I need to do some cleaning when an authentication ticket is expired.
Is there any event that i can subscribe to?
Thanks for any suggestions,
HF
ASP.NET events happen when the user does something, causing a postback to the server. The authentication ticket expiring doesn't cause a postback, hence no way for you to know. You'll have to keep track of the time on your own.
Related
I am implementing site with login via facebook.
I call FormsAuthentication.SetAuthCookie(response.email, true); after facebook authenticates user.
Form authentication timeout is set to 129600 (3 month).
Should i set session timeout to the same value?
As far as I understand session timeout should be as few as possible.
Is it normal if session timeout less then form timeout? (for example form 129600 session 30)
I know that there are many similar questions, but this problem isn't clear for me.
Thanks.
You're using cookies for authentication, your server session doesn't matter. A potential problem is that if you store data on Session object and it expires, that could cause troubles to user since functionality depending on this data would probably fail.
If you handle server Session expiration properly, you won't have any problem.
EDIT
This problem seems to have strangely disappeared. There must've been something funky with my environment. I'm voting to close this question.
When a user logs in, I inflate the session with a bunch of data from the Login page code-behind. Then I redirect the user to a different page in the application. I also have some session recovery logic which re-inflates the session based on the auth ticket when the user's session expires.
What seems to be happening is that I inflate the user's session with a bunch of data from the login page, then redirect them, and the request for the page to which I redirect them doesn't seem to have the session, so the application has to re-inflate it. I don't understand this - I've looked at the cookie and the session ID is not changing, and I am not resetting the session data anywhere in the code. Is this an ASP .NET 'feauture'? I'm using ASP .NET 4.0.
Edit:
To clarify: The session is inflated during the login request (on the click even of the login button). During the next request, it doesn't appear the session is populated any longer, so I end up having to re-inflate the session. Any requests that user makes after that, the session seems to "stick" and I have the properly inflated session for subsequent requests.
To answer your question SessionState data is independent of login/logout.
There are several reasons why data might "disappear" from SessionState.
If you are using InProc SessionState on a web farm, the user may have a subsequent request be served by a different machine in the farm.
SessionState can clear if it gets too full (like a cache).
If you are using a custom SessionStateStoreProvider, it may not be saving/retrieving the SessionState properly.
When a session is timed out in asp.net application, we need to close all the web pages those are already opened by a user.
Each page has sign out link. When the user click on that link, the home page is redirected to that page.
In this case, the other opened pages also needs to be closed.
How can we do this?
For all pages:
AJAX call back to server to check whether Session has expired.
Parse result from AJAX
If session ended then close window or redirect to logged out page.
On the second thought... we can use what #thephpdeveloper said, particularly when user signs out formally... (like clicking the signout button) Once After a formal Sign out happens... Such Ajax Call back can be used, cause the session will be valid but there will not be any user... Using this we can signal the page and close the browser window
As Razzie commented, doing an AJAX callback to the same web-application will keep the session alive. Using a web-service also won't solve the problem.
This solution avoids keeping the session alive:
Store every session in the database. This could be done in the Session_Start event in the Global.asax or after the log-in.
Delete timed-out sessions from the database in the Session_End event in your Global.asax file or after the log-out.
Do a periodical AJAX callback to a different web-application, e.g. a web running on a sub-domain, to check in the database if the session still exists.
I suggest you use the SessionID to identify the sessions.
I am using sessionstate stored in stateserver in asp.net. I have a link on header that displays users login id.
Problem:
When session expires in stateserver my application still displays loginid and it throws an error when hits code that depends on value stored in session.
Looks like asp.net has no idea when session expires on stateserver and continue working on same session with value saved in cookie in user's browser.
To tackle this problem in another application i am checking for session with each request and expire user's session if it's expired in sessionstate.
I am not sure i am doing right thing here. Isn't asp.net suppose to keep session data saved in cookies synced with session in stateserver?
Could you please explain what would be best practice to handle this?
The right practice is to "find" the user's session each time you receive a postback. And right then and there, if you can't find it, report an error that their session has expired and they need to log in again.
If you are using ASP.Net Webforms, you can consider the Load event of the page or control to check whether the session has expired. Here's the relevant code
if(Session["yourvar"] == null)
ShowError();
Thanks For all answers,
By Default my session timeout value for form authentication were higher then sessionstate. That made session on sessionstate expire and cause issues. I think keeping form authentication value little lower than sessionstate would be the best practice.
I have an ASP .NET information and I currently have session state turned off so I can't exactly hook into the session start event within the Global.asax. I want to get at this data, when someone comes to a site, and when they would normally start a session. What is the event that is fired to start a session so that I could hook into it and get at that data?
Without having sessions turned on then every request is a new session. So whatever event you like :)
Unless you're dropping a cookie which acts as a session cookie then there is no way to know if a visitor has been there before.