This is a webform asp.net 4 application. The Formsauthentication method is used.
web.config:
<sessionState
mode="InProc"
cookieless="false"
timeout="1"/>
<authentication mode="Forms">
<forms defaultUrl="~/Default.aspx"
loginUrl="~/Login.aspx"
slidingExpiration="true"
timeout="25" />
</authentication>
The problem is that, when a user logouts, I need to perform some actions (e.g., logging something in the DB).
The case when a user click on "logout" link is pretty easy.
Now I am dealing with logout due to timeout, and I'm facing two different scenarios:
- The session expires and the authorization doesn't
- The authorization token expires and the session is still valid
In scenario #1, I tried the following:
Sub Session_End(ByVal sender As Object, ByVal e As EventArgs)
If Not String.IsNullOrEmpty(Session("Username")) Then
Try
' custom action..
FormsAuthentication.SignOut()
Session.Clear()
Session.Abandon()
Catch ex As Exception
' log the exception
End Try
End If
End Sub
but here I have two huge problems: User is not available in this context (i.e., I can't chech User.Identity.isAuthenticated, therefore I'm checking Session("Username")) and FormsAuthentication.SignOut() raises a nullreferenceException. How can I logout the user from the FormsAuthentication "zone"?
Scenario #2 is more complex, as I read that there is not an explicit event fired when the authorization is expired. My "willing" is to be able to perform the same custom actions for the user just a moment before the expiration happens. Is it possible in some way?
Will some sort of custom authentication provider let me handle these cases in a better and more robust way?
