FormsAuthenticationTicket Null After Authentication Timeout?

Dec 20, 2010

I'm implementing an authentication timeout detection mechanism per a previous question and answer of mine here. I've implemented an HTTP module that uses the AuthenticateRequest event to run code to capture whether the authentication period has expired. The code to do this is below:

public class AuthenticationModule : IHttpModule
#region IHttpModule Members
void IHttpModule.Dispose() { }
void IHttpModule.Init(HttpApplication application)


The problem is that, once the authentication period has expired (I set it to 1 min to test), there is no longer a forms cookie (see comment in code). This means that the authentication cookie will be null, and I won't make it past the null check in my code. But there's a convenient "Expired" property for a FormsAuthenticationTicket that I feel like I should be checking to see if the period is expired. But how do I get that far if the cookie is no longer there? Is it reasonable to assume the authentication period has expired if there's no longer a forms cookie?

View 1 Replies

Similar Messages:

Security :: C# FormsauthenticationTicket Doesn't Override Configuration Timeout

Jan 7, 2010

I have a testproject and the forms timeout specified in web.config overrules the timeout which I set in FormsAuthenticationTicket. According the documentation, the timeout (expire date) in FormsAuthenticationTicket must override the timeout in web.config.

Documentation found on:



Here is my code:





Now, when I login, i get redirected after 1 minute of inactivity. This isn't supposed to happen, right? I have to be redirected after 2 minutes.

View 1 Replies

Forms Authentication - .NET Updating The FormsAuthenticationTicket?

Sep 21, 2010

when a user logins into my site i create the following authenticate ticket:

// Create the authentication ticket
var authTicket = new FormsAuthenticationTicket(1, // Version
userName, // Username [code]...

The problem i have is that if an administrator changes a user's role or time zone then the next time they return to the site their ticket is not updated (if they selected remember me when logging in).Here's my authentication settings incase it helps:

<authentication mode="Forms">
<forms timeout="10080" slidingExpiration="true" />
<membership userIsOnlineTimeWindow="15" />

I've been reading up on slidingExpiration but as far as i can tell it only increases the expiration time and doesn't renew the contents of the cookie.

View 1 Replies

Cookies - Get FormsAuthenticationTicket Object When Authentication Expired?

Dec 20, 2010

I'm trying to check the Expired property of the user's current FormsAuthenticationTicket to see if the authentication period has expired. But when the period has expired, I'm never able to get enough information to even create the ticket to check. I've tried this:

FormsIdentity id = (FormsIdentity)User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;

But User is null when the authentication period has expired. So that won't work. I've tried this:

HttpCookie authCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);

But the Forms Cookie is gone when the authentication period has expired, meaning authCookie will be null. So that doesn't work.

Is there any way to actually get the FormsAuthenticationTicket object when the authentication period has expired? There must be, because there's an "Expired" property in the object.

View 2 Replies

C# - Difference Between Timeout Property Specified In Web.Config And ExpiryDate Property Of FormsAuthenticationTicket?

Jul 3, 2010

In the Web.Config we have a timeout property. Ex:

<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="2880"/>

When loggin in, we can specify a ticket expiry date. Ex:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, id.ToString(), DateTime.Now, expiryDate, true,
securityToken, FormsAuthentication.FormsCookiePath);

Why there's two places where I can set expiration info about forms-authentication? What's the difference between them? What has more relevance?

View 1 Replies

How To Detect Authentication Timeout

Dec 9, 2010

I've seen multiple articles like this one that explain how to detect that a user's session has timed out. And for clarity's sake, these articles are referring to the timeout value defined by this web.config line:

<sessionState mode="InProc" cookieless="UseDeviceProfile" timeout="120" />

Not to get into that method too much, but this involves checking that Session.IsNewSession is true and that a session cookie already exists. But I haven't seen any articles on how to detect authentication timeout -- the one defined by this web.config line:

<authentication mode="Forms">
<forms loginUrl="~/Home/Customer" timeout="60" name=".ASPXAUTH" requireSSL="false" slidingExpiration="true" defaultUrl="~/Home/Index" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>

Multiple articles online, including this SO post, have said that your Session timeout value should generally be double your Authentication timeout value. So right now, as above, my Session is 120 and my Authentication is 60. This means that I'll never get in a situation where the Session has timed out, but the user is still Authenticated; if the user ever times out, it will be due to Authentication, not Session.

View 3 Replies

Security :: Windows Authentication Timeout?

Mar 23, 2011

We currently have a set of ASP.NET application and we are migrating them to use Windows Authentication (used to be form Authentication). We will eventually let the user to connect to our site entering Windows Authentication credentials. When we tested within our system across different domains, we noticed that the authentication session seemed to be cached even with the server session had timed out. In other words, once the user logged in and keeped an Internet Explorer window up (didn't even have to be in ourapplication page), the user could always navigate back to our application without being prompted for security login again. We had our site included in the Trusted Site list of the IE browser.Is that the expected behavior for ASP.NET Windows Authentication? If that is the case, is there a way to end the Authentication cache when the users leave their IE windows idle.

