5

Is there a way to be notified when a user becomes logged in with an ASP.net website?

Note: A user can become logged in without visiting a "login page". If the "remember me" cookie exists, they can hit an arbitrary page and be logged in.

When a user is logged in i want to fetch some session related information.

Note: There is the Login.LoggedIn event. Problem is that that control doesn't exist on every page; and the one page it is present on (Login.aspx) doesn't call OnLoggedIn event.

In the same way that Global.asax has a global On Session Start notification:

void Session_Start(object sender, EventArgs e) 
{
}

i assume somewhere there's a On User Logged In notifiation:

void LoggedIn(object sender, EventArgs e)
{
}

Bonus Reading

Community
  • 1
  • 1
Ian Boyd
  • 246,734
  • 253
  • 869
  • 1,219
  • 4
    i hate when googling my problem (*asp.net global OnLoggedin event*), and the top result is my own question. – Ian Boyd Jun 12 '12 at 18:14

4 Answers4

7

I think you don't have a unique place to do that. In my case (MVC + log4net) I use this:

  • In Global.asax I check for authenticated users with pre-existing cookie.

    protected void Session_Start()
{
    string ip = HttpContext.Current.Request.UserHostAddress;

    log.InfoFormat("Starting session: {0} from {1}.",Session.SessionID, ip);

    if ((HttpContext.Current != null) &&
        (HttpContext.Current.User != null) &&
        (HttpContext.Current.User.Identity.IsAuthenticated) )
    {
        string user = HttpContext.Current.User.Identity.Name;
        string type = "Cookie";

        log.InfoFormat("User {0} logged in with {1}.", user, type);
    }

}

  • In my Account controller I check for local logins (I'm using Internet Application Template from MVC4, but you can do this in your Login.OnLoggedIn if you're using Web forms)

    [HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
    if (ModelState.IsValid && WebSecurity.Login(model.EMail, model.Password, persistCookie: model.RememberMe))
    {
        string user = model.EMail;
        string type = "Forms";

        log.InfoFormat("User {0} logged in with {1}.", user, type);

        return RedirectToLocal(returnUrl);
    }

    // If we got this far, something failed, redisplay form
    ModelState.AddModelError("", "The user name or password provided is incorrect.");
    log.ErrorFormat("Bad password or user name. User={0}", model.EMail, model.Password);
    return View(model);
}

  • But I need to check for OAuth logins too, like this:

    [AllowAnonymous]
public ActionResult ExternalLoginCallback(string returnUrl)
{
    AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
    if (!result.IsSuccessful)
    {
        log.Debug("External login failure.");

        return RedirectToAction("ExternalLoginFailure");
    }

    if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
    {
        log.InfoFormat("User {0} logged in with External {1} login. External UserID = {2}",
            Membership.GetUser(OAuthWebSecurity.GetUserName(result.Provider, result.ProviderUserId)).UserName,
            result.Provider,
            result.ProviderUserId);

        return RedirectToLocal(returnUrl);
    }

    ...
}
j0k
  • 22,600
  • 28
  • 79
  • 90
Raul Uria
  • 134
  • 1
  • 3
3

You can make the check on Application_AuthenticateRequest on global.asax, is the place that you can check if the request is logged in or not together with your session data, and decide if session data needs initialization as you say.

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];

    //  check for logged in or not
    if (null != authCookie)
    {
        // is logged in... check if the session needs init

    }   
}

Or the same results with 

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    //  check for logged in or not
    if(HttpContext.Current.User != null && 
        HttpContext.Current.User.Identity != null 
            && HttpContext.Current.User.Identity.IsAuthenticated)
    {
        // is logged in... check if the session needs init

    }   
}
Ian Boyd
  • 246,734
  • 253
  • 869
  • 1,219
Aristos
  • 66,005
  • 16
  • 114
  • 150
  • i can't really be tied to `Forms` authentication, or to the use of a Forms cookie. If i don't use Forms authentication, or there is no cookie, they can still be logged in. – Ian Boyd Jun 12 '12 at 18:13
  • @IanBoyd If you see I have and the other way of check... with the `HttpContext.Current.User.Identity.IsAuthenticated`, just the first is faster. – Aristos Jun 12 '12 at 18:14
  • i'm doing *something* wrong with the `Application_AuthenticateRequest`, it is called 7 times with the user. – Ian Boyd Jun 12 '12 at 18:26
  • 1
    @IanBoyd Is called on every request for any asp.net resource to check if needs or not authedication, you can make one more check of what file it is, and if is aspx, or handler let it make the rest. Use the `HttpContext.Current.Request.Path` and `System.IO.Path.GetExtension(cTheFile)` to check the extention - sorry must leave the computer, I will return in some hours. Hope this helps – Aristos Jun 12 '12 at 18:28
2

You can call your code in those two places: OnLoggedIn event from the Login control and also when the session starts (using the Session_Start event in your Global.asax), as this will be the first request with the user data. There you can check if the user is logged and if so, do what you need.

Ivo
  • 8,172
  • 5
  • 27
  • 42
  • `OnLoggedIn` event is not called when the user browses to the web-site. – Ian Boyd Jun 12 '12 at 18:10
  • Exactly, that's why I suggest to call the same method you need in your `Session_Start` – Ivo Jun 12 '12 at 18:23
  • That seems to imply that there is no global "OnLoggedIn" event. – Ian Boyd Jun 12 '12 at 18:27
  • There's not. If you put the code in a class you will be able to call it from both places and solve your problem. – Ivo Jun 12 '12 at 20:07
  • Any other gotcha situations? i know users can remain logged in, even though a session ends (i.e. application pool recycles). – Ian Boyd Jun 13 '12 at 13:30
  • in that case, when the next request is done, `Application_SessionStart` will be called. – Ivo Jun 13 '12 at 15:01
2

Although technically being logged in is the same as being authenticated, I have a different mental model of this.

In my mind the three following things are separate issues:

  • User has/gets a session
  • User is authenticated
  • User is logged in

For me the last one of these means: "A session has been created for the user, the user is authenticated and the session has been initialized for the authenticated user".

Using this model, a user can become logged in when:

  • The user logs in on the login page and the pre-existing session is initialized with necessary user data
  • A pre-authenticated user comes to the site and a new session is created and initialized for him/her

Similarly, the user becomes logged out when his/her initialized session is destroyed.

Using this model will mean:

  • You can identify when a user "logs in" either in the Login.OnLoggedIn event the or the Session_Start event in Global.asax. Of course, the session start event fires also for unauthenticated users, so you need to verify that the user is authenticated when the event fires.
  • You can somewhat reliably tell when a user "logs out", either by explicitly loggin out or when a properly initialized session is destoyed in the Session_End event in Global.asax. I say somewhat reliably, because I think the Session_End event(s) will not necessarily be fired when the application pool recycles or dies in a crash. Although I haven't tested this so I might be wrong.
  • A user can be simultaneously "logged in" multiple times. At least in IE you can start a "New session" from the File menu. This starts a new IE which is not sharing the session cookies with any preexisting IE windows. This means a new session will be created by the server when the user comes to the site, and depending on the autentication mechanism used it might mean he/she will also have to authenticate again.

It will not let you "list all currently logged in users" out of the box. You will need to create som way of keeping track of that yourself I think. This can me more or less difficult to do. Especially in the case when your application is running in some sort of load balanced environment, getting a list of all current user can be tricky.

user1429080
  • 9,086
  • 4
  • 31
  • 54