message. Otherwise it doesn't display the message.
Not great, but it seems to work. Satisfies the requirement for the vast majority of our users.
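
The check described in the last answer above, as an added example (not the poster's code), written in JavaScript so it runs stand-alone; the cookie name `lastLogin` and the function names are assumptions. The cookie is client-controlled, so it is validated and used only to choose a fixed notice, never to make an authentication decision.

```javascript
// Added example: decide which fixed notice the login page shows.
// The 30-minute timeout mirrors the answer above; "lastLogin" is an assumed
// cookie name holding the login time as milliseconds since the epoch.
const TIMEOUT_MS = 30 * 60 * 1000;

// Parse a Cookie request header into a prototype-free map.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // not a name=value pair
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Returns the key of a fixed message: "timeout" or "none".
// The cookie value itself is never echoed into the page.
function loginNotice(cookieHeader, nowMs, timeoutMs = TIMEOUT_MS) {
  const raw = parseCookies(cookieHeader).lastLogin;
  // Missing or non-numeric value: show nothing rather than guess.
  if (raw === undefined || !/^\d{1,15}$/.test(raw)) return "none";
  const loginMs = Number(raw);
  // A timestamp in the future means tampering or clock skew.
  if (loginMs > nowMs) return "none";
  return nowMs - loginMs > timeoutMs ? "timeout" : "none";
}
```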

Related

Best way to tell a user they've been signed out due to inactivity in using FormsAuthentication?

I'm working in Asp.NET MVC, and am trying to display a message to the user on the login page to inform them they've been logged out. I've got a Client side timer event which essentially fires a request that kills the Forms Authentication and Abandons the session, then forces a page reload which fires the FormsAuthentication redirect to the login page.
It's working pretty well overall, but I'm wondering how I can display a message to the user on the login page to say why it is they've suddenly been redirected. I was storing a flag in TempData, but now that I'm needing to clear Session as well that's not being retained.
I'm currently just looking for a returnUrl in the querystring, which is ok but not great - is there a better way to detect to pass a message through that the user has been logged out?
Thanks in advance.

ASP.net forms auth and timing out

I have a small simple problem, however the following is quite lengthy to explain the issue more.
I have an MVC 4 application using forms authentication. I have it setup using browser session cookies so that they can use the site for as long as they want, but as soon as they close the browser it in essence logs them out.
Now I have added an extra layer of security in the form of an idle timer, so that if they are idle for, say, 5 minutes, an ajax request is sent to the server to delete the forms auth token, return a session expired partial view, and show this session expired view as a modal dialog.
This dialog has a label that shows the users name, and a password input field so they can re-enter their password.
What this means is that if anyone opens up another session they will just go to the login screen as no-one is logged in, and the same happens if they just refresh the current screen. But it also means that if the user enters their password on the timeout screen the dialog sends an ajax request to the server to log them in again, and then just removes the dialog.
This all works (mostly) perfectly and they will be on the same screen as they were before, and they will also have everything filled out as they did before for example if they were in the middle of filling out a large form etc.
The issue is, if they have 2 different tabs open in their browser, the first one times out, shows the timeout screen with their name and the password entry box as expected, but the 2nd browser tab when it makes the request for the time-out screen to the mvc method, does not find a logged in user, as no-one is logged in as the person was logged out with the first time-out request. How can I get round this problem? Is there a simple solution? Or is there a better design for how I am doing this?
I've seen this issue in live sites and it's really annoying. It forces users to only have one tab open to avoid getting logged out.
Could you solve it by not logging the user out on the server once the timeout hits, but only delete the session cookie? That way the user will still see the timeout screen on the idle tab, but can still work with the other tab. It can still be an inconvenience, but I think if you really want that timeout screen it might be the way to do it. Unless you want to do it with WebSockets or something similar.
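
One design for the multi-tab problem discussed above, as an added example that is not from the original posts: keep a single idle clock in storage shared by all tabs, so a tab locks only when no tab has seen activity and every tab learns of the lock together. The storage keys, function names and the `ui` object are assumptions.

```javascript
// Added example: one idle clock shared by all tabs of the same origin.
// The storage keys, function names and the ui object are hypothetical.
// This only keeps the tabs' UI in step; the server must still expire the
// authentication ticket itself, since script and storage are client-controlled.
const ACTIVITY_KEY = "idle.lastActivity";
const LOCK_KEY = "idle.locked";

// Called on user input in any tab. Activity never clears an existing lock.
function recordActivity(storage, nowMs) {
  if (storage.getItem(LOCK_KEY) === "1") return false;
  storage.setItem(ACTIVITY_KEY, String(nowMs));
  return true;
}

// Called on a timer in every tab. Locks only when no tab has been active.
function checkIdle(storage, nowMs, limitMs) {
  if (storage.getItem(LOCK_KEY) === "1") return "locked";
  const last = Number(storage.getItem(ACTIVITY_KEY));
  // A missing or malformed timestamp fails closed.
  if (!Number.isFinite(last) || last <= 0 || nowMs - last >= limitMs) {
    storage.setItem(LOCK_KEY, "1");
    return "locked";
  }
  return "active";
}

// Call only after the server has accepted the login or re-entered password.
function unlock(storage, nowMs) {
  storage.removeItem(LOCK_KEY);
  storage.setItem(ACTIVITY_KEY, String(nowMs));
}

// Browser wiring: ui.show()/ui.hide() toggle the session-expired dialog.
function wireTab(win, storage, ui, limitMs) {
  for (const name of ["mousemove", "keydown", "click"]) {
    win.addEventListener(name, () => recordActivity(storage, Date.now()));
  }
  win.setInterval(() => {
    if (checkIdle(storage, Date.now(), limitMs) === "locked") ui.show();
  }, 1000);
  // The storage event fires in the other tabs when a key changes.
  win.addEventListener("storage", (ev) => {
    if (ev.key !== LOCK_KEY) return;
    if (ev.newValue === "1") ui.show(); else ui.hide();
  });
}
```

In a page this would be started with `wireTab(window, localStorage, ui, 5 * 60 * 1000)`, with `unlock` called from the login and password re-entry success handlers.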

How can I stop user from navigating to the previous page

I am developing a simple email portal as my college assignment and I refer to gmail for various features. Now when we sign into a gmail account and then if we hit the back button of the browser we somehow still remain on the inbox page. In my case after login if I press back button I come back to the login page. Please suggest how can I achieve this. Also I am a newbie to ASP.NET so keep it detailed.
Very simple. When loading the login page, check the user's current session state, and if they're already logged in, redirect them to their inbox.
The trick is to use javascript's "history.replace(...)" function:
http://www.hunlock.com/blogs/Mastering_The_Back_Button_With_Javascript
In essence, you remove previous history entries.

ASP.NET Response time of Login page

net application, I have one intermediate page (index.aspx) between login.aspx and default1.aspx.
The job of index.aspx page is to check authenticated user role and then just redirect request to valid default page, i.e. default1.aspx, default2.aspx, default3.aspx.
For this type of requirement our login page rendering time is more; also after authentication default page rendering time is also high.
For login page it will take around 30-40 sec for first client request.
Please suggest me right way to solve this so that login page come as soon as possible.
Are you sure this isn't just ASP.NET startup time, effectively? I suggest you create an unauthenticated page which just has static text, just for test purposes - I suspect that will take just as long as your login page.
If it's not startup time, I suggest you sprinkle your login page with logging so you can see exactly when it's got to which bit of code - that should help you track down the bottleneck. While you're waiting for the login page, is the CPU busy on the server?
Why don't you use asp.net authentication membership class?
Judging by your question, it doesn't seem that you are.

hit back in the browser

When I hit back in the browser the user is still logged in. Can someone help please?
I'm assuming you mean:
"After the user logs out, if they then press back in the browser the page says they are still logged in. How do I stop this?"
If so, what the user is seeing is the browser's cached version of the page - they are not actually still logged in, and if they were to browse elsewhere, then they would see that they are now logged out.
I often get around this by having the LoginStatus control have a LogoutAction of Redirect, and the LogoutPageUrl set to something like the homepage.
That is the correct behaviour for most web applications. Being logged in is a question of state, and does not rely on the page you are viewing.
If you want the back button to log the user out, then it would seem that it is a case of whichever page the previous one was, is where you want logged in users to be automatically logged out. It might be the case that the previous page (accessed through the back option) is the login page, where you would want logged in users to automatically be logged out.
To get a more accurate and more helpful answer, you should specify what behaviour you are expecting, and include details about the authentication system you are using (for example ASP.NET membership).
