I am trying to "marry" them up together. So let's say the session timeout is 2 minutes, and the same with forms authentication.
I want the ability to redirect the user to a page (no, not using meta tags or anything to refresh the page) on any navigation after the timeout.
Sure, create a control and drop it in the master page. All good.
But there doesn't seem to be a way to determine if a user was logged in and, if so, do what I need to do (i.e. sign out and redirect), but it should not impact users who have not logged in.
The only time objects are being added to the session is when the user has logged in. In fact, the only object in session is a custom User object.
I have 3 separate applications (under the same domain) for which I use Forms authentication with single sign-on.
The 3 applications have different session timeout periods. I was on various articles that when we use forms authentication and specify the loginurl in the <Forms> tag in the web.config, it should automatically get redirected to the login page when the session times out. But in my case, it doesn't happen, I think because of different timeout values.
I have a web app containing a Silverlight application. How do I keep the ASP.NET session / Forms Authentication alive when the user is using the Silverlight application?
I simply want to display a message on the login page when the user is automatically redirected there after requesting a page that they were logged in for but their session has now expired. So essentially if the user was working but stepped away for a lunch break without logging out I want the system to tell them why they were sent back to the login page.
Something like "You have been idle for too long so you must log back in".
This has to be easy; I am just running into a wall here. I thought about getting the original ticket and reading the expiration date but I'm a little lost.
We're using ASP.NET and IIS 6.0. I realise that the definitions of applications, websites and virtual directories are ill-defined in IIS 6, and changed a lot in IIS 7. However, I'm stuck with IIS 6.0 for now.
We have a single web site defined in IIS, and a number of separate sub-sites in Virtual Directories.
The scheme looks like this:-
[URL]
[URL]
site1, site2, ... are virtual directories in IIS 6.0, under the "Default Web Site".
I need to use ASP.NET sessions and forms authentication in most of these sites, and I don't want them to share authentication data or session information at all.
Both the mechanisms currently depend on cookies. However, the cookies created by default use the same name, and have a path of "/" in the browser, meaning the sites' cookies will clash with each other.
Without changing the default name for each cookie, how can I enforce separation between my sub-sites? Do I need to change the virtual directories for IIS 6 "Applications"? Or is there some way in code to enforce a more limited scope for the cookies?
Using VS 2010 RC, VB, and Forms authentication to allow access to the site, depending on the login rights of a user, I want to turn on and off access to certain pages. I can turn on and off buttons to access the pages, but a user can type the page into the URL, and it will still go to them.
In our application we are using forms authentication, and we have also given defaulturl in the config file. But the problem is that it is not getting redirected to the default URL when the session timeout is occurring.
I need to implement the ability for an administrator to block/unblock a user. I do it the following way:
[Code]....
But if this user is already logged in, these changes will take effect only at the next login. I need to send this user to the login page on his next request. I have 2 ways:
Is it possible to validate a user's Username + Password without logging them in? I understand a usual login block will look like this:
[code]....
With the Membership.ValidateUser() call setting the cookie for the response.
However, there are some additional checks I'd like to perform after the password is confirmed. (Pulling out an expiry date for that user, for example).
Is there a way to do it without just calling FormsAuthentication.SignOut(); after invalidating the page?
I'm working on a website where users can log into a members area; inside this area they will be able to communicate with other members.
In order to keep an accurate list of who is online and who is not, I would need to update an IsOnline field in my database when they log on and when they exit my website.
The login part is easy, but how can I determine if someone is leaving my website to go to another, or closing the browser?
I want to password protect an area of a website by a login/registration form.
I'm using session variables to check whether the user is logged in or not. I already have a database with users/passwords... so I thought that the membership approach wasn't an option... (correct me if I'm wrong)
In the constructor of the controller of the area I want to protect I've added the following:
[Code]....
but this throws an error:
Server Error in '/' Application.
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. review the stack trace or more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
[Code]....
Line 28: this.productsRepository = productsRepository;
Line 29:
Line 30: if (Session["user"] == null)
Line 31: RedirectToAction("List", "Products");
Line 32: }
I have an MVC app that uses [Authorize] to protect the private bits. When I select the SignOut() URL it signs me out, but if I hit the back button on my browser it goes to the secure page and even lets me use the form. The action takes place and then it shows that I'm signed out. The problem is that it performs the secured action (inserting a row into my database). Then I can use the back button again and do it all over. If I use the back button after logging out and hit the browser refresh it does show I'm logged out and refuses me access to the secure page. Am I missing something important? It seems like it could be a really big security issue.
public ActionResult LogOff(string ReturnUrl)
{
    FormsAuth.SignOut();
    if (!String.IsNullOrEmpty(ReturnUrl))
    {
        return Redirect(ReturnUrl);
    }
    else
    {
        return RedirectToAction("Index", "Page");
    }
}
Is there any way that I can create a session variable AFTER authentication? It needs to be populated from the user's record in a SQL database. Basically I tried using Application_AuthenticateRequest in global.asax with an application variable but this made it available to all users. Using session_start is not working, as when this runs my user is not currently logged in, so the variable is always empty when I try and grab its value.
I have a Default (contains the sign-out button) and Login page; once the user is not authenticated, it will always redirect the user to the login page.
So the scenario is when the user hits the sign-out button it will redirect him to the login page, which is good. My problem is, when the user hits the previous or back button from the login page, it will still read the authorization cookies and redirect him to the default page, which should not be the case. The user should be redirected to the login page when authentication is invalid.
I've read some solutions on the net, but it still doesn't work for me. Below is the code I've used for my sign-out function:
[Code]....
By the way, when the user is authenticated, the previous or back button is available/enabled for the user.
I am checking if the login session is still available on the client side in jQuery. What I did was create a web method to be called as a page method on the client side. The web method is defined like this
and in my jQuery I have functions that perform different operations, and before those functions execute, I will need to make sure that the user is still logged in, so I will call the web method on the client side like this
function OnCheckSessionExpirationComplete(result) { //Callback function }
I know the web method should be void because the boolean value is not used at all on the client side or anywhere in the app. Now my question is this. My assumption is that, looking at the web method that is being called on the client side, it will execute first, and if the session is null it will not continue to execute the client-side code that was about to follow. Please clear up my assumption. Maybe there is something I don't know about jQuery that will make it continue even if the page redirection code is fired.
I set these settings below in the Web.config of my site, and it still returns me to the login page after about 20 mins. I checked the Properties of the site in IIS and the timeout is 660. However, in the properties of the defaultWeb it's not 660, since it will influence all the sites and that I don't want.
I'm currently developing a website using .NET MVC 3 and I'm on the authentication layer... Here is the scenario: the user is logged in with the "remember me" option checked: a user Session is created on the server as well as the authentication cookie on the client side. The Session timeout is set to 20 minutes. After 25 minutes of inactivity the user goes back onto the website and the Session, now expired, does not exist anymore but the authentication cookie still exists