
I am currently adding an action filter to handle session timeout in our site:

using System;
using System.Threading;
using System.Web.Mvc;
using System.Web.Routing;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class SsoExpireFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Home/Index is the landing page and is never treated as timed out.
        if (!(filterContext.Controller.GetType() == typeof(HomeController)
            && filterContext.ActionDescriptor.ActionName == MVC.Home.ActionNames.Index))
        {
            // Skip the timeout page itself. ActionName is not lower-cased, so comparing it
            // against ToLower() never matched; compare case-insensitively instead, otherwise
            // the filter would redirect TimeoutRedirect to itself in a loop.
            if (!string.Equals(filterContext.ActionDescriptor.ActionName,
                               MVC.Home.ActionNames.TimeoutRedirect,
                               StringComparison.OrdinalIgnoreCase))
            {
                if (!Thread.CurrentPrincipal.Identity.IsAuthenticated)
                {
                    if (filterContext.HttpContext.Request.IsAjaxRequest())
                    {
                        // AllowGet is required, or MVC throws when an AJAX GET receives a JsonResult.
                        filterContext.Result = new JsonResult
                        {
                            Data = "_Logon_",
                            JsonRequestBehavior = JsonRequestBehavior.AllowGet
                        };
                    }
                    else
                    {
                        filterContext.Result = new RedirectToRouteResult(
                            new RouteValueDictionary
                            {
                                {"Controller", "Home"},
                                {"Action", "TimeoutRedirect"}
                            });
                    }
                }
            }
        }

        base.OnActionExecuting(filterContext);
    }
}

I am expecting the IsAuthenticated flag on Principal.Identity to be false following timeout; however, it remains true when it is hit in the action filter. (I know the session has timed out, as I have put a breakpoint on Session_End in Global.asax and this is hit first.)

The authentication for our site is handled by a company-standard "Single Sign On" DLL, so I'm guessing that this is setting a separate authentication timeout. Does this sound likely?

Any help is appreciated.

Declan McNulty
  • I may be wrong, but I think this article might come in handy http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx or this article http://stackoverflow.com/questions/6810808/thread-currentprincipal-identity-vs-httpcontext-user-identity – Blast_dan May 10 '12 at 15:13

3 Answers

2

I think you want to replace Thread.CurrentPrincipal.Identity.IsAuthenticated with HttpContext.User.Identity

I think what you're doing with Thread.CurrentPrincipal is asking if the user that is actively serving the web application on your server is authenticated. What you want to do is ask if the user is authenticated.

Blast_dan
  • Thanks for this. I replaced Thread.CurrentPrincipal with HttpContext.User.Identity but got the same result. I think it is the case, as MajoB says, that the session has timed out but the authentication cookie is still authenticated. +1 though, as I have definitely learned something from your answer and the link to Hanselman's blog post – Declan McNulty May 11 '12 at 10:22
1

Session and authentication cookie are different things. You can have a user who is still authenticated but has an expired session. Look at this post: asp.net cookies, authentication and session timeouts

Marian Ban
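The two answers above make one combined point: the filter should ask filterContext.HttpContext.User rather than Thread.CurrentPrincipal, and a valid forms-authentication cookie says nothing about whether the session has expired, because the two have independent timeouts. The filter below is an added example written for this page; it is not code from the question, from either answer, or from the "Single Sign On" DLL. It treats "new session on a request that still carries a session cookie" as the expired-session signal, and on timeout it signs the authentication cookie out as well, so a stale auth ticket cannot outlive the session. The filter name, the assumed default cookie name ASP.NET_SessionId, the Home/TimeoutRedirect route and the web.config values in the comments are assumptions, not values taken from the questioner's site.

```csharp
// Added example, not from the question, the answers, or the SSO library.
// Assumed web.config alignment (values are illustrative):
//   <sessionState timeout="20" />
//   <authentication mode="Forms"><forms timeout="20" slidingExpiration="true" /></authentication>
// Even with equal timeouts, the session can be dropped (app-pool recycle, Session_End)
// while the browser still presents a valid forms-auth cookie, hence the IsNewSession check.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class SessionExpiredFilterAttribute : ActionFilterAttribute
{
    // Default ASP.NET session cookie name; assumed, change it if the site overrides it.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;
        string action = filterContext.ActionDescriptor.ActionName;

        // Never intercept the timeout page itself, or the redirect would loop.
        if (string.Equals(action, "TimeoutRedirect", StringComparison.OrdinalIgnoreCase))
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // Ask the request's principal (HttpContext.User), not the worker thread's principal.
        bool authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;

        if (!authenticated || IsSessionExpired(ctx))
        {
            // Expire the forms-auth cookie too, so the auth ticket and the session end together.
            FormsAuthentication.SignOut();
            if (ctx.Session != null)
                ctx.Session.Abandon();

            if (ctx.Request.IsAjaxRequest())
            {
                // AllowGet is required for AJAX GETs, otherwise MVC refuses to serialize the JsonResult.
                filterContext.Result = new JsonResult
                {
                    Data = "_Logon_",
                    JsonRequestBehavior = JsonRequestBehavior.AllowGet
                };
            }
            else
            {
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary
                    {
                        { "controller", "Home" },
                        { "action", "TimeoutRedirect" }
                    });
            }
            return;
        }

        base.OnActionExecuting(filterContext);
    }

    // A brand-new session on a request that still sends a session cookie means the server
    // discarded the old session (timeout or restart) while the browser kept its cookie.
    // A genuinely first request has IsNewSession == true but no session cookie, so it is not flagged.
    private static bool IsSessionExpired(HttpContextBase ctx)
    {
        if (ctx.Session == null || !ctx.Session.IsNewSession)
            return false;

        string cookieHeader = ctx.Request.Headers["Cookie"];
        return cookieHeader != null
            && cookieHeader.IndexOf(SessionCookieName, StringComparison.OrdinalIgnoreCase) >= 0;
    }
}
```

Register it as a global filter (or on the controllers that hold session state) and leave the logon and timeout actions out of its scope. Reading the raw Cookie header rather than Request.Cookies matters here: ASP.NET adds the session cookie to Request.Cookies itself when it creates a new session, so the collection cannot distinguish "expired" from "first visit", while the header reflects only what the browser actually sent.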
0

Possibly a bit of a cop-out, but after consulting with other teams in the business I am going to follow the model of other sites that use the corporate "Single Sign On" DLL and use a Session.KeepAlive method, so I'll have no need for this action filter.

Declan McNulty