3

In ASP.NET MVC in one of the WCF services I place an object into the HttpContext.Current.Session object.

When the session times out and the session is cleared of all objects I want to log the user off but have been unable to find a way.

In Global.asax, when the Session_end method is called, the Response object and HttpContext.Current are both null.

Any ideas on how to log the user off are appreciated.

TheWommies
  • Won't that depend on how you've implemented membership in the first place? – Rowan Freeman Aug 28 '14 at 06:05
  • Sorry for my ignorance, just maintaining existing work and not privy to everything. There is a Controller with a Login method that uses HttpContext.GetOwinContext().Authentication and calls SignIn and SignOut methods respectively to log in and out users. I am unsure how to call this controller from the Global.asax file or just when the session expires in general. – TheWommies Aug 28 '14 at 06:18
  • This is going to be manual, there is no automated feature. You'll have to detect no session, and call the corresponding code to log off the user. – Erik Philips Aug 31 '14 at 23:25
  • What authentication scheme are you using (Forms, WebSecurity, Identity, etc)? – Erik Philips Sep 02 '14 at 15:54
  • Can you describe further what you mean by "log the user off"? If the session has expired, the user has gone. Is there some server-side clean-up you want to do? – Matt Tester Sep 03 '14 at 03:52

4 Answers

2

When the session times out the user no longer exists in any case. If what you are trying to do is clean up open browser windows you would need to implement a timer based on time remaining before session expiration.

SignIn and SignOut have to do with adding or deleting cookies or tokens to authenticate with an external service. The call that you see should be in the login controller and should not be moved to the Global.asax.

No additional action is required.

Mike Beeler
1

I think it is wrong practice to try to keep session and authentication cookie in sync. Session and cookie are different things. You can login with multiple users during the same session period. You start a new session when you open some url and it ends when you close the window or it expires on the server side. For more information about session - authentication cookie relationship please read the following answer: asp.net cookies, authentication and session timeouts

Anyway, if you want to do it you can use one small trick. You have to periodically call your server with an ajax call, for example call the YourWebsite.com/checksession page every n seconds. There you have to check for the existence of a session variable. If it does not exist anymore then simply call FormsAuthentication.SignOut(), refresh your page and the user will be logged out.

Marian Ban
  • Instead of cookies is there anything wrong with using claims to add more information about a user? – TheWommies Sep 08 '14 at 04:00
  • @TheWommies claims are designed to store user related information, thus it is ok to use them. – Marian Ban Sep 08 '14 at 11:00
  • Thanks, just curious, doesn't periodically polling the server just reset the session timeout? Therefore the session will never expire, which I do want if the user is inactive – TheWommies Sep 08 '14 at 23:34
  • @TheWommies yes it resets the session timeout after each request, but you can't rely on this because it will also expire when the application pool is restarted or when you change the web.config – Marian Ban Sep 09 '14 at 05:16
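
Added example, not part of any answer on this page: a server-side version of the "detect no session, then sign out" check from the comments and the answer above, done on each incoming request so no polling call keeps the session alive. The class name and the session key `UserContext` are hypothetical; the login path and the OWIN `ApplicationCookie` type are taken from the asker's comments.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity; // DefaultAuthenticationTypes

// Hypothetical global filter: signs the user out when the OWIN auth cookie
// is still valid but the server-side session object has already gone.
public sealed class RequireLiveSessionAttribute : ActionFilterAttribute
{
    // Assumed key: whatever object the application stores in Session at login.
    private const string SessionMarkerKey = "UserContext";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;

        // Anonymous requests have no authentication cookie to revoke.
        if (!http.Request.IsAuthenticated)
        {
            return;
        }

        // Leave [AllowAnonymous] actions (such as the login page) alone,
        // otherwise the redirect below would loop.
        ActionDescriptor action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true))
        {
            return;
        }

        // The marker disappears on session timeout, app pool recycle
        // or a web.config change.
        bool sessionAlive = http.Session != null && http.Session[SessionMarkerKey] != null;
        if (sessionAlive)
        {
            return;
        }

        // Drop the auth cookie and the empty session, then send the user to login.
        http.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        if (http.Session != null)
        {
            http.Session.Abandon();
        }
        filterContext.Result = new RedirectResult("~/Account/Login");
    }
}
```

Register it once with `GlobalFilters.Filters.Add(new RequireLiveSessionAttribute());` so every controller action is covered; the login action has to set the session marker for the check to pass afterwards.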
1

I'm not sure about your implementation of WCF as I'm not that versed in WCF. I'm currently building a large scholarship application and we want to restrict logins to a single login per user. I have a table set up to track the userID and a GUID that I store in their Auth Cookie. You could use a session ID instead. I'll be caching the table and refreshing the cache each time I add or remove an entry. I'm using SignalR (you can get it as a NuGet package) to maintain connections with each of our clients. When they close their browser SignalR can immediately report that the user is gone and I can terminate their record from the session tracking table. In your case, you could kill the session. Additionally if a user tries to log in again, I can see they are already logged in. I then kill their original session and allow them to log in new.

It took a few hours to get used to using SignalR and I highly recommend the videos on Pluralsight.

CubeRoot
1

Set both timeouts in the following configuration to the exact number of minutes. Make sure you set slidingExpiration to true; that way authentication will continue to extend to 30 minutes after each request, just as the session continues to extend after each request.

<authentication mode="Forms">
  <forms loginUrl="~/Auth/SignOn.aspx" timeout="30" slidingExpiration="true" />
</authentication>

<sessionState timeout="30" />
Akash Kava
  • The code is using ApplicationCookie, as the code below shows. Is there a way to change ExpireTimeSpan after the application has started? I want to set the timeout depending on what the user has logged in as. app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, AuthenticationMode = AuthenticationMode.Active, LoginPath = new PathString("/Account/Login"), ExpireTimeSpan = TimeSpan.FromSeconds(5) }); – TheWommies Sep 08 '14 at 05:50