I have an MVC 4.0 website with Forms Authentication and am attempting to handle Authentication timeout. Specifically, I need to handle ajax requests differently after a timeout than regular requests because if left to its own devices, MVC's Forms Authentication system will send a 302 Found (Redirect) to the Login page as a response to the ajax request... this ends with the ajax call receiving a 200 Success HttpStatusCode, when that is obviously not what I want to send!

How can I handle the unauthenticated ajax requests?

Extending the AuthorizeAttribute is, of course, not the answer because Authorization only comes in after Authentication. HandleUnauthorizedRequest is never called in this situation (as opposed to the different answers in the question).
I can intercept every request in the global.asax and check it there... but that seems like the wrong way to go about it.

Authorization in my web.config is set like so:

<authentication mode="Forms">
  <forms loginUrl="Login"
         protection="All"
         timeout="60"
         name=".ASPXAUTH"
         path="/"
         requireSSL="false"
         slidingExpiration="true"
         defaultUrl="Main"
         cookieless="UseDeviceProfile"
         enableCrossAppRedirects="false" />
</authentication>

<authorization>
  <deny users="?" />
</authorization>

<sessionState mode="InProc" timeout="60"></sessionState>
Guy Passy
  • Could you maybe use an HttpHandler or HttpModule to handle those specific requests? – mahlatse Jul 20 '16 at 07:47
  • @mahlatse I'm not sure what you mean... not use MVC Routing and Controllers? – Guy Passy Jul 20 '16 at 08:06
  • check this post, http://stackoverflow.com/questions/15798828/httpmodule-only-on-specific-mvc-route , please check the answer by stockbreak – mahlatse Jul 20 '16 at 08:12
  • @mahlatse I have a bunch of controllers that require this check to take place... I don't understand from the post in the other question how HttpModules would help with this... by replacing all of the Controllers with HttpModules? And if so, are they not affected by the Authentication settings in the `web.config`? – Guy Passy Jul 31 '16 at 16:26
  • With an HttpModule, you can intercept your requests before they are processed by the controller, and depending on whether the user is logged in or not, set the response type and the specific error. You will not be replacing the controller, but intercepting execution before it reaches them. – mahlatse Aug 01 '16 at 04:19

1 Answer

So, what I ended up doing was allowing all users in the web.config:

<authorization>
    <allow users="*" />
</authorization>

and then checking in my own code whether the user is authenticated...
There must be a better way though, no?

Guy Passy
  • If you are going down that route, then set the [Authorize] attribute on a base controller (if you need the same functionality on different controllers) and override the OnActionExecuting filter on the controller, handle your ajax request authorization in there. – mahlatse Aug 01 '16 at 04:25
  • I have an `[Authorize]` attribute on a base controller. The problem is that, unless I `allow users="*"`, unauthenticated requests that are not to the Login page don't reach my filters. – Guy Passy Aug 01 '16 at 09:11
  • Then HttpModules are the way to go, check the MS site on how to use them, or even here on Stack Overflow – mahlatse Aug 01 '16 at 12:25
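
One way to implement the HttpModule approach suggested in the comments while keeping `<deny users="?" />` in place, so URL authorization still fails closed; this is an added example, not code from the thread. It assumes .NET 4.5 or later (for `HttpResponse.SuppressFormsAuthenticationRedirect`), the IIS integrated pipeline, and a hypothetical class name `AjaxAuthTimeoutModule`.

```csharp
using System;
using System.Web;

// Hypothetical module (not from the thread). Register it in web.config:
//   <system.webServer><modules>
//     <add name="AjaxAuthTimeoutModule" type="AjaxAuthTimeoutModule" />
//   </modules></system.webServer>
public sealed class AjaxAuthTimeoutModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;
    }

    // The header is client-supplied, so it only selects the response shape
    // (401 vs. 302). Access is still decided by <deny users="?" />.
    private static bool IsAjax(HttpRequest request)
    {
        return string.Equals(request.Headers["X-Requested-With"],
                             "XMLHttpRequest", StringComparison.OrdinalIgnoreCase);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (IsAjax(ctx.Request))
        {
            // Tells FormsAuthenticationModule to leave a 401 alone instead
            // of rewriting it into a 302 to loginUrl (.NET 4.5+).
            ctx.Response.SuppressFormsAuthenticationRedirect = true;
        }
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Response.StatusCode == 401 && IsAjax(ctx.Request))
        {
            // Keep IIS custom error pages from replacing the 401 response
            // body, and keep intermediaries from caching it.
            ctx.Response.TrySkipIisCustomErrors = true;
            ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        }
    }

    public void Dispose() { }
}
```

With this in place the AJAX caller sees a 401 after the forms ticket expires and can send the user to the login page itself, while ordinary page requests still get the 302 redirect.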