View 7 Replies

Security :: How To Know That Form Authentication Session Timeout

Nov 19, 2010

I have a question regarding Form Authentication Session Timeout

I have a form authentication and i have set the session timeout in my webconfig.

After I login to website using my form authentication, the session is not timing out even after i login more than 30 minutes.

It seems i'm still authenticated and can access everything.

Is it normal ? I thought if we set the timeout in webconfig it will automatically log you out because the session expire.

<authentication mode="Forms">
<forms name=".authentication" loginUrl="Login.aspx" defaultUrl="Default.aspx" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true" enableCrossAppRedirects="true" domain="" />

View 2 Replies

Sesion Timout Vs Form Authentication Timeout?

May 18, 2010

What is the difference between a abandon Session and a cookie timeout, what if the session is abandon and the cookie is still alive, is that can lead to a problem?

<sessionState timeout="1" />
<authentication mode="Forms">
<forms loginUrl="login.aspx" timeout="1" />

View 1 Replies

Security :: Redirect On Forms Authentication Timeout?

Nov 3, 2010

how to redirect to a custom URL on Forms Authentication timeout? The timeout is working but it is only caught when I try to go to a page in my application because each Page_Load method is wrapped in a custom IsLoggedIn method. Here is the settings I have so far in the Web.config.


View 1 Replies

Security :: Handling Session Timeout With Forms Authentication?

May 13, 2010

I have 3 seperate applications (under the same domain) for which I use Forms authentication with single sign-on.

The 3 applications have different session timeout periods. I was on various articles that when we use forms authentication and specify the loginurl in the <Forms> tag in the web.config, it should automatically get redirected to the login page, when the session timesout. But in my case, it doesn't happen, I think because of different timeout values.

View 6 Replies

Security :: Session Timeout Trumps Authentication Ticket?

Jul 2, 2010

here's what I have:

My 3.5 app uses Forms Authentication.

I create an authentication cookie (ticket) with an expiration date of one day.The cookie'sIsPersistent is set to true.

I do not use any session variables.

Session timeout is the default 20 minutes.

Here's the problem:

When the session times out in 20 minutes, the user is redirected to the logon page even though the authentication cookie has not expired.

Why does this happen? I thought the cookie and the session worked independently. Shouldn't the user remain logged in as long as the cookie hasn't expired?

View 1 Replies

Security :: Authentication Timeout While Making AJAX Call?

Sep 13, 2010

I tried to take advantage of jQuery AJAX call to enhance user experience but I am facing a tricky problem.

When the user does nothing for a period of time, e.g. 30 minutes to reach authentication timeout, making AJAX call becomes the problem. The server side will return login page and display in my target div section. The simplest solution I can think of is to inject a dummy tag in login page, and when detecting such dummy tag then use javascript to redirect to login page. But this means that I have to do that every time I make AJAX call.

View 1 Replies

State Management :: Form Timeout Vs. Session Timeout Vs. Connectionstrings Timeout?

Jan 27, 2011

We have the timeout value set to 120 in our <form> tag within the web.config. We do not have a session timeout set.. and we have various connection strings.

We are having a problem where a session variable will disappear (become NULL) .. but, the form evidently remains 'open'.. or no re-login is required..... so, my question(s):

1. what is the relationship between form timeout and session timeout

2. how do I set session timeout

View 1 Replies

How To Create A Website That Has A Custom Authentication/session Timeout For Each User

Apr 4, 2011

I am trying to build an ASP.NET site that allows each user to set their own session timeout value. Basically from the user's perspective if they set their timeout value to 30 then that means that after 30 minutes of inactivity they are required to re-authenticate. If they set their timeout value to 0 then that means that they can leave the browser open as long as they want and their session never expires - they never have to re-authenticate. This is different than "remember me" functionality. If they close their browser they will have to re-authenticate.

Currently I am using Forms Authentication in my application and I have one object that I am storing in ASP.NET session. This object is a custom User object that has a number of different pieces of information about the current user.

What code would I need to write so that after successful login, the system has the proper authentication ticket and the proper session expiration value? I keep thinking I have this working and then I notice weird time outs where the system seems to think I am authenticated but my session has expired.

Currently on my login page I am using an ASP.NET login control. i have custom code in the Login_Authenticate event to authorize the user. Then I have the following code in the Login_LoggedIn event to set the auth ticket.


View 1 Replies

C# - Setting A Timeout Using A Manually Created Forms Authentication Ticket?

Dec 29, 2010

The constructors for manually creating FormsAuthenticationTicket objects force us to set an "expiration" value, and this value overrides the "timeout" setting in web.config in my tags, which is not what I want, because now the user doesn't timeout. The "session" just expires at the given time.I need to manually create my ticket for UserData reasons, and it is just the way I decided to build my app. I guess I could spend a whole lot of time and redo the way my app. authorizes, and store the "userdata" elsewhere... but this seems extremely tedious for something so small..Is there anyway to manually create an Auth Ticket and still maintain timeout settings?! And by timeout, I mean resetting the timer on user activity. Not a fixed timeout!

View 1 Replies

Security :: Windows Authentication Timeout And Page Refresh Using Javascript?

Apr 26, 2010

I have a web page that refreshes every one minute and the solution times out every 20 minutes, would the one minute refresh be considered as user activity and therefore doesn't time out every 20 minutes? And if not, how do I convince the page that the one minute refresh is like a user activity and it shouldn't time out?Here is the javascript to refresh every one minute:


View 5 Replies

JQuery :: Form Authentication - User Suddenly Logs Out Before Timeout?

Jul 12, 2010

I have set the authentication timeout and session timeout in web.config is 100 (in minutes).LoginName control shows logged in username and logout link.After 15-20 min LoginName control shows nothing and login link regardless my authentication timeout(which is 100).I can work on that page till server trip is not happen.

View 1 Replies

Session Timeout With Form Authentication - How To Display An Modal Poup Or Redirect Entire Webpage

Apr 1, 2010

I am using mvc and jquery to make ajax requests and when the session times out after an ajax request the full sigin page gets loaded into my ajax div.

How can I display a modal popup instead of making a redirect when a session times out?

View 2 Replies

Security :: Force To Show To The Logon Popup When The Session Is Timeout In Integrated Windows Authentication Enabled Website

May 31, 2010

I am trying to force to show to the Logon popup when the session is timeout in Integrated Windows Authentication Enabled website. The session_timeout is firing during the session timeout, but the User.Identity.IsAuthenticated is true. How force to use the Windows Logon Screen when the session is timeout.

View 4 Replies

Authentication.Login: AuthenticationService Is Set To Null?

Mar 6, 2011

I am having a nervous-breakdown over the following:I want to automatically login a recently created user that has been added to the database.User data is reflected in the database (SQL Server 2008) after being created.The login code is below:

DatingSite.Views.Signup signupPage = e.Content as DatingSite.Views.Signup;
signupPage.SignupComplete += (se, ev) =>


View 1 Replies

Web Forms :: In Session Timeout Page Is Not Redirecting To Defaulturl In Forms Authentication?

Apr 13, 2010

In our application we are using forms authentication, we have given defaulturl also in the config file. But the problem is that it is not getting redirected to the default url when the session timeout is occuring.

View 2 Replies

State Management :: Session Variable Authentication State Timeout?

Dec 3, 2010

I am building a web app that is limited to one database, therefore I cannot use the ASP.NET config tool. As a quick means of getting this app online, I tried to use a simple session variable. The login page verifies the user's credentials, and if they pass, it sets the session variable to a certain value. All other pages check in the page_load event whether or not the session variable is equal to that value. The problem is that once being logged in for a short while and sending and recieving some data, the session variable resets, and I'm returned to the login page to repeat the process. Here's the basic code from my webforms:


Is there some setting I need to change in the web.config file to adjust the cookie timeout or is that only for the config tool authentication methods?

View 5 Replies

DataSource Controls :: SQL Statement Timeout / System.Data.SqlClient.SqlException: Timeout Expired?

Jan 20, 2010

Hopefully I am posting this in the correct forum.

I am having a problem with my ASP.Net Web application. The application is developed using and is linked to a SQL Server database. Let me explain how the application works and the problem I am experiencing. The system is an online web app which allows registered users to create a CV online. One of the pages within the app gives users the chance to add a cover note to their CV. The page that allows them to do this consists of only a textarea control and a button control. The textarea allows users to input up to 4,000 characters.

Once the user clicks the 'Save' button to save their cover note info, the following code then executes.This code checks to see if the CV already has cover note info, if it does, then the application runs an update statement, otherwise, it runs an insert statement.The table within the database which records the cover note information is called tbl_covernote and has three columns, covernote_id (int and autoincrement), cv_id(int), covernote_text (nvarchar(max)).

The error which occurs sometimes is as follows:

Dim dr As SqlDataReader
Dim param(0) As SqlParameter
Finally [code]...

View 11 Replies

AJAX Timeout Although Request Is Completing Long Before Timeout Duration

Feb 15, 2010

I have an ASP.Net application that makes an AJAX request to retrieve at report. The report can run for a long time so I set the asyncpostbacktimeout in <asp:ScriptManager /> to 600. However, when I try to run the report, if it runs for longer than 90 seconds it fails to come back. I can see in the IIS logs that the POST request succeeded with a 200 status and I can see the time taken is much less than 600.

The web page dutifully waits for the entire 600 seconds before returning with a timeout error:



The server request timed out.

Is there any setting I should be checking in IIS? Connection timeout is 900 seconds.

View 1 Replies

Copyrights 2005-15, All rights reserved