
I want to detect when an ASP.NET Forms Authentication ticket has expired. I then want to log to the server the user that was signed out because of inactivity. Is there an event that fires on the server when the authentication ticket has expired?

<sessionState mode="InProc" timeout="5"></sessionState>
<authentication mode="Forms">
  <forms loginUrl="~/Home/AccessDenied" timeout="5" />
</authentication>

In the Global.asax file, I have tried Session_OnEnd(), but the Context.User object is null. When I call Membership.GetUser() it returns null also. I have tried making the session time out before the auth but that doesn't help. I am using MVC 3 and IIS 7.5.

Ryand.Johnson
  • I added a timer on the client. It pops up a notification that tells the user they have been inactive for some time. If they want to extend their session then I send an AJAX post to the server and do an update on the Membership User object, which extends their forms authentication session. I am open to other suggestions. – Ryand.Johnson Nov 03 '11 at 17:13
  • You could use a combination of this method to determine the timeout by reading the ticket and adding that value to the JavaScript that goes to the page. – Adam Tuliper Nov 03 '11 at 18:24

1 Answer

Session and forms authentication have two completely separate timeouts. See my posting on this here:

How can I handle forms authentication timeout exceptions in ASP.NET?

In Application_PreRequestHandlerExecute you need to check the ticket.

Also be sure your session and forms auth timeouts are in sync using the code I posted there, not just by setting both to, say, 60 minutes. Since forms auth doesn't update the 'touched' time until half of the time passes by, and session time is updated on every request, they get out of sync.

Adam Tuliper
  • Thanks for your response. I am trying to find out when the forms auth ticket expires. Your solution works if they click on another page. But if they close the browser, I do not know when the forms auth ticket expires. – Ryand.Johnson Oct 17 '11 at 18:45
  • You won't. The ticket isn't held on the server. The server knows _nothing_ about the ticket. It's completely held on the client side, which is a reason these were hacked with the POET vulnerability a year ago. It is only checked when you send it to the server with a request (or lack thereof on a request). – Adam Tuliper Oct 17 '11 at 20:34
  • It was not possible, as Adam stated. To work around it, I used jQuery to count down when a user stopped interacting with the site. Then I popped up a dialog once their session was about to expire. If they clicked 'extend' then I sent an AJAX call to the server. The call called Membership.UpdateUser, which extended the timeout for the forms auth ticket. – Ryand.Johnson Dec 02 '11 at 15:27
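
An added example, not code from the thread or from the linked answer: a Global.asax handler that checks the ticket on each incoming request and logs the user name when the presented ticket has expired. It hooks Application_BeginRequest (an assumption of this example; the answer names Application_PreRequestHandlerExecute) so the cookie is read before FormsAuthenticationModule processes the request. The class name and the use of System.Diagnostics.Trace as the log sink are also assumptions.

```csharp
// Global.asax.cs (added example; class name and log sink are assumptions)
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // The ticket lives only in the client's cookie, so the server can
        // inspect it only when a request actually arrives carrying it.
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return; // anonymous request, or the browser already dropped the cookie
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt also validates the ticket's integrity; the Name field is
            // trusted only because this call succeeded.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return; }      // malformed cookie value
        catch (CryptographicException) { return; } // failed decryption/validation
        catch (HttpException) { return; }          // rejected by the framework

        if (ticket != null && ticket.Expired)
        {
            // Log the inactivity sign-out: who, when the ticket lapsed,
            // and when the server first observed it.
            Trace.TraceInformation(
                "Forms auth ticket expired: user={0} expiredUtc={1:u} seenUtc={2:u}",
                ticket.Name,
                ticket.Expiration.ToUniversalTime(),
                DateTime.UtcNow);
        }
    }
}
```

The log entry is written only when a later request still carries the cookie: a browser discards a persistent ticket cookie at its expiry time, and a closed browser sends nothing, so those expirations are never observed by the server.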