Forms Authentication Timeout vs Session Timeout

Tags: asp.net, Forms, Session, Timeout, asp.net 3.5

asp.net Problem Overview


In my ASP.NET website I am using ASP.NET Forms authentication with the following configuration:

<authentication mode="Forms">
    <forms loginUrl="~/Pages/Common/Login.aspx"
           defaultUrl="~/Pages/index.aspx"
           protection="All"
           timeout="30"
           name="MyAuthCookie"
           path="/"
           requireSSL="false"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" >
    </forms>
</authentication>

I have the following questions:

  1. What should the timeout value for the session be? I am using sliding expiration inside forms authentication, due to which the session will expire before forms authentication does. How can I protect against this?

  2. After forms authentication logout I would like to redirect to logout.aspx, but it automatically redirects me to loginpage.aspx. How is this possible?

asp.net Solutions


Solution 1 - asp.net

  1. To be on the safe side: TimeOut(Session) <= TimeOut(FormsAuthentication) * 2
  2. If you want to show a page other than the one specified in the loginUrl attribute after the authentication timeout, you need to handle this manually, as ASP.NET does not provide a way of doing it.

To achieve #2 you can manually check the cookie and its AuthenticationTicket for expiration and redirect to your custom page if it has expired.
You can do it in one of the events: AcquireRequestState, AuthenticateRequest.

Sample code in the event can look like:

// Retrieve the forms authentication cookie
var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie == null) return; // No cookie: anonymous request, nothing to check
FormsAuthenticationTicket ticket = null;
try {
    ticket = FormsAuthentication.Decrypt(cookie.Value);
} catch (Exception decryptError) {
    // Malformed or tampered cookie: treat the request as unauthenticated (log decryptError as appropriate)
}
if (ticket == null) return; // Not authorised
if (ticket.Expired) { // Expiration lies in the past, i.e. ticket.Expiration < DateTime.Now
    Response.Redirect("SessionExpiredPage.aspx"); // Or do other stuff here
}
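The handler below is an added, complete global.asax version of the approach described in this answer; it is not code from the original question or answers. It assumes a custom page at ~/Pages/Common/SessionExpired.aspx (which must be allowed for anonymous users in web.config), a ReturnUrl query-string parameter, and the loginUrl from the question's configuration. Beyond the snippet above it skips the login and expired pages themselves so an expired cookie cannot cause a redirect loop, clears the stale cookie so the redirect happens only once, and treats an undecryptable cookie as unauthenticated rather than trusting it.

```csharp
// Added example, not part of the original Stack Overflow answer.
// Drop into Global.asax.cs; page path and query-string name are assumptions.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumed custom page shown after the forms ticket expires.
    // It must be reachable anonymously (<location> with <allow users="?"/>).
    private const string ExpiredPage = "~/Pages/Common/SessionExpired.aspx";

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;

        // Never intercept the expired page or the login page itself,
        // otherwise a stale cookie would produce an endless redirect loop.
        string expiredPath = VirtualPathUtility.ToAbsolute(ExpiredPage);
        if (string.Equals(request.Path, expiredPath, StringComparison.OrdinalIgnoreCase) ||
            string.Equals(request.Path, FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return; // anonymous visitor: no ticket to examine
        }

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { }   // malformed cookie value
        catch (HttpException) { }       // fails MAC validation (e.g. wrong machineKey)

        if (ticket == null)
        {
            // Undecryptable cookie: discard it and let the normal login flow run.
            FormsAuthentication.SignOut();
            return;
        }

        if (!ticket.Expired)
        {
            return; // ticket still valid; FormsAuthenticationModule handles the rest
        }

        // Ticket has expired: remove the stale cookie so this branch runs only once,
        // then send the user to the custom page, remembering where they wanted to go.
        FormsAuthentication.SignOut();
        string target = expiredPath + "?ReturnUrl=" + HttpUtility.UrlEncode(request.RawUrl);
        Context.Response.Redirect(target, false);
        CompleteRequest(); // end the pipeline without throwing ThreadAbortException
    }
}
```

Using ticket.Expired rather than comparing Expiration by hand avoids the inverted comparison that is easy to write here, and Redirect(target, false) followed by CompleteRequest() ends the request cleanly instead of aborting the thread.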

Solution 2 - asp.net

For sites that have a session dependency, you can simply sign out of a stale authentication with the session start event in the global.asax:

void Session_Start(object sender, EventArgs e)
{
    // A new session started while the client still carries a valid forms
    // authentication cookie: the authentication is older than the session.
    if (HttpContext.Current.Request.IsAuthenticated)
    {
        // Old authentication, kill it
        FormsAuthentication.SignOut();
        // Or use Response.Redirect to go to a different page
        FormsAuthentication.RedirectToLoginPage("Session=Expired");
        HttpContext.Current.Response.End();
    }
}

This makes it so that new session = new authentication, period.

Attributions

All content for this solution is sourced from the original question on Stack Overflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type          | Original Author    | Original Content on Stack Overflow
----------------------|--------------------|-----------------------------------
Question              | Hemant Kothiyal    | View Question on Stack Overflow
Solution 1 - asp.net  | Dmytrii Nagirniak  | View Answer on Stack Overflow
Solution 2 - asp.net  | b_levitt           | View Answer on Stack Overflow