Is there an event that gets fired right after ASP.NET authentication has failed to identify the user? I need to trigger an alarm every time that happens. Don't offer to implement custom membership provider nor to do it from the Login form's controller. I'm looking for native ASP.NET pipeline event. HttpApplication has two events: one for before Authentication and one after, but nothing for failure.
As far as I remeber, yes:
Have a close look at the logging capabilites of the HealthMonitoring section. It is not only possible to log errors, but also events such as successfull logins or failed login.
Have a look at http://www.asp.net/hosting/tutorials/logging-error-details-with-asp-net-health-monitoring-cs
I guess eventName="Failure Audits" is the way to go
Related
In my ASP.NET MVC 5 web app, using FormsAuthentication, I want to determine if a user is still logged-in. Doing this for users who sign themselves out by clicking on the Log Out button is pretty straightforward - I can handle that event and set the flag in my database to indicate this user has signed out.
But I am not sure how to handle users who close the browser without signing them off voluntarily (by clicking the button).
I did some research but I don't think I can rely on Session_End event handler. Or can I?
am using ASP.net MVC 5 with Identity 2
Is there a way to be notified when a user becomes logged out with an ASP.net MVC
Note: A user can become logged out without visiting or clicking a "logout" link.
When a user is logged out i want to fetch clear some session related information, and write to a database.
thanks
You can do this with SignalR without much difficulty. You can create a table for OnlineUsers and Add/Remove within the OnConnected and OnDisconnected events in your hub.
It would be quite hard to achieve a reliable solution without it.
I'm using Asp.net Membership provider. I want to know which event triggered when a person authenticated on site. ( I mean login)
my authentication mode is forms
<authentication mode="Forms">
I tried
FormsAuthentication_OnAuthenticate
this event at global.asax. But it is triggering not only login, it triggers all requests.
I think Asp.net must have this event. So which is??
I interpret your question in such a way that you want to get one event each time the user logs in, but only once per session. Since you are using Membership provider I guess you also use the login control.
In that case it seems to me that are looking for the LogggedIn, not in the global.asax but as an event of the Login control.
Occurs when the user logs in to the Web site and has been authenticated.
http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.login.aspx
I am developing a web site using ASP.Net 3.5 C#. I am listing all the Online users ( users who re logged in on my site) in my site. I want to track and update user's status in Database when a user has logged out or simply closed the browser or navigated to some other site. In all these cases I want to update user's status as "Logged Out".
How can i move forward with it.
Thanks
Vivek
When the user clicks the button, you can just handle the click event on the server-side (in code-behind) and then log the status change.
For the case where the browser is closed, you can handle the Session_End event in the global.asax, which fires when the session ends:
public void Session_End(object sender, EventArgs e)
{
// Fires when the session ends
}
Legitimate logout (i.e. Logout by clicking on logout button etc.) can be tracked easily. You just have to handle the event and mark their database status logged out.
However closing the browser is one thing I never had a good success with. You will get many solutions over web which would tell you to capture the close button and then ajax request etc, but I did not have success with any one with that.
(Things like Session_End may come handy but there is a Gotcha that thisevent does not get fired, if you are using anything other than IN-PROC session mode so that's not reliable).
You don't really know if the user has closed the browser or not, or if he navigated to another site. I think you need to use some sort of AJAX control that would send some messages to the server in a given time interval to make sure the user is viewing your site.
First check my answer in this other question:
session Handling in asp.net
You wouldn't be able to immediately close a session and track this change if some user closes the browser, shutdowns computer or something like that. This is achieved by playing with session timeout.
Another possibility could be consider an user online if it triggered some operation against the server in some time interval, thing that'll be implemented in your server logic.
Logging out should be easly trackable because it's an "human user" action. Just implement a "UserLogout" event in your authentication manager class or any other class handling authentication and track logouts there.
Client-side user actions like browsing to another page or closing Web browser can't be tracked because technology limitations: API lacks in this area. It's more because of Web paradigm and its principles. You'll need to miss that.
I'm basically looking for the event that is the opposite of FormsAuthentication_OnAuthenticate. I want to remove some values from the database when a user logs out. I tried putting it into the Session_End event, but it seems that the user is already gone by the time this executes.
Update:
If I can't determine when a specific user is deauthenticated (ie, due to session timeout) then is there a way to get a list of all currently authenticated users? If I could, then in the Session_End I could just remove the records from the DB that are not associated with a currently authenticated users.
Session_End isn't guarenteed to fire - if you're not using InProc sessions for example, then it won't fire at all. If your application recycles or dies, again, it won't fire.
Your best bet would be to have this code in a shared method that you can call from numerous places:
In your LoginStatus control you can set the LoggingOut event - call your method there to handle people who log out sensibly.
If you're using InProc sessions, in your Session_End event, but make sure you check to see if they are logged out already (as you've seen).
If you're not using InProc sessions, you'll need to get a little more creative. Perhaps look at having an event that fires every now and then (perhaps on Session_Start which does fire regardless) that goes through and clears out those users who's last active time is older than the session timeout (as mentioned by Greg).
Unforunately the Membership class gives you some useful details, but not all of them:
GetNumberOfUsersOnline
This will "Gets the number of users currently accessing an application." - great, but the only methods that will get users either:
GetAllUsers // Gets all the users from the storage provider (can be paged)
FindUsersByName
FindUsersByEmail
Sadly none of these have a property to only return "active users" as per the count.
Looking at the members of MembershipUser there isn't a "IsOnline" property - only LastLogonDate and LastActivtyDate - due to the disconnected nature of the web, this is probably as good as you're going to get.
I would imagine you have them logging out via the click of a button or link or something like that. Why not just put the code in that same event / block. Near where you put the FormsAuthentication.SignOut() call.
There is a Session_End handler in the Global.asax in which you could put could that you want to execute when the session expires.
I am not sure that this is what you want though. Session and authentication are two different things. If your authentication technique is providing a FormsAuthenticationTicket to the user (inside a cookie) and that ticket has an expiration, well the expiration of the authentication is controlled via this ticket. It will not be actively managed on the server. Each request the user makes the ticket is provided and the server then determines if the user is still authenticated.
Bottom line is, you can detect when the user's session expires, but you probably won't be able to determine when their authentication expires, unless both expiration values are identical.
If you're using the SQL provider, the aspnet_Users table has a "LastActivityDate" column. If you compare that to the timeout value of forms authentication, you could come up with a list of users are definitely not logged in. Your count would be low if they log out manually with a "log out" link